ehbowen
newbie
Topic Author
Posts: 35
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas

Implementing a Blacklist

Tue Jun 11, 2019 5:28 pm

I'm getting persistent and repeated attacks on my home office network, mostly from similar IP ranges (which are well away from the main user base of my web site). I've got account protection on my server which cuts an IP address off after repeated unsuccessful connection attempts and I do use strong passwords, but I'd like to implement a blacklist at my router to shut off known pesthole IPs and IP ranges completely. What's the simplest/best way to accomplish this?
There are very few problems which cannot be solved by a suitable application of high explosives....

BartoszP
Forum Guru
Posts: 1694
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Implementing a Blacklist  [SOLVED]

Tue Jun 11, 2019 5:54 pm

My simple solution:
/ip service
set winbox port=18291
/interface list
add name=WAN_LIST
/interface list member
add interface=ETH1-WAN list=WAN_LIST
/ip firewall raw
#
# accept packets to nonstandard WinBox port ... could be tailored for access from particular subnets etc.
#
add action=accept chain=prerouting dst-port=18291 protocol=tcp
#
# if an IP is registered on the level 1 blacklist, add it to level 2 and drop ASAP .. the timeout is 27 minutes, so if you make an error then after 1/2 h you can
# access your own router again
#
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=27m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
#
# if an IP scans for these ports from the WAN side then treat it as an attack and add it to the level 1 blacklist
#
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log-prefix="RAW1: " protocol=tcp
#
# you can add more blocking lists if you want
#
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment="sbl spamhaus" disabled=yes in-interface-list=WAN_LIST src-address-list="sbl spamhaus"
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment="sbl blocklist.de" disabled=yes in-interface-list=WAN_LIST src-address-list="sbl blocklist.de"
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment="sbl dshield" disabled=yes in-interface-list=WAN_LIST src-address-list="sbl dshield"
#
# drop any packet if it is on a blacklist
#
add action=drop chain=prerouting comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK
Real admins use real keyboards.
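A small Python model of the two-level escalation the raw rules above implement, added here as an illustration and not part of BartoszP's post or RouterOS itself. The RawChain class, the simulated minute clock and the sample addresses are constructed so the 17m/27m timeouts and the rule order can be checked offline:

```python
from dataclasses import dataclass, field

# Ports the RAW1ADD rule treats as a scan when hit from the WAN side
SCAN_PORTS = {8291, 22, 23, 2000, 7547, 11211, 135, 137, 138, 139,
              548, 80, 8080, 81, 37215}
WINBOX_PORT = 18291  # non-standard WinBox port accepted ahead of every drop

@dataclass
class RawChain:
    """Model of the /ip firewall raw prerouting chain (constructed, not RouterOS)."""
    now: int = 0  # simulated clock in minutes, stands in for the router's timers
    lists: dict = field(default_factory=lambda: {"RAWATTACK": {}, "RAWATTACK2": {}})

    def listed(self, name, ip):
        """True while the entry's address-list-timeout has not yet elapsed."""
        expiry = self.lists[name].get(ip)
        return expiry is not None and expiry > self.now

    def _add(self, name, ip, timeout):
        # Assumption of this model: re-adding an address resets its expiry
        self.lists[name][ip] = self.now + timeout

    def handle(self, src, dst_port, proto="tcp", wan=True):
        """Return the verdict for one packet, walking the rules in the post's order."""
        if proto == "tcp" and dst_port == WINBOX_PORT:
            return "accept"                      # accept rule for port 18291 (any interface)
        if wan and self.listed("RAWATTACK", src):
            self._add("RAWATTACK2", src, 27)     # RAW2ADD: escalate, 27m, passthrough
        if wan and self.listed("RAWATTACK2", src):
            return "drop"                        # RAW2: level-2 entries dropped first
        if wan and proto == "tcp" and dst_port in SCAN_PORTS:
            self._add("RAWATTACK", src, 17)      # RAW1ADD: level-1 listing, 17m
        if wan and self.listed("RAWATTACK", src):
            return "drop"                        # RAW1: anything on level 1 is dropped
        return "accept"                          # falls through to the normal filter chains

if __name__ == "__main__":
    chain = RawChain()
    ip = "203.0.113.7"                           # constructed sample scanner address
    print(chain.handle(ip, 8291))                # drop: listed on RAWATTACK by this packet
    print(chain.handle(ip, 443))                 # drop: escalated to RAWATTACK2 for 27m
    chain.now = 20                               # level 1 expired, level 2 still active
    print(chain.handle(ip, 443))                 # drop
    chain.now = 30                               # both entries expired: access restored
    print(chain.handle(ip, 443))                 # accept
```

The walk-through shows why the accept rule for the WinBox port must sit first: it is evaluated before either drop, so a locked-out admin still reaches the router on 18291 while the 27-minute level-2 entry runs out.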
 
anav
Forum Guru
Posts: 2716
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Implementing a Blacklist

Tue Jun 11, 2019 6:14 pm

The easiest solution.................. That's easy.....
Let someone else do all the work.........
viewtopic.php?f=2&t=137632

(for basically $10 a month, or 4 cups of coffee a month)

I would be using that except I am using Axiom Shield (as I can claim it as a business expense).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
