My contribution to keep out the scanners

I’ve done my research. I created several lists of the most notorious scanners doing open port scanning. Love these guys, or hate them… Best to just block input on these guys.

Put this into your terminal, then if it's easier, move the firewalls up your chains. Inputs near the top, forwards near the middle. Test as needed.

Feel free to give me comments:

## SHODAN Block List for Mikrotik

```
/ip firewall address-list
add address=198.20.69.74/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=198.20.69.98/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=198.20.99.130/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=93.120.27.62/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=66.240.236.119/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=71.6.135.131/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=66.240.192.138/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=71.6.167.142/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=82.221.105.6/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=82.221.105.7/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=71.6.165.200/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=188.138.9.50/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=85.25.103.50/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=85.25.43.94/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=71.6.146.185/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=71.6.158.166/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=198.20.87.98/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=209.126.110.38/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=66.240.219.146/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=104.236.198.48/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=104.131.0.69/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=162.159.244.38/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=184.105.247.196/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=141.212.122.112/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=125.237.220.106/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=192.81.128.37/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=74.82.47.2/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=216.218.206.66/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=184.105.139.67/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=54.81.158.232/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=141.212.122.144/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=141.212.122.128/32 comment="SHODAN_Block_List" list=SHODANBlocks
add address=54.206.70.29/32 comment="SHODAN_Block_List" list=SHODANBlocks
```

## Censys Block List for Mikrotik

```
/ip firewall address-list
add address=66.132.159.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=162.142.125.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=167.94.138.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=167.94.145.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=167.94.146.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=167.248.133.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=199.45.154.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=199.45.155.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=206.168.34.0/24 comment="Censys_Block_List" list=CensysBlocks
add address=206.168.35.0/24 comment="Censys_Block_List" list=CensysBlocks
```

## ShadowServer Block List for Mikrotik

```
/ip firewall address-list
add address=184.105.139.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=216.218.206.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=74.82.47.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=184.105.247.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=65.49.20.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=65.49.1.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=64.62.156.0/24 comment="Shadow_Block_List" list=ShadowBlocks
add address=64.62.197.0/24 comment="Shadow_Block_List" list=ShadowBlocks
```

## Add the Rules for input drop

```
/ip firewall filter
add action=drop chain=input comment="Drop all traffic to-from addresses on SHODAN Block address list" src-address-list=SHODANBlocks
add action=drop chain=input comment="Drop all traffic to-from addresses on Censys Block address list" src-address-list=CensysBlocks
add action=drop chain=input comment="Drop all traffic to-from addresses on Shadow Block address list" src-address-list=ShadowBlocks
```

## Add the Rules for forward drop

```
/ip firewall filter
add action=drop chain=forward comment="Drop all traffic to-from addresses on SHODAN Block address list" dst-address-list=SHODANBlocks
add action=drop chain=forward comment="Drop all traffic to-from addresses on Censys Block address list" dst-address-list=CensysBlocks
add action=drop chain=forward comment="Drop all traffic to-from addresses on Shadow Block address list" dst-address-list=ShadowBlocks
```

It is better to block address lists for Mikrotik routers via RAW.

Too bad not all ISPs do what I do with my customers…

That was my first idea as well.

Please explain, like I'm a 16yo. I'm still figuring this out.

Dropping via RAW is a lot faster and easier on CPU. No need to go through packet flow decision chain.

Do pray tell, dear Sir, and what do you do for your customers ??

Like this:

```
/ip firewall raw add action=drop chain=prerouting comment="Permanently Scanners Block" in-interface-list=WAN src-address-list=Block_Permanently
```
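An added example, not the OP's config and not anything from MikroTik: a Python script that merges the three address lists from the first post into a single list, reporting the duplicated Shadow entry and the /32s that are already covered by another list's /24, and then emits the consolidated list together with the RAW prerouting drop rule just above. The entries are a constructed subset of the lists in the thread, and the list name Block_Permanently is taken from that rule.

```python
import ipaddress

# Constructed subset of the /32 and /24 entries pasted in the first post,
# keyed by the address-list name used there (one Shadow line is duplicated
# in the post, so it is duplicated here too).
SAMPLE_LISTS = {
    "SHODANBlocks": ["198.20.69.74/32", "184.105.247.196/32", "184.105.139.67/32",
                     "74.82.47.2/32", "216.218.206.66/32"],
    "CensysBlocks": ["162.142.125.0/24", "167.94.138.0/24"],
    "ShadowBlocks": ["184.105.139.0/24", "216.218.206.0/24", "74.82.47.0/24",
                     "184.105.247.0/24", "184.105.247.0/24"],
}


def consolidate(lists):
    """Merge all lists into one set of prefixes.

    Exact duplicates (RouterOS rejects those on import) and entries already
    covered by a wider prefix are dropped and reported as
    (entry, source list, reason) tuples so the operator can review them.
    """
    seen = {}      # network -> list it was first seen in
    dropped = []
    for name, entries in lists.items():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=True)
            if net in seen:
                dropped.append((entry, name, f"duplicate of entry in {seen[net]}"))
                continue
            seen[net] = name
    # collapse_addresses removes covered prefixes and joins adjacent ones
    merged = list(ipaddress.collapse_addresses(list(seen)))
    for net, name in seen.items():
        cover = next(m for m in merged if net.subnet_of(m))
        if cover != net:
            dropped.append((str(net), name, f"covered by {cover}"))
    return merged, dropped


def routeros_commands(merged, list_name="Block_Permanently"):
    """Emit one address list plus the RAW prerouting drop rule from the thread."""
    cmds = ["/ip firewall address-list"]
    cmds += [f'add address={net} comment="Scanner_Block_List" list={list_name}'
             for net in merged]
    cmds.append("/ip firewall raw")
    cmds.append(f'add action=drop chain=prerouting comment="Permanently Scanners Block" '
                f'in-interface-list=WAN src-address-list={list_name}')
    return cmds
```

Feed it the full lists from the post and paste the output into the terminal; the skipped entries show which per-host rules were already redundant before import.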

Blocking scanners on the version of the Internet we have today is essentially not possible, especially by blocking a handful of addresses and ranges, especially if that list is not automatically and frequently updated.

What these sorts of measures can help with is reducing spurious resource usage (e.g. due to repeated authentication attempts) or logging.

In my experience, it’s a real danger that people focus on these measures instead of things that provide fundamental security. Also, a false sense of security can be more harmful than scanning.

As to raw/filter: principles around this can be debated endlessly, however for the amount of traffic involved in scanning it doesn’t matter. If you have levels of this type of traffic that it stresses your router, something is very wrong.

Where does the prerouting chain go? Is it like an input?

Thanks

I am happy that my ISP provides me with a real dual-stack internet connection and not a “web” connection with few other services allowed.

I’ve explained this countless times in other topics…

Why is this my answer?
What limits should my clients have, according to your allusions?

As if all readers are going to start combing through all your last posts trying to find that nugget…
We don't all have the same amount of free time :stuck_out_tongue_winking_eye:

Without going into too much detail, non-NATted and non-shared public IPv4, direct IPv6, MTU at 1500 instead of limited to 1492 or other, anti-spoofing filters already present, blacklists already updated without the need for the customer to put them in their router, various honeypots, DDoS protection provided directly with the exchange with other ASs.

Security is not a one pit-stop, though.
One more security layer is not bad. Especially since the source of the blocklist might be different.
That’s why also security does not stop at blocklists, but in addition you isolate devices, keep exposed software up-to-date.

I would not appreciate if my ISP deploys a blocklist on behalf of me that I cannot configure and I have to call them to whitelist an IP.
But, everything else you listed is nice of you and hopefully appreciated by the customers.

To be honest, it’s a difficult dilemma. Which is better: to believe that clients are “smart” and can protect themselves, or to think that most clients are ordinary “home” users who practically never update their routers and hope that the default settings will save them from all problems forever?

Check out the documentation. I gave you the link. There’s also an example of how to use it.

Since asking me to be “free” of any(*) blacklist is completely free…

(*) except some blacklist from Italian government I’m forced to apply.
(Gambling, Tobacco, not normal porn [you understand… don’t make me write it…], illegal video streams of pay-tv, etc.)