Block Traffics by Country

ec2020 · November 18, 2018, 12:32am

I want to block traffics from a certain country. I can export and save a free list from https://www.ip2location.com/free/visitor-blocker and the output for MicroTik is as below.

What should I do next to block the range? Thank you.

# -------------------------------------------------------
# Free IP2Location Firewall List by Country
# Source: https://www.ip2location.com/free/visitor-blocker
# Last Generated: 18 Nov 2018 00:30:16 GMT
# [Important] Please update this list every month
# -------------------------------------------------------
/ip firewall address-list
add address=175.45.176.0/22 comment="Korea, Democratic People's Republic of" list=IP2Location
add address=202.72.96.4/30 comment="Korea, Democratic People's Republic of" list=IP2Location

anav · November 18, 2018, 12:58am

/ip firewall raw
add chain=prerouting in-interface=wan source-address-list=IP2blockcountries action=drop

That should do it but the real question is do you think the bad actors from that country are actually going to use their country servers??
I think its a healthy thing to dabble in setting up such rules but its part measures at best (a stab in the dark).

If you want to have more solid protection there is at least two options I am aware of that are up and running and designed specifically for Mikrotik.
a. expensive AXIOM SHIELD (they do provide discount for serving and ex-serving members of the military) - https://axiomcyber.com/shield/
b. affordable, especially if not a business expense write-off (and developed by a fellow forum poster) - http://forum.mikrotik.com/t/moab-mother-of-all-blacklists/122053/1

Jotne · November 18, 2018, 9:19am

I do agree with anav that a hacker would be stupid using his own IP.

If I look at who is trying to access blocked port on my net, it looks like this the last 60 min:
IP access blocked.jpg
I do use my Splunk for Mikrotik to get this map: http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-3-3-graphing-everything/121810/1

So here you see that EU and USA has more hits than Asia.
Why?
There are lots of services (that are not illegal) that do scans you all the time. Like https://www.shodan.io/
They are looking for internet of things devices. Our work net is hammered hard by them and other.

What can you do? Block country that you know that has no interest of your data is a good start.
It will remove lots of hack attempt, but you will still be scanned.

What I have done, is not the best for all, but works perfect for me.
If an IP tries to access one block port on my net, I add this IP to an access list and block this IP for 24 hour.
Them map above has less hits than it would be without my access list.
The access list does have around 1500 IP in i all time, sometime up to 2500 IPs

How does it work. Here are the last two rules in my FW:
This adds the IP to the access list for 24h if it has not found an valid rule above

add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=1d \
    chain=input comment="This is used to collect uer who tries non open ports." in-interface=\
    ether1-Wan

Then drop it and log it (gives the map above)

add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=\
    FW_Drop_all_from_WAN

On top of the FW rules I do have this rule blocking all inn the access list:

add action=drop chain=input comment="This FW rule blocks user in group Blocked" log=yes log-prefix=\
    FW_Block_utside_user src-address-list=Blocked

Other stuff I do.
Example. I need RDP. Normally that uses port 3389, but I have set it on some high random number like 53224.
Then if you tries to log inn more than 3 times within 5 minutes, you also get blocked for 24 hour.

You can for sure block your self out this way, but I can always connect using an VPN from another IP and open up my self.