 
PeterDoBrasil
Member Candidate
Topic Author
Posts: 134
Joined: Sun Aug 23, 2015 6:55 pm

Block Bad Host Names on DHCP Lease

Sat Oct 24, 2015 12:21 pm

# Block Bad Host Name, ARP Spoofing etc. #
# host-name, edit t1 -> t15 #
# then add the script to scheduler and run every two minutes #
# Mikrotik RouterOS v6.33rc30 #
:foreach i in=[/ip dhcp-server lease find where host-name="t1" || host-name="t2" || host-name="t3" \
|| host-name="t4" || host-name="t5" || host-name="t6" || host-name="t7" \
|| host-name="t8" || host-name="t9" || host-name="t10" || host-name="t11" \
|| host-name="t12" || host-name="t13" || host-name="t14" || host-name="t15" ] do={
:local ip [/ip dhcp-server lease get $i address ];
:local mac [/ip dhcp-server lease get $i mac-address ];
:local host [/ip dhcp-server lease get $i host-name ];
# make only the matched lease static (a bare "find" would convert every lease on the server)
/ip dhcp-server lease make-static $i;
# block-access can only be set on a static lease, so look the lease up again by MAC
/ip dhcp-server lease set [ find where dynamic=no mac-address=$mac ] use-src-mac=yes client-id="1:$mac" \
server=dhcp1 block-access=yes comment=BadHost
:log warning ("Bad Host Name $host " . "with Mac $mac " . "and IP $ip blocked on dhcp server lease ")
}


# Remove Bad Host Name, ARP Spoofing etc. #
# then add the script to scheduler and run every 12 hours #
# Mikrotik RouterOS v6.33rc30 #
:foreach i in=[/ip dhcp-server lease find where comment=BadHost ] do={
:local ip [/ip dhcp-server lease get $i address ];
:local mac [/ip dhcp-server lease get $i mac-address ];
:local host [/ip dhcp-server lease get $i host-name ];
# remove only the current lease; removing every BadHost lease here would break the
# remaining iterations, whose $i would no longer exist
/ip dhcp-server lease remove $i;
:log warning ("Bad Host Name $host " . "with Mac $mac " . "and IP $ip Removing from dhcp server lease ")
}

# Other Option to Block bad Elements is with Bridge Filter #
# Block Bad Host Name, ARP Spoofing etc. #
# host name, edit t1 -> t15 #
# then add the script to scheduler and run every two minutes #
# Mikrotik RouterOS v6.33rc30 #
:foreach i in=[/ip dhcp-server lease find where host-name="t1" || host-name="t2" || host-name="t3" \
|| host-name="t4" || host-name="t5" || host-name="t6" || host-name="t7" \
|| host-name="t8" || host-name="t9" || host-name="t10" || host-name="t11" \
|| host-name="t12" || host-name="t13" || host-name="t14" || host-name="t15" ] do={
:local ip [/ip dhcp-server lease get $i address ];
:local mac [/ip dhcp-server lease get $i mac-address ];
:local host [/ip dhcp-server lease get $i host-name ];
# only add rules once per MAC, so the two-minute scheduler run stays idempotent
:if ([:len [/interface bridge filter find where src-mac-address="$mac/FF:FF:FF:FF:FF:FF" ]] = 0) do={
# mac-protocol=ip matches IPv4 frames only; ARP frames (mac-protocol=arp) are not dropped by these rules
/interface bridge filter add chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip action=drop comment=BadHost
/interface bridge filter add chain=output src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip action=drop comment=BadHost
/interface bridge filter add chain=forward src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip action=drop comment=BadHost
:log warning ("Bad Host Name $host " . "with Mac $mac " . "and IP $ip add to bridge filter ")
}
}

# Remove Bad Host Name, ARP Spoofing etc. #
/interface bridge filter remove [ find where comment=BadHost ]
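A generalized version of the lease-blocking script above, added here as an example and not part of PeterDoBrasil's post: instead of chaining fifteen host-name="tN" comparisons it takes an array of regular-expression patterns (the array $badHosts and the patterns in it are assumptions, the first one covering t1 to t15), matches host names with ~, makes only the matched lease static, and skips leases that are already blocked so a two-minute scheduler run does not re-log them. The comment=BadHost tag is kept so the removal script above still finds these leases.

```routeros
# Added example (not the original poster's script): block DHCP leases whose
# host-name matches any pattern in an array, logging once per newly blocked lease.
# Assumed: the array $badHosts and its patterns; the first pattern covers t1..t15.
:local badHosts {"^t([1-9]|1[0-5])\$"; "^badhost"}

:foreach pattern in=$badHosts do={
    :foreach i in=[/ip dhcp-server lease find where host-name~$pattern] do={
        :local ip   [/ip dhcp-server lease get $i address]
        :local mac  [/ip dhcp-server lease get $i mac-address]
        :local host [/ip dhcp-server lease get $i host-name]
        # already-blocked leases are left alone, so repeated scheduler runs are quiet
        :if ([/ip dhcp-server lease get $i block-access] != true) do={
            # block-access only exists on static leases; convert just this one
            :if ([/ip dhcp-server lease get $i dynamic] = true) do={
                /ip dhcp-server lease make-static $i
            }
            # make-static may change the lease id, so find the static lease by MAC
            /ip dhcp-server lease set [find where mac-address=$mac dynamic=no] \
                block-access=yes comment=BadHost
            :log warning "Bad host-name $host (MAC $mac, IP $ip) blocked on DHCP lease"
        }
    }
}
```

Run it from the scheduler exactly as the original, every two minutes; the removal script above still works because the comment is unchanged.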
 
piyaservice
just joined
Posts: 20
Joined: Fri May 15, 2015 11:16 am

Re: Block Bad Host Names on DHCP Lease

Thu Jun 02, 2016 10:15 am

Dear sir,
Please explain to me; I don't understand.
Questions:
1. Where is the script installed or copied to?
2. If I want to block the active host name "anroidxxxx", can this script do it or not?

Best regards
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Thu Apr 19, 2018 7:31 pm

I want to do something similar. When an internal attack on the LAN is detected, the attacker's IP is sent to a ban list, but I don't know how to get that IP blocked in the DHCP server, since all my IPs are assigned by static DHCP bound to the MAC, with ARP in reply-only mode.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Bad Host Names on DHCP Lease

Sat Apr 21, 2018 12:00 pm

Are you fine with the fact that the ban will take place minutes or hours after the malicious activity has been detected, because the DHCP server cannot withdraw a lease from a DHCP client during its validity period, it can only not renew the lease when the client asks for the renewal?

Are all devices in the LAN connected directly to Mikrotik Ethernet ports, each by its own cable, or are there any other switches/hubs between the Mikrotik and the devices in the LAN?
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Sun Apr 22, 2018 8:40 pm

Yes, I know the DHCP server gives it a lifetime, but if I block the PC's lease it is left out of the network as soon as it loses its lease; the normal lease is 1 minute.
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Sun Apr 22, 2018 8:43 pm

If I block its IP assignment in the DHCP server it gets blocked automatically, since the network is closed against ARP and the DHCP server pushes the IPs straight into the ARP table as they are assigned.
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Mon Apr 30, 2018 8:13 pm

I would like your help to see how I can make this script work with a list and not with an IP assigned to a variable.

:local hacklist "172.23.4.1"
:foreach host in=$hacklist do={
:local busyaddr [/ip dhcp-server lease find where address=$host]
:local i
:foreach i in=$busyaddr do={
/ip dhcp-server lease set $i block-access=yes;
}
}
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Bad Host Names on DHCP Lease

Mon Apr 30, 2018 9:00 pm

I would like your help to see how I can make this script work with a list and not with an IP assigned to a variable.
:local hacklist "172.23.4.1"
:foreach host in=$hacklist do={
  :local busyaddr [/ip dhcp-server lease find where address=$host]
  :local i
  :foreach i in=$busyaddr do={
    /ip dhcp-server lease set $i block-access=yes;
  }
}

I'm afraid I don't understand exactly why you've used two cycles where one should be sufficient, but I'm afraid there is no way to match the leased addresses against a list directly, without any cycle at all.

$hacklist contains the addresses of all dhcp clients you want to block, right? So the inner cycle should only run once each time, because each $host should not exist more than once in the leases, so $busyaddr should always contain a reference to a single lease. Is that not the case?

My script would be
:local hacklist "172.23.4.1"
:foreach host in=$hacklist do={
  /ip dhcp-server lease set [/ip dhcp-server lease find where address=$host] block-access=yes;
}


But I still maintain that by blocking a MAC address on DHCP level as you do above, you cannot prevent the blocked client from contacting other clients in the same subnet until the lease expires, because even if Mikrotik ignored the ARP requests coming from the blocked client (I don't know where you've found that), the other clients on the LAN will not ignore them. So until the lease expires, that malicious client will still be able to attack other devices on its LAN.
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Tue May 01, 2018 12:10 am

Yes, it is as you say, but I want it to do this for an address-list with several IPs in it. I know the lease will already have been granted, but since the DHCP server is set up to push entries to the ARP table, blocking it there will interrupt its lease; I can always do another loop afterwards and delete it from the ARP table, but I want to do this part first.

sample:
:local numeroipext [/ip firewall address-list find where comment="ip_ext"];
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Tue May 01, 2018 12:18 am

Something like this:

:local hacklist [/ip firewall address-list find where list=ban];
:foreach item in=$hacklist do={
:local host [/ip firewall address-list get $item address];
/ip dhcp-server lease set [/ip dhcp-server lease find where address=$host] block-access=yes;
}

but by IP, because the comment is not set when the entry is generated automatically from a ban list.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Bad Host Names on DHCP Lease

Tue May 01, 2018 12:31 am

I'm afraid google translator's performance on Spanish->English translation is not as good as you believe because I have problems to understand what you wrote.

Is the code below inspirative enough for you?

:foreach item in=[/ip firewall address-list find where list=troublemaker] do={:put [/ip firewall address-list get $item address]}
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Tue May 01, 2018 5:03 pm

Sorry, but since I don't write English I have to use it.
I will try to be more explicit.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block Bad Host Names on DHCP Lease

Tue May 01, 2018 5:40 pm

It is useful to translate the sentence from Spanish into English and then translate the result into Spanish. If the result in Spanish has the same meaning as the original, it is quite likely that the sentence in English also makes sense.
 
yosdeny
just joined
Posts: 19
Joined: Wed Apr 18, 2018 7:32 pm

Re: Block Bad Host Names on DHCP Lease

Wed May 02, 2018 7:30 pm

I'm afraid google translator's performance on Spanish->English translation is not as good as you believe because I have problems to understand what you wrote.

Is the code below inspirative enough for you?

:foreach item in=[/ip firewall address-list find where list=troublemaker] do={:put [/ip firewall address-list get $item address]}

I already got everything working. But I still cannot get the lease to reset.

:foreach item in=[/ip firewall address-list find where list=prueba] do={
:local ipList [/ip firewall address-list get $item address]
:local busyaddr [/ip dhcp-server lease find where address=$ipList]
/ip dhcp-server lease set $busyaddr block-access=yes lease-time=1 comment=bloqueando-ataque-lan
:local daddr [/ip arp find where address=$ipList]
/ip arp remove $daddr
}
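An added example that combines the two points made in this thread (it is not code from sindy's or yosdeny's posts): the address-list loop sindy sketched and yosdeny's final script block the lease and delete the ARP entry, but as sindy noted the DHCP server cannot withdraw a lease before the client asks to renew it. The script below therefore also installs bridge filter drops for the client's MAC, as in the first post, so the client's traffic stops at once instead of at lease expiry. The address-list name ban, the comment tag BanList and the 1m lease-time are assumptions; address-list entries that are ranges or subnets are skipped because only a single host address can match a lease.

```routeros
# Added example (not from any post in this thread): block every DHCP lease whose
# address is on the firewall address-list "ban", and drop the client's frames on
# the bridge immediately, since a lease in force cannot be revoked by the server.
# Assumed names: address-list "ban", comment tag "BanList", lease-time 1m.
:local banList "ban"

:foreach item in=[/ip firewall address-list find where list=$banList] do={
    :local addr [/ip firewall address-list get $item address]
    # ranges and subnets cannot match a lease; only a single host address can
    :if ([:typeof [:toip $addr]] != "ip") do={
        :log info "Skipping address-list entry $addr (not a single host)"
    } else={
        :foreach lease in=[/ip dhcp-server lease find where address=$addr] do={
            :local mac [/ip dhcp-server lease get $lease mac-address]
            # block-access needs a static lease; convert only this one
            :if ([/ip dhcp-server lease get $lease dynamic] = true) do={
                /ip dhcp-server lease make-static $lease
            }
            # short lease-time makes the client come back for renewal quickly,
            # at which point block-access denies it (assumed value: 1m)
            /ip dhcp-server lease set [find where address=$addr dynamic=no] \
                block-access=yes lease-time=1m comment="BanList"
            # until then, drop the client's frames on the bridge; one rule set per MAC
            :if ([:len [/interface bridge filter find where comment="BanList:$mac"]] = 0) do={
                /interface bridge filter add chain=forward \
                    src-mac-address="$mac/FF:FF:FF:FF:FF:FF" action=drop comment="BanList:$mac"
                /interface bridge filter add chain=input \
                    src-mac-address="$mac/FF:FF:FF:FF:FF:FF" action=drop comment="BanList:$mac"
            }
            # drop the router's own ARP entry so it stops forwarding to the banned host
            /ip arp remove [find where address=$addr]
            :log warning "Banned $addr (MAC $mac): lease blocked, bridge filter rules added"
        }
    }
}
```

Schedule it like the scripts in the first post; when an address is removed from the list, the BanList-tagged leases and bridge filter rules can be removed with a loop over comment="BanList" and comment~"^BanList:" respectively.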
