Community discussions

MikroTik App
 
ehbowen
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas
Contact:

Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 1:55 pm

My routers have been under attack lately. I have MOAB service installed and running on both of them; however, in the past week my server logs have recorded more than 2000 attempts on my admin account which got past MOAB. I have the list filtered down to bare IPv4 addresses (IPv6 is currently disabled); what is the most efficient way to create my own supplemental blacklist (obviously, I haven't time to enter 2000 individual firewall entries!)?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 2:12 pm

Add any src-adr that try to reach your admin account to address-list. Make second address-list with your valid source addresses.

Then filter out in RAW any incoming for admin account who is on the list except for those that are on your valid list.

If that is working then you could decide to only use the valid list and block any other.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 2:59 pm

Ok, for reply correctly to OP question: "import 2000 IP address list inside MikroTik firewall"

1) Paste the list in one address aggregator: https://tehnoblog.org/ip-tools/ip-address-aggregator/
2) put the result on some decent text editor than permit the replace the "enter" (new line / carriage retourn / anynameyouwantforthat etc.) key with
 list=blacklist
add address=
do not forget space before list
3) add to the top of the file
/ip firewall address-list
4) check if the file appear like:

blacklist code

/ip firewall address-list
add address=31.13.64.0/18 list=lista_ip_facebook
add address=31.13.64.0/19 list=lista_ip_facebook
add address=31.13.64.0/24 list=lista_ip_facebook
add address=31.13.65.0/24 list=lista_ip_facebook
add address=31.13.66.0/24 list=lista_ip_facebook
add address=31.13.67.0/24 list=lista_ip_facebook
add address=31.13.68.0/24 list=lista_ip_facebook
add address=31.13.69.0/24 list=lista_ip_facebook
add address=31.13.70.0/24 list=lista_ip_facebook
add address=31.13.71.0/24 list=lista_ip_facebook
add address=31.13.72.0/24 list=lista_ip_facebook
add address=31.13.73.0/24 list=lista_ip_facebook
add address=31.13.74.0/24 list=lista_ip_facebook
add address=31.13.75.0/24 list=lista_ip_facebook
add address=31.13.76.0/24 list=lista_ip_facebook
add address=31.13.77.0/24 list=lista_ip_facebook
add address=31.13.79.0/24 list=lista_ip_facebook
add address=31.13.80.0/24 list=lista_ip_facebook
add address=31.13.81.0/24 list=lista_ip_facebook
add address=31.13.82.0/24 list=lista_ip_facebook
add address=31.13.83.0/24 list=lista_ip_facebook
add address=31.13.84.0/24 list=lista_ip_facebook
add address=31.13.85.0/24 list=lista_ip_facebook
add address=31.13.86.0/24 list=lista_ip_facebook
add address=31.13.87.0/24 list=lista_ip_facebook
add address=31.13.89.0/24 list=lista_ip_facebook
add address=31.13.90.0/24 list=lista_ip_facebook
add address=31.13.91.0/24 list=lista_ip_facebook
add address=31.13.92.0/24 list=lista_ip_facebook
add address=31.13.93.0/24 list=lista_ip_facebook
add address=31.13.94.0/24 list=lista_ip_facebook
add address=31.13.95.0/24 list=lista_ip_facebook
add address=31.13.96.0/19 list=lista_ip_facebook
add address=45.64.40.0/22 list=lista_ip_facebook
5a) save the file and import on routerboard.
5b) paste 400 lines at a time on the terminal
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 3:30 pm

Almost good suggestion but it will stop if the entry is duplcated. viewtopic.php?t=91437#p555095
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 4:40 pm

Addressing the symptoms is not necessarily addressing the root cause.
Perhaps I am wrong but lets look at it from another viewpoint

Stepping back at the problem ---> How is your admin account accessible to anybody on the internet.
Since you have not provided your config its hard to tell.

The first question that came to mind.... Does your input chain allow WAN access to the router?
Is that WAN access encrypted (VPN, port knocking etc.....)

/export hide-sensitive file=anynameyouwish.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 5:29 pm

why pay for a useless blacklist?
secure your device properly.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 6:23 pm

I am in contact with @ehbowen ... His Router is not under attack .... its his Synology Webserver admin account that is under attack .... Lots of issues with his RoS config plus his ATT Gateway. So hopefully will have that resolved soon. Its not a MOAB issue :D
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 7:21 pm

Thanks that there is a foe list.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Creating a 2000 entry personal Blacklist

Sun Aug 01, 2021 9:49 pm

ahh the homeowner that runs a server on his network with no protection trick.
that one sounds familiar, gluck straightening out the situation.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Creating a 2000 entry personal Blacklist

Mon Aug 02, 2021 10:37 am

Almost good suggestion but it will stop if the entry is duplcated. viewtopic.php?t=91437#p555095
It does NOT stop if my method 5b) is followed, it just continue, not caring about the "duplicate".
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Creating a 2000 entry personal Blacklist

Mon Aug 02, 2021 12:34 pm

Darn, the personal Blacklist only works when I am logged in.

Who is online

Users browsing this forum: Bing [Bot], gkoleff, outtahere and 55 guests