Blacklist Filter (Development Topic)

Where can I find the active blacklist script?

It is on this page.

But I get an error in the log: Blacklist Authorization failed

Which is the active and good script?

You must enable IP Cloud service first.

Thank you! :slight_smile: Works!!!

Drop or redirect? Which one is better on the firewall?

Question for IntrusDave: Do you have any IPv6 blacklist and domain (IPv4/IPv6) blacklist?

Unfortunately, I don’t have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it’s so unstable, I don’t bother with it.

OK! Thanks!!!

And domain blacklist?

No, only IP-based.
But more than 135,000 if you want :smiley: and your router can handle it. (I get priority “1” on a RB2011UAS.)

This is a further development of the old project / service:
http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1

I don’t find domain blacklisting very effective. Most botnets and viruses have their own DNS resolver and use hard-coded servers, so it doesn’t really help at the router level. And more and more are moving to DNS over HTTPS.

Personally, I use a RAW Drop rule.

IP Cloud is used for identification now. Once the service is live, the serial number from IP Cloud will be used for authorization. The script gets the serial number from IP Cloud and submits it via http-post over TLS, which keeps your serial from being sent in the clear. When the server receives the request, the http-post data is pulled, the serial number is then used to do a DNS lookup via {xxxxxxxxx.sn.mynetname.net}, and that IP is then matched to the IP that is making the request. If the IPs don’t match, then the odds are that the serial number is a fake, or someone is trying to leech the list. It’s not a perfect system, but as long as the mynetname service isn’t hacked, it should be good enough to stop most from leeching the list.

Other ideas were along the lines of assigning every router a UUID and then sending that, but again, no way to verify that the http-post is authentic. Nothing to keep someone from putting that UUID on other routers, or just faking it and using a script to clone the list.

I would love for MikroTik to put in a service that allows the routers to authenticate themselves, download and apply a list. Hell, I would even code the service for them, but I’m fairly certain that will never happen.
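The server-side check described in the post above, written out as an added example (this is not the IntrusBL server’s code). It assumes a form-encoded POST with a `serial` field, that RouterBOARD serials are 12 hex characters, and the `<serial>.sn.mynetname.net` name from the post; the resolver is injected so it runs offline against a constructed stand-in for the mynetname zone, with made-up serials and RFC 5737 addresses.

```python
"""Authorize a list download the way the post describes: resolve
<serial>.sn.mynetname.net and require that it equal the request's source IP.

Added example; not the service's real code. The resolver is a constructed
in-memory table so the check runs offline."""
import ipaddress
import re
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs

# Zone named in the post: IP Cloud publishes <serial>.sn.mynetname.net -> public IP.
MYNETNAME_SUFFIX = ".sn.mynetname.net"

# Assumption: RouterBOARD serials are 12 hex characters. Validating before the
# name is built keeps a client from injecting dots and steering the lookup at
# a zone it controls (e.g. "AAAA.attacker.test.sn.mynetname.net" tricks).
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

Resolver = Callable[[str], Optional[str]]


def serial_to_hostname(serial: str) -> Optional[str]:
    """Return the mynetname hostname for a well-formed serial, else None."""
    if not SERIAL_RE.match(serial):
        return None
    return serial.lower() + MYNETNAME_SUFFIX


def authorize(serial: str, request_ip: str, resolve: Resolver) -> bool:
    """The post's rule: the address published for this serial must equal
    the address the request came from. Anything unverifiable is a refusal."""
    name = serial_to_hostname(serial)
    if name is None:
        return False
    try:
        src = ipaddress.ip_address(request_ip)
    except ValueError:
        return False
    published = resolve(name)
    if published is None:           # no IP Cloud record for this serial
        return False
    try:
        return ipaddress.ip_address(published) == src
    except ValueError:
        return False


def parse_post(body: str) -> Dict[str, str]:
    """First value of each x-www-form-urlencoded field."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# Constructed stand-in for the mynetname.net zone (not real routers).
FAKE_ZONE = {
    "4c0a0b1c2d3e.sn.mynetname.net": "198.51.100.10",
    "5d1b1c2d3e4f.sn.mynetname.net": "203.0.113.77",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def handle_request(body: str, request_ip: str, resolve: Resolver = fake_resolve) -> str:
    """Server entry point: 'OK' hands out the list, 'denied' does not."""
    serial = parse_post(body).get("serial", "")
    return "OK" if authorize(serial, request_ip, resolve) else "denied"


if __name__ == "__main__":
    cases = [
        ("serial=4C0A0B1C2D3E", "198.51.100.10"),            # genuine router
        ("serial=4C0A0B1C2D3E", "203.0.113.77"),             # serial copied elsewhere
        ("serial=4C0A0B1C2D3E.evil.test", "198.51.100.10"),  # malformed serial
        ("serial=FFFFFFFFFFFF", "198.51.100.10"),            # no IP Cloud record
    ]
    for body, ip in cases:
        print(f"{body:34} from {ip:15} -> {handle_request(body, ip)}")
```

The second case is the "cloned serial" scenario the post worries about: the serial is valid, but the request arrives from an address mynetname does not publish for it, so it is refused. The limit the post acknowledges is visible in the code too: the check binds a serial to a public IP, not to a router, so any host sharing that public address (behind the same NAT) can present the serial and pass.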

OK! :slight_smile: Thanks!

For example, a domain blacklist: https://blog.squidblacklist.org/?p=1658 Would it work effectively? The script saves the file to flash.

Download domain blacklist script:

/tool fetch url="https://www.squidblacklist.org/downloads/tik-dns-ads.rsc" mode=http;
:log info "tik-dns-ads.rsc from http://www.squidblacklist.org";

Replace downloaded domain blacklist script:

/ip firewall address-list remove [find where comment="sbl ads"]
/import file-name=tik-dns-ads.rsc;
:log info "Removed old DomainBlackList and imported new list";

http://forum.mikrotik.com/t/problems-solutions-with-mikrotik-routeros-dns-domain-blacklists/102770/1
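A check worth running between the fetch and the import above: `/import` executes every command in the .rsc with the rights of the user running it, so a list pulled from a third-party site is only as trustworthy as that site and the download path. The validator below is an added example (not from this thread and not squidblacklist.org’s code) for a management host that mirrors the list before the router fetches it. It assumes the file should contain nothing but `add` commands under `/ip dns static` or `/ip firewall address-list`, each tagged with the `sbl ads` comment the removal step keys on; the sample .rsc text is constructed and the real file’s layout may differ.

```python
"""Allowlist-check a downloaded .rsc before letting a router /import it.

Added example. Accepts only 'add' entries under two expected paths with a
fixed set of parameters and the expected comment tag; anything else, including
scripting syntax, other paths, or odd values, is reported by line number."""
import re
import shlex
from typing import Dict, List

ALLOWED_PATHS = {"/ip firewall address-list", "/ip dns static"}
ALLOWED_KEYS = {"address", "list", "name", "comment"}
EXPECTED_COMMENT = "sbl ads"   # the removal step matches on this; untagged entries would linger

PATH_RE = re.compile(r"^(/[a-z][a-z\- ]*?)(?:\s+add(?:\s+(.*))?)?$")
HOST_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9-]{1,63}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?$")
LIST_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _check_entry(path: str, kv: Dict[str, str]) -> str:
    """'' if the add command is acceptable, otherwise the reason it is not."""
    if kv.get("comment") != EXPECTED_COMMENT:
        return f"comment is not {EXPECTED_COMMENT!r}"
    addr = kv.get("address", "")
    if path == "/ip firewall address-list":
        if not LIST_RE.match(kv.get("list", "")):
            return "missing or odd list= name"
        if not (IPV4_RE.match(addr) or HOST_RE.match(addr)):
            return "address= is not an IPv4/CIDR or hostname"
    else:  # /ip dns static
        if not HOST_RE.match(kv.get("name", "")):
            return "missing or odd name="
        if not IPV4_RE.match(addr) or "/" in addr:
            return "address= is not a plain IPv4 address"
    return ""


def check_rsc(text: str) -> List[str]:
    """Walk the file; one message per offending line (empty list = safe to import)."""
    problems: List[str] = []
    context = ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            m = PATH_RE.match(line)
            if not m:
                problems.append(f"line {n}: unparsable command")
                continue
            context = m.group(1).strip()
            if context not in ALLOWED_PATHS:
                problems.append(f"line {n}: path {context!r} not allowed")
                continue
            cmd = line[len(m.group(1)):].strip()
            if not cmd:             # bare path line only sets the context
                continue
        else:
            if not context:
                problems.append(f"line {n}: command before any path")
                continue
            cmd = line
        try:
            tokens = shlex.split(cmd)
        except ValueError:
            problems.append(f"line {n}: unbalanced quoting")
            continue
        if not tokens or tokens[0] != "add":
            problems.append(f"line {n}: only 'add' commands are allowed")
            continue
        kv: Dict[str, str] = {}
        bad = ""
        for tok in tokens[1:]:
            key, eq, val = tok.partition("=")
            if not eq or key not in ALLOWED_KEYS:
                bad = f"unexpected parameter {tok!r}"
                break
            if any(c in val for c in "$[];{}"):   # RouterOS expression syntax has no place in data
                bad = f"scripting characters in {key}="
                break
            kv[key] = val
        reason = bad or _check_entry(context, kv)
        if reason:
            problems.append(f"line {n}: {reason}")
    return problems


def safe_to_import(text: str) -> bool:
    return not check_rsc(text)


# Constructed sample in the style of a tik-dns-ads.rsc; not the real file.
SAMPLE_GOOD = """\
# constructed sample list (not squidblacklist.org's file)
/ip dns static
add name=ads.example comment="sbl ads" address=127.0.0.1
add name=tracker.example.net address=127.0.0.1 comment="sbl ads"
/ip firewall address-list add address=198.51.100.0/24 list=sbl-ads comment="sbl ads"
"""
# The same file with one line appended by a tampered download.
SAMPLE_TAMPERED = SAMPLE_GOOD + '/user add name=svc password=hunter2 group=full\n'

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("tampered", SAMPLE_TAMPERED)):
        print(label, "->", check_rsc(text) or "ok to import")
```

Run it against the fetched file before the `/import` step; on any reported line, keep the previous list and alert rather than importing. The allowlist is deliberately narrow, so a legitimate change in the upstream format will also trip it, which is the intended failure mode for a file that the router will execute.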

Dave,
Still very interested in learning how to setup a honeypot to collect addresses. Even if you are not to the point to accept other people’s honeypot lists, could you do a brief write up to teach us the best way to setup a honeypot? Thanks!

I haven’t gotten far enough on the honeypot side. I’ve started from scratch on the RouterOS script. I’ll post it once it’s stable enough to test.

Have you seen HE’s free IPv6 tunnel https://tunnelbroker.net/? I’ve had one up for nearly a year.

Here are a couple of Honeypot projects from my notes. I’m sure there are many more. It’s one of those things I’ve been wanting to do one of these days.

https://github.com/desaster/kippo
https://trustfoundry.net/honeypi-easy-honeypot-raspberry-pi/

If it helps and the IPv4 service is done, I can provide an IPv6 router as a honeypot.
I get a ::/48 prefix and could then put a router¹ behind the MikroTik. @Dave: You can have full admin access on it.
I get a new dynamic prefix from my provider every 36-48 hours. I can get a static IP but I have to pay extra for it. IPv6 has been stable for years, and I’ve had it since the pilot phase. (Year 2013 / Provider: NetCologne.de)

¹On a UBNT (ER-8) router, a honeypot package can be loaded from the Debian repository.
Of course, the Mikrotik can serve as honeypot directly, if someone has finished scripts for it.

I have just noticed 6.43 has moved into the current branch, so I have updated accordingly. I can’t seem to find IP > Cloud though? Looking forward to using the IntrusBL again.

It’s not in Winbox but is there in the terminal.

IP Cloud is terminal-only when running CHR.