Spamhaus + Dshield + Malc0de + OpenBL Malicious IP Blacklists!

For some this is nothing new, but for others it might prove to be quite a valued resource, so we decided to make it available gratis for the public as a way of giving back and saying thank you to all those who have supported us. Besides, we can't really charge for it; it isn't our work!

Spamhaus and DShield malicious IPs combined into a single import script.

Blog post about it http://blog.squidblacklist.org/?p=297

Can be downloaded at the following URL:
http://www.squidblacklist.org/downloads/drop.malicious.rsc

And here's a couple of bonus free blacklists.

Tor Nodes IP Firewall Blacklist
http://www.squidblacklist.org/downloads/sbl-tornodes.rsc
An ads blacklist for RouterOS DNS:
http://www.squidblacklist.org/downloads/tik-dns-ads.rsc

Firewall Rules Here:

ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=drop.dshield



ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=drop.spamhaus1



ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=drop.spamhaus2

And a couple more to help secure your networks!
http://joshaven.com/malc0de.rsc
http://joshaven.com/openbl.rsc

Credit to the Author for making these resources available.
Read more from the publisher http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/

The following single firewall rule will set up BOTH of the Josh Aven blacklists.

ip firewall filter add chain=input src-address-list=drop.blacklist action=drop log=drop.blacklist

Log in to Winbox - Scheduling update tasks for your blacklists.
Go to System - Scheduler and create a new task by clicking the blue plus button.




First schedule a download task:

/ip firewall address-list remove [find where comment="OpenBL"] 
/tool fetch address=joshaven.com host=joshaven.com mode=http src-path=/openbl.rsc

Next, schedule an import task. (We disable logging temporarily to alleviate excessive disk writes that could result in early NAND memory failures.)


(paste this into the scheduler box)

:log warning "Disabling system Logging";
/system logging disable 0
import openbl.rsc
/system logging enable 0

Now do the same for the rest of your blacklists.

/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/drop.malicious.rsc



:log warning "Disabling system Logging";
/system logging disable 0
import drop.malicious.rsc
/system logging enable 0



/ip firewall address-list remove [find where comment="malc0de"] 
/tool fetch address=joshaven.com host=joshaven.com mode=http src-path=/malc0de.rsc



:log warning "Disabling system Logging";
/system logging disable 0
import malc0de.rsc
/system logging enable 0

( Heads up: Issue with Spamhaus2 missing text: Fixed )
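
Since `import` runs every command in the fetched file and the downloads above use plain HTTP, a downloaded copy can be checked on an admin workstation before it reaches the router. This is an added example, not part of the original post or the list publishers' tooling: `audit_rsc`, the accepted line shapes, the protected network and the sample file are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Accepted line shapes are assumptions modelled on the commands quoted in this
# thread, not on the published files. "$" and "[ ]" are kept out of log text.
LOG = re.compile(r'^:log (info|warning) "[^"\[\]$;]*";?$')
CLEANUP = re.compile(
    r"^:foreach subnet in \[/ip firewall address-list find list=([\w.]+)\] "
    r"do=\{ /ip firewall address-list remove \$subnet \}$")
ADD = re.compile(
    r"^(?:/ip firewall address-list )?add list=([\w.]+) address=(\S+)"
    r'(?: comment="?[\w.-]+"?)?$')

def audit_rsc(text, allowed_lists, protected):
    """Return (entries, problems). Import the file only if problems is empty."""
    keep = [ipaddress.ip_network(p) for p in protected]
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if (not line or line.startswith("#") or LOG.match(line)
                or line == "/ip firewall address-list"):
            continue
        m = CLEANUP.match(line) or ADD.match(line)
        if not m:
            problems.append((n, "unexpected command"))
        elif m.group(1) not in allowed_lists:
            problems.append((n, "unexpected list name"))
        elif m.re is ADD:
            try:
                net = ipaddress.ip_network(m.group(2), strict=False)
            except ValueError:
                problems.append((n, "bad address"))
                continue
            # An entry overlapping your own networks would lock you out.
            if any(net.version == p.version and net.overlaps(p) for p in keep):
                problems.append((n, "covers a protected network"))
            else:
                entries.append((m.group(1), str(net)))
    return entries, problems

# Constructed sample, not real blocklist content.
SAMPLE = """\
:log info "drop.spamhaus2 script import started"
:foreach subnet in [/ip firewall address-list find list=drop.spamhaus2] do={ /ip firewall address-list remove $subnet }
/ip firewall address-list
add list=drop.spamhaus2 address=198.51.100.0/24
add list=drop.dshield address=203.0.113.7 comment=DShield
add list=drop.dshield address=0.0.0.0/0
add list=allow.mgmt address=203.0.113.9
/system identity set name=changed
"""
```

Calling `audit_rsc(SAMPLE, {"drop.dshield", "drop.spamhaus1", "drop.spamhaus2"}, ["192.0.2.0/24"])` accepts the two ordinary entries and reports lines 6, 7 and 8.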

Thank you for providing this. However, the script is currently (as of 2/6/16) exiting to an error after the spamhaus1 import update. It appears to be missing the following:

:log info "drop.spamhaus2 script import started"
:foreach subnet in [/ip firewall address-list find list=drop.spamhaus2] do={ /ip firewall address-list remove $subnet }

I’ve been offering this for a while, with a few advantages.

http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1

I use Dynamic address lists. This keeps the IPs in memory and dramatically reduces the number of flash writes. The script tells the server some basics about the router, and the server is able to send more or less addresses, based on the CPU and memory. This is helpful because in addition to the DShield and Spamhaus blocklists, my server collects IPs from just over 100 other Mikrotik routers and IDS boxes looking for active attacks. So, there are days that the list can balloon up to over 50k IPs during an active DDoS attack.

Very nice. Thanks, David!

Oh boy, I'll get that fixed right away. (3 months later)

NICE! I'm eager to check it out!

Issue resolved. ( Now if you'll excuse me I have to go wipe this egg off my face ) :open_mouth: :open_mouth: :laughing:

Hi Squidblacklist
Can you please add the filter rules that you are using?

Bigfoot

Does this work?

Sure does, I have been using it for over a year on my units without issue, updating every 3 hours.

Sure. I have updated the original post with more detailed instructions as well as two more free blacklists.

Hey Dave, I know you are big into this stuff, so I wanted to give you the heads up on these other blacklists now available for RouterOS thanks to Josh Aven.

http://joshaven.com/malc0de.rsc
http://joshaven.com/openbl.rsc

He has taken the time to write up a few comprehensive pages so I thought you might be interested.

Been using them already for years. My server can take just about any blacklist in any format and puts it into RouterOS format.

Hi Squidblacklist
The filter rules are not correct; I believe they must look like this.

/ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=yes comment="drop.dshield"
/ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=yes comment="drop.spamhaus1"
/ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=yes comment="drop.spamhaus2"

Bigfoot :sunglasses:

Yes and No. Yes, in that you would only require the quotes if you were manually entering it into a terminal or including the commands in a script.

And No, in that when you use commands in winbox scheduler, you don't need the quotes.

Sharp :sunglasses: