43north
Member Candidate
Topic Author
Posts: 208
Joined: Fri Nov 14, 2014 7:06 am

Anyone use their "Drop All" input rule to make a black list of addresses?

Sat Sep 08, 2018 8:08 am

Just curious if anyone takes their Drop All input rule and makes an address "Block" list from the source addresses that hit the drop all rule? I have been tracking all my drop all rules by creating a test list. Just wonder if anyone incorporates these addresses into an actual block list? Pros or Cons of doing this??
 
samrock
just joined
Posts: 20
Joined: Thu Aug 06, 2015 5:17 am

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Sun Sep 09, 2018 12:19 am

I kinda do something like that.. I don't save all the dropped addresses I just save the ones that bang on the door then block them from being forwarded across my network.

Here is the meat and potatoes of how I do that..
add action=accept chain=input comment="input allow estab/relate/untrack" connection-state=established,related,untracked
add action=add-src-to-address-list address-list=White_List address-list-timeout=5m chain=input comment="port knock: 666" connection-state=new dst-port=666 protocol=tcp
add action=accept chain=input comment="input allow from White_List" src-address-list=White_List
add action=drop chain=forward comment="Blocked Internet Access List" out-interface="ether1 - WAN" src-address-list=blocked_internet_access
add action=add-src-to-address-list address-list=Black_List address-list-timeout=4w2d chain=input comment="Brute Force Stage 3" connection-state=new dst-port=21,22,23,80,443,8291,8728,8729 protocol=tcp src-address-list=BF_Stage2
add action=add-src-to-address-list address-list=BF_Stage2 address-list-timeout=2d chain=input comment="Brute Force Stage 2" connection-state=new dst-port=21,22,23,80,443,8291,8728,8729 protocol=tcp src-address-list=BF_Stage1
add action=add-src-to-address-list address-list=BF_Stage1 address-list-timeout=2d chain=input comment="Brute Force Stage 1" connection-state=new dst-port=21,22,23,80,443,8291,8728,8729 protocol=tcp src-address-list=!White_List
add action=drop chain=forward comment="Drop Black_List" src-address-list=Black_List
add action=drop chain=input comment="Drop Black_List" src-address-list=Black_List
add action=drop chain=input dst-port=21,22,23,80,443,8291,8728,8729 in-interface="ether1 - WAN" protocol=tcp src-address-list=!White_List

So I will start with that and add my other rules depending on if it will have OSPF, BGP or whatever else.. But that leads me to what I would like to do.. I just submitted a feature request for Mikrotik to add the ability for me to share this Black_List across all the routers in a network on the fly!

Think about how much more ground you are covering if the cracker scans your prefix and hits each IP once every 5 min so as to attempt to not trigger a security reaction, but your network is communicating in the background and still puts his ass in the Black_List !!
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Sun Sep 09, 2018 8:23 am

I do not change the last rule, but I have added this above it.
add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=30m chain=\
    input comment="This is used to collect users who try non-open ports." in-interface=ether1-Wan log-prefix=\
    FW_Drop_all_from_WAN
And close to the top I have added this:
add action=drop chain=input comment="Drop user that has tried blocked ports" in-interface=ether1-Wan log-prefix=\
    FW_Drop_all_from_WAN src-address-list=FW_Block_user_try_unkown_port

If someone tries to access any port that is not open, add them to the address list and then block them for 30 minutes.
This is somewhat hard to do, but it reduces the number of hits in the last block rule by 90%.
If you try something that you should not do, then close all :)
 
43north
Member Candidate
Topic Author
Posts: 208
Joined: Fri Nov 14, 2014 7:06 am

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Sun Sep 09, 2018 8:41 am

Hey guys, thanks for the reply. I always like to see other people's firewall rules and thoughts. @samrock I see other people have these progressively staged address lists. What is the thought behind that? Just to keep the ones that are knocking a lot in check for a longer period of time? I am currently adding anyone hitting port 22 or 23 to a dynamic block list; you have a more extensive port list, will definitely look into that. On your Whitelist, do you just have your normal local LAN IP addresses?
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Sun Sep 09, 2018 4:08 pm

I have 2 rules at the top of the filter chain to dump ALL TRAFFIC from IPs that hit any port I deem "interesting" in mangle prerouting.
The mangle rule adds them to an address list for 24 hours.
Then the drop rule drops that address list at the top of the firewall chain.
 
samrock
just joined
Posts: 20
Joined: Thu Aug 06, 2015 5:17 am

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Mon Sep 10, 2018 4:46 am

We use RFC1918 on our core network. At one point my White_List had 10.0.0.0/8, but now I have botnets inside my network that scan the whole RFC1918 range, so my White_List has my management IPs in it and I can add an IP to it on the fly if I need to by port knocking.

The staged list started back when we did not have so many crackers banging on the door. I was in the process of bringing my guys up to speed on working in unix and they got a lot of passwords wrong.. I now have them set up with a connection manager called PAC. I also have them to the point that they always VPN into tower routers to work on the network.

When I started noticing how the crackers were attempting to brute each address in my prefix once and then moving on so as not to trigger a security event, I modded the old SSH filters to watch all the ports listed and keep the list on file for 2 days, so that when they start back from the top they get put in the black list the second time around.

I have my edge router set to not forward anything from any IP on the Black_List, so I want to be sure they are attempting to brute before I put them in the shitter. I have had remote tech workers end up in my ssh filters before because they keep trying to ssh into the gateway. I hope some of those guys know more about SCADA than they do networking!

I don't want to attempt to block the whole internet by putting everyone in a Black_List right away. I am, however, thinking of setting up a longer term Black_List.. Right now once you get to the Black_List you are in time out for 30 days.. I am thinking of putting a rule in that if you are in the Black_List and keep banging on the door then you will get a permanent ban or maybe a tarpit..

As of today I have added port 10001 to my firewall also.. We have many people trying to scan for UBNT hardware! So my routers drop it by default now and log the IPs who are trying to use it..

The end goal of keeping a well vetted black list for us is to use it for protection of servers. I am also a Ham Radio Operator and we run this software that links radio repeaters over the internet. The front end of the controller needs to be public so other users can interact with the repeater; the vetted black list comes in handy to keep that stuff safe! We can't drop port 80 to our webserver or 4569 to our repeaters, but we can not let known assailants play with them..
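To show how the staged lists in samrock's rules behave against the slow, one-hit-per-address scan he describes, here is an added Python model written for this thread (it is not RouterOS code and not the poster's own script). The list names, ports and timeouts come from the rules quoted above; the IPs, hit times and the management host 10.10.0.5 are constructed.

```python
from datetime import datetime, timedelta

# Constructed model of samrock's staged lists above (added example, not RouterOS code).
WATCHED_PORTS = {21, 22, 23, 80, 443, 8291, 8728, 8729}
TIMEOUT = {"BF_Stage1": timedelta(days=2), "BF_Stage2": timedelta(days=2),
           "Black_List": timedelta(weeks=4, days=2)}
# (list the source must already be in, list it is added to), in firewall order: Stage 3, 2, 1.
STAGES = [("BF_Stage2", "Black_List"), ("BF_Stage1", "BF_Stage2"), (None, "BF_Stage1")]

class StagedBlocklist:
    def __init__(self, white_list):
        self.white_list = set(white_list)
        self.lists = {name: {} for name in TIMEOUT}  # list name -> {ip: expiry time}

    def in_list(self, name, ip, now):
        """Dynamic entries vanish once their address-list-timeout has passed."""
        expiry = self.lists[name].get(ip)
        if expiry is not None and expiry <= now:
            del self.lists[name][ip]
            return False
        return expiry is not None

    def new_tcp(self, ip, port, now):
        """Walk the input chain for one new TCP connection; return the verdict."""
        if ip in self.white_list:  # "input allow from White_List"
            return "accept"
        if port in WATCHED_PORTS:
            # add-src-to-address-list does not stop rule processing, so one packet
            # refreshes every stage the address already holds and advances it one stage.
            for needed, target in STAGES:
                if needed is None or self.in_list(needed, ip, now):
                    self.lists[target][ip] = now + TIMEOUT[target]
            return "drop"  # final drop rule on the watched ports
        return "drop" if self.in_list("Black_List", ip, now) else "unmatched"

def run_scenario():
    """Constructed hits: a scanner inside the 2-day window, one outside it, a manager."""
    t0 = datetime(2018, 9, 10, 4, 0)
    fw = StagedBlocklist(white_list={"10.10.0.5"})
    hits = [("203.0.113.7", 22, t0),  # scanner A: three hits 20 h apart
            ("203.0.113.7", 8291, t0 + timedelta(hours=20)),
            ("203.0.113.7", 23, t0 + timedelta(hours=40)),
            ("198.51.100.9", 22, t0),  # scanner B: three hits 3 days apart
            ("198.51.100.9", 22, t0 + timedelta(days=3)),
            ("198.51.100.9", 22, t0 + timedelta(days=6)),
            ("10.10.0.5", 22, t0 + timedelta(days=6))]  # management host
    verdicts = [fw.new_tcp(ip, port, t) for ip, port, t in hits]
    end = t0 + timedelta(days=6)
    reached = {ip: [n for n in TIMEOUT if fw.in_list(n, ip, end)] for ip in ("203.0.113.7", "198.51.100.9")}
    return verdicts, reached
```

Scanner A lands in Black_List on its third hit because its BF_Stage1 and BF_Stage2 entries are still alive; scanner B, spacing its hits beyond the 2-day timeout, never gets past BF_Stage1, which is exactly the window the 2d timeout has to cover.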
 
43north
Member Candidate
Topic Author
Posts: 208
Joined: Fri Nov 14, 2014 7:06 am

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Mon Sep 10, 2018 4:58 am

> As of today I have added port 10001 to my firewall also.. We have many people trying to scan for UBNT hardware! So my routers drop it by default now and log the IPs who are trying to use it..

Great write up and information, thanks for taking the time. Reference the 10001 and UBNT, I recently read about this. Just confirming this applies to UBNT gear on a public IP? The few UBNT radios I have are on my private LAN behind our firewall so I wouldn't think anything would get to them, correct? I may throw a RAW rule in for the fun of it in the meantime on my TIK.
 
samrock
just joined
Posts: 20
Joined: Thu Aug 06, 2015 5:17 am

Re: Anyone use their "Drop All" input rule to make a black list of addresses?

Mon Sep 10, 2018 7:05 am

> > As of today I have added port 10001 to my firewall also.. We have many people trying to scan for UBNT hardware! So my routers drop it by default now and log the IPs who are trying to use it..
>
> Great write up and information, thanks for taking the time. Reference the 10001 and UBNT, I recently read about this. Just confirming this applies to UBNT gear on a public IP? The few UBNT radios I have are on my private LAN behind our firewall so I wouldn't think anything would get to them, correct? I may throw a RAW rule in for the fun of it in the meantime on my TIK.

At least on my network it is affecting radios on public and private space.. It looks like they are using botnets on customers' computers to scan the RFC1918 addresses. We are now running the RAN with client isolation and dropping everything on port 10001.

I am about to start looking the IPs up from the logs and start sending customers notifications that something on their network is infected!
