Check incoming IP addresses for fraud/reputation

Hi All,

Has anybody tried to use scripting or some other method to check incoming IP connections (globally or to certain services only) for reputation by an external provider like https://scamalytics.com/?
Depending on the reply received, one can then either allow or drop/reject traffic from that IP address.

Have tried to dabble with this but my Lua scripting is nowhere close to what it should be.

Appreciate any constructive feedback.

Rgds,
Mark.

I don't allow external originating traffic to enter the router… it's called a firewall

Hi,

Really? Never heard of that … :confused: :open_mouth:
So running a service eg a SIP gateway behind a Mikrotik router does not mean you have to accept externally originating traffic??
That’s what I need to check - incoming connections via their IP address …

Cheers,
Mark.

Of course if you think you need to allow externally originated traffic into your network you are doing something out of the norm.
For any homeowner or small business I would state that running servers open to the whole internet is plain dumb; at least use a source address list on the destination NAT rules.
(note: access to the MT should be done by VPN)
If you are a bigger business you would not use a MikroTik as an edge router…

What is more plausible is if you stated you wanted to help ensure users didn't inadvertently visit bad sites (by intentional or unintentional means), i.e. traffic originating on the LAN.

I don't think 5000 free checks will be enough for you if you open up SIP…

Better to use the Yeastar virtual PBXes; at least they take care of filtering everything without you having to bust your…

Anyway, even if a filter that checks reputation could be put in place, the service would not reach the people who need it,
because you cannot stop a connection, wait for the check, and then let it resume.
Instead, lists of known SIP attackers should be loaded onto the router and kept up to date.

https://itexpertoncall.com/additional_info/voipshield.html

Hi Gents,

Thank you for the advice. However, I only used SIP as an example. It would still work however, since I could/would check the IP address on first registration.
What I'm looking for here is a live dynamic solution that is not primarily based on address lists but on a reply from an IP address reputation provider, which replies as below for IP 223.152.100.162:

{
  "ip": "223.152.100.162",
  "score": "7",
  "risk": "low"
}

Based on that score, access is either allowed or denied.

Rgds,
Mark.
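The allow/deny step described in the post above, as an added example that is not code from this thread, from MikroTik, or from any provider or project named here: a Python sketch that parses a reply in the shape quoted above, applies an assumed score threshold, caches decisions so the provider's lookup quota is not burned on repeat addresses, and emits the RouterOS address-list command for denied addresses. The provider replies are constructed for the example; the list name `reputation-deny`, the threshold of 50, and the existence of a drop rule matching that list are assumptions.

```python
import json
from dataclasses import dataclass, field

# Constructed provider replies in the ip/score/risk shape quoted in the thread.
# A real deployment would fetch these over HTTP; they are embedded so the
# example runs offline. The third entry simulates a limited/malformed reply.
SAMPLE_REPLIES = {
    "223.152.100.162": '{"ip":"223.152.100.162","score":"7","risk":"low"}',
    "198.51.100.23":   '{"ip":"198.51.100.23","score":"85","risk":"high"}',
    "203.0.113.9":     '{"error":"quota exceeded"}',
}

@dataclass
class ReputationGate:
    threshold: int = 50          # scores at or above this are denied (assumed policy)
    fail_closed: bool = False    # decision when the provider gives no usable score
    cache: dict = field(default_factory=dict)  # ip -> decision, spares the quota
    lookups: int = 0             # how many provider calls were made

    def lookup(self, ip):
        # Stand-in for the provider call; counted so quota use is visible.
        self.lookups += 1
        return SAMPLE_REPLIES.get(ip, "")

    def decide(self, ip):
        """Return 'allow' or 'deny' for an address, consulting the cache first."""
        if ip in self.cache:
            return self.cache[ip]
        try:
            reply = json.loads(self.lookup(ip))
            score = int(reply["score"])
        except (ValueError, KeyError, TypeError):
            # Unusable reply (empty, invalid JSON, no score): apply the default.
            decision = "deny" if self.fail_closed else "allow"
        else:
            decision = "deny" if score >= self.threshold else "allow"
        self.cache[ip] = decision
        return decision

    def routeros_command(self, ip, timeout="1d"):
        """Address-list entry for a denied address; a drop rule matching the
        list (assumed to exist) does the blocking, asynchronously to the lookup."""
        if self.decide(ip) != "deny":
            return None
        return (f"/ip firewall address-list add list=reputation-deny "
                f"address={ip} timeout={timeout} comment=\"score>={self.threshold}\"")

if __name__ == "__main__":
    gate = ReputationGate()
    for ip in SAMPLE_REPLIES:
        print(ip, gate.decide(ip), gate.routeros_command(ip))
```

Because the entry is added after the lookup completes, the first packet from a new address is still judged only by the existing firewall rules; later connections hit the list. Set `fail_closed=True` if a quota-exhausted or unreachable provider should deny rather than allow.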

Methinks you are on the wrong forum and product line. Check this out… https://en.wiktionary.org/wiki/impossible

@siscom, the closest you can find is CrowdSec; please check if there's already a bouncer for MikroTik

Hi,

@loloski - Thank you for the positive comment. And yes, found one: https://hub.crowdsec.net/author/funkolab/bouncers/cs-mikrotik-bouncer
I’ll look into this too - cheers.

Rgds,
Mark.

crowdsec

"Description
This repository aims to implement a CrowdSec bouncer for the MikroTik router to block malicious IPs from accessing your services. For this it leverages the MikroTik API to populate a dynamic Firewall Address List"

Snake oil.
All these lists are snake oil.
Personal opinion.