#### Select your list size ####
#### large - 10 to 20 Megabyte download - 100k+ entries - intended for firewalls protecting internet servers
#### megium - 2 to 5 Megabyte download - 40k+ entries - intended for corporate networks
#### small - 200 to 700 Kilobyte download - 2k+ entries - intended for networks with no open ports
:local listSize "small"
Small mistake.. it's normal.

Small typo, "megium"...
I cannot change the format, as there are still several hundred units that have never updated the script (and likely never will). The first version of the script removed the entries based on the comment (RouterOS was unable to remove by list name at the time), so removing the comments would stop them from working. Versions over the last year remove based on the list name. Again, many have never and will never update.

I went through different options for how to reduce traffic, and the quick and easy one is removing the comment in the medium and large files. That gives a reduction in traffic of over 20%, assuming that the users of the medium and large files know what the address list named dynamicBlacklist stands for... You can also shorten that name, "dynamicBlacklist", and save another 5 to 10 percent.
With more than 80% of the routers pulling the list having only a MIPS CPU, passing only the IPs in CIDR format would cause 100% CPU for more than 10 minutes (up to 30 minutes in some of my testing). During this time, the router would experience dramatic packet loss. It also complicates the script. Same reason I won't do BGP - it's just far too complicated for most to set up.

Next thought is to only supply the addresses themselves. That would shrink the size of the medium file from 4.1MB to 729KB, but then we have to split it up into more than 177 files due to the 4096-byte string limit present in RouterOS.
It's not a problem. The only issue is with the CHR. The CHR license often has a "/" in it, which needs to be replaced or encoded.

I had a quick peek at 2017.7.3f and I have to admit that I am a bit lost on it.
Update: Before, the v [ScriptVer] would undergo a cleaning of spaces, which were replaced by %20 for use in the URL; this is no longer done. I still have the word (testing) in my version string with a space in front.
@IntrusDave, your primary post still says your list is updated only once a day, and I was still under the impression that pulling it more than 4 times a day will result in being banned. Please update your recommendation and limit if needed.

Please keep in mind that, with all the chaos in the world now, the list is regenerated every 4 hours. I don't recommend holding on to an older list for more than 8 hours. Also, I have no bandwidth caps, so I have no issue with people downloading several times a day - but I don't want it abused and pulled every 5 minutes. My router does limit the connection speed to 100mbps, so no one can saturate the full gigabit WAN.
I corrected my typo. Also changed the one global to local. (It was global on my dev unit because another script was using it too)
Fair enough. So I can do my own investigation, would you please post (and keep updated) the block lists you are including? Of course, you do not need to disclose anything proprietary, but where you are using public lists, it would help to know.

Unfortunately it's not possible to tell the source of the block. The lists are generated from 12 different high-profile blocklists, as well as a network of over 200 routers.
That is completely fair and understandable, and I thank you again for providing this free service. I have tried to contribute to your effort with more efficient code and better error handling in the same spirit.

I've stated here many times before - this list and the script are built for my own routers that I manage.... If a recommendation helps my clients or myself, I will likely implement it. If I see no benefit, it will not likely be added.
# enable logging:
#/system logging enable [find topics="info"];
# and disable logging:
#/system logging disable [find topics="info"];
I'll include that in the next update.

I have a request. I was testing with a more informative disabling and enabling from the log entries, and when I did not disable and enable again, as is normally done on an import, I got only the normal logging and not the huge number of removals and adds to the list in the log. It was very nice to see that other services were still logging during the import.
I had defined !firewall on info, removed that again and applied, but still no removal or add logging by the script.
I still see the blocking by the dynamicBlacklist, so the firewall is making log entries.
I'm not sure if that was directed at me, but in case it was, I want to say I was never asking you to include a change log. What I wanted was for you to keep up to date whatever is true about the current system, things like when it is generated and how often people can and cannot download it, etc.

New script updated. I'm not including a change log in the first post.
Thanks for the changelog; that saves a lot of scrolling through the code in posting one to see what has changed.
Glad we are all laughing.

ROFL oops. I fixed it. Should have been NOW not NOT.
# instead of: /system logging set numbers=0 topics=info;
:local logTopics [/system logging get number=0 value-name=topics]
/system logging set number=0 topics=info,!firewall,!system
# ...
/system logging set number=0 topics=$logTopics
:execute "sub-script-remove"; :delay 10; :execute "sub-script-import"
/ip firewall address-list remove [find list="dynamicBlacklist"];
/import file-name="disk1/dynamic.rsc";
I am really puzzled why I don't get any logging of the adding of the addresses in my MikroTik while I don't disable/enable logging in any way.
Here is a "best practices" tweak: save and restore log state rather than reset it
For my setup, I had to include "!system" to the first setting because sometimes the adds and removes show up there instead of under firewall.
/system logging> print
Flags: X - disabled, I - invalid, * - default
# TOPICS ACTION
0 * info memory
1 * error memory
2 * warning memory
3 * critical echo
# capture the .id once so the restore does not depend on matching the topics value again
:local logId [/system logging find where topics="info"]
:local logTopics [/system logging get $logId topics]
/system logging set $logId topics=info,!firewall,!system
.
.
/system logging set $logId topics=$logTopics;
###### DO NOT EDIT BELOW THIS POINT ######
##### Delay for 5 seconds to allow the WAN to come online after a reboot
##### You can change this if you need more or less time. Loading the list
##### on reboot will not work without this delay.
:local d 0;
:put "Delaying $d seconds to allow WAN to stabilize.";
:log warning "Blacklist update in $d seconds";
:delay $d;
Thank you. Corrected.

In your posted code, you have the delay set to 0. It's fine in the hosted code at https://mikrotikfilters.com/updateBlacklist.rsc
I'm going to test with the various devices I have. I may just include code to make a choice between one-at-a-time and both-at-once.

Great news that you are going to take the next step, to have better control of and a more flexible way of initiating updates by means of DNS.
This morning I managed to no longer have any need for smaller files, now that I can remove and import the dynamicBlacklist at the same moment. This reduces the exposure while renewing the Blacklist. This may work for me and similar devices, but older equipment can have problems with doing two things at the same time.
I want to share what I noticed today. After erasing the Blacklist the memory is still reserved in RouterOS and not given back to the pool. Importing the Blacklist will reuse that reserved memory, so no loss of space there. After the next start the pool will be back to its original size.
# first version: the on-error branch matches on address only, so it would also
# refresh the same address in any other list
/ip firewall address-list
:do { add address=X.X.X.X list=blackmail timeout=25h } on-error={set [find where address=X.X.X.X] timeout=25h}
:do { add address=Y.Y.Y.Y list=blackmail timeout=25h } on-error={set [find where address=Y.Y.Y.Y] timeout=25h}

# corrected: restrict the find to the list
/ip firewall address-list
:do { add address=X.X.X.X list=blackmail timeout=25h } on-error={set [find where address=X.X.X.X list=blackmail ] timeout=25h}
:do { add address=Y.Y.Y.Y list=blackmail timeout=25h } on-error={set [find where address=Y.Y.Y.Y list=blackmail ] timeout=25h}
/ip firewall address-list
# Update the timeouts of addresses from the old list that are also on the current one, so they stay and just need a new timeout
set [find where address=X.X.X.X list=blackmail ] timeout=25h
set [find where address=Y.Y.Y.Y list=blackmail ] timeout=25h
....
# add new address
add address=Z.Z.Z.Z list=blackmail timeout=25h
...
:do {/ip fi ad add address=101.231.46.34 list=blackmail ti=25h} on-error={set [fi wh address=101.231.46.34 list=blackmail] ti=25h}
You can slim it even more and be backwards compatible with this. Change from:
add li=dynamicBlacklist ad=1.0.128.0/17 ti="1d"
to (IDDBL = IntrusDaveDynamicBlackList):
add l=IDDBL a=1.0.128.0/17 t=25h
That saves statistically 27% of size but breaks current filters as the list name changes.

a l=dynamicBlacklist a=xxx.xxx.xxx.xxx/xx t=1d
a l=IDDBL a=1.0.128.0/17 t=25h
I have an idea for you:
:local l "dynamicBlacklist"
/ip f a
a l=$l a=127.0.0.1

I like this. Going to see how much it slows things down.
..[CUT]..
# Turn the logging back on
:if (\$blDebug = 1) do={ \$log t=\"Enabling firewall info logging...\"; }
/system logging set numbers=0 topics=\$cl;
..[CUT]..
Okay, I give. Can you point me to a basic setup for BGP? I don't even know where to start.

Were there thoughts about a BGP feed?..
I will say that the BGP method would be simpler to manage over a large distribution, and the implementation on the client side is brain-dead simple:
enable BGP (if not already using BGP) with any private ASN other than 64567. (or just use their real ASN if they're already running BGP).
in-filter=accept all -> action=set route type=blackhole
out-filter=discard all
enable strict RPF in IP options.
# Medium Blacklist Generated on Sat Jul 8 02:00:16 PDT 2017 by Intrus Technologies
:global blSerial 60
:global blDate 1499504416
:local i do={/ip f a a l=dynamicBlacklist t=25h a=$a }
$i a=1.0.128.0/17
$i a=1.1.128.0/17
$i a=1.2.128.0/17
$i a=1.4.128.0/17
$i a=1.9.69.35/32
.
.
.
# remove entries removed by diff
/ip firewall address-list
:do { remove [find where address=192.168.1.0/24 list=dynamicBlacklist]}
:do { remove [find where address=192.168.2.0/24 list=dynamicBlacklist]}
.....
# add the new entries
/ip firewall address-list
add address=192.168.3.1 list=dynamicBlacklist ti=25h
add address=192.168.3.2 list=dynamicBlacklist ti=25h
.....
# refresh the timeout of every entry that is still on the list
:foreach i in=[ find where list=dynamicBlacklist ] do={set $i ti=25h }
# record which full table (no timeout) and which daily diff this router has loaded
add address=20170709 list=dynamicBlacklistTimeStampFullTable
add address=20170709 list=dynamicBlacklistTimeStampDaily ti=25h
# read the full-table stamp back and import the matching file
:local ts [/ip firewall address-list get [find where list=dynamicBlacklistTimeStampFullTable] address]
:do { /import file-name=($ts . ".rsc") }
/ip firewall filter set src-address-list=intrusBL [find where src-address-list="dynamicBlacklist"]
/ip firewall raw set src-address-list=intrusBL [find where src-address-list="dynamicBlacklist"]
/ip firewall filter set dst-address-list=intrusBL [find where dst-address-list="dynamicBlacklist"]
/ip firewall raw set dst-address-list=intrusBL [find where dst-address-list="dynamicBlacklist"]
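The diff-based update proposed above (remove the entries that dropped out, add the new ones, refresh the timeout of everything that stays, and keep each file under the 4096-byte string limit mentioned earlier in the thread) can be generated server-side. The following Python script is an added example written for this page; it is not code from IntrusDave's server or from any poster. The two list snapshots are constructed sample data, the list name dynamicBlacklist, the 25h timeout and the 4096-byte limit come from the thread, and the file splitting and the add/on-error fallback combination are my own choices.

```python
"""Generate incremental RouterOS .rsc files from two list snapshots (added example)."""
import ipaddress

# Constructed sample snapshots, not real blacklist data: yesterday's and today's lists.
OLD_LIST = """\
# yesterday
1.0.128.0/17
1.1.128.0/17
192.168.1.0/24
192.168.2.0/24
"""
NEW_LIST = """\
# today
1.0.128.0/17
1.1.128.0/17
1.2.128.0/17
192.168.3.1
"""

HEADER = "/ip firewall address-list"   # sets the path once per file, as the post does


def parse_list(text):
    """One entry per line, '#' comments allowed. Entries are canonicalised and anything
    that is not a valid IPv4 network is dropped here, so garbage never reaches a router."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version != 4:
            continue
        # RouterOS shows hosts without /32; keep that form so 'find address=...' matches
        entries.add(str(net.network_address) if net.prefixlen == 32 else str(net))
    return entries


def _key(entry):
    return ipaddress.ip_network(entry)


def make_diff_commands(old, new, list_name="dynamicBlacklist", timeout="25h"):
    """Commands that turn `old` into `new` on the router.
    Removals come first; adds fall back to refreshing the timeout if the entry is already
    present (the add/on-error idiom from the thread); finally every surviving entry gets a
    new timeout so the list self-cleans if updates stop arriving."""
    cmds = []
    for net in sorted(old - new, key=_key):
        cmds.append(f":do {{ remove [find where address={net} list={list_name}] }} on-error={{}}")
    for net in sorted(new - old, key=_key):
        cmds.append(
            f":do {{ add address={net} list={list_name} timeout={timeout} }} "
            f"on-error={{ set [find where address={net} list={list_name}] timeout={timeout} }}"
        )
    cmds.append(f":foreach i in=[find where list={list_name}] do={{ set $i timeout={timeout} }}")
    return cmds


def chunk_files(cmds, max_bytes=4096):
    """Split commands into file bodies of at most max_bytes (the RouterOS string limit the
    thread keeps running into), never cutting a command, each file starting with HEADER."""
    files, current, size = [], [HEADER], len(HEADER) + 1
    for cmd in cmds:
        n = len(cmd.encode()) + 1
        if len(HEADER) + 1 + n > max_bytes:
            raise ValueError(f"command longer than {max_bytes} bytes: {cmd[:40]}...")
        if size + n > max_bytes:
            files.append("\n".join(current) + "\n")
            current, size = [HEADER], len(HEADER) + 1
        current.append(cmd)
        size += n
    files.append("\n".join(current) + "\n")
    return files


if __name__ == "__main__":
    old, new = parse_list(OLD_LIST), parse_list(NEW_LIST)
    for i, body in enumerate(chunk_files(make_diff_commands(old, new)), 1):
        print(f"### dynamic-{i}.rsc ###\n{body}")
```

Run it as-is to print the generated files. Removals are emitted before adds so that a prefix dropped and re-added in the same diff survives; the add/on-error form tolerates a router that missed an earlier file; and the final :foreach keeps the 25h self-expiry, so a router whose updates stop for more than a day empties its list instead of blocking stale addresses forever. parse_list() refuses anything that is not an IPv4 network before it gets anywhere near a router, which matters once list content is assembled from third-party feeds.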
A few things to note - the implementation is different depending on whether the client and server peer using eBGP or iBGP.

Can you post an export rsc to give me a basic BGP setup to drop incoming packets from 10.252.0.7/32?
I'm hoping you can give me a starting point so I can understand how this works.
# client side
/ip settings
set rp-filter=strict
/routing bgp instance
set default as=65530 router-id=10.10.10.10
/routing bgp peer
add in-filter=BlackholeDestination multihop=yes name=BlacklistServer1 out-filter=NoRoutes \
remote-address=192.0.2.100 remote-as=65000 ttl=default
/routing filter
add action=accept chain=BlackholeDestination set-type=blackhole
add action=discard chain=NoRoutes

# server side
/routing bgp instance
set default as=65000 router-id=192.0.2.100 redistribute-static=yes
/routing bgp peer
add in-filter=NoRoutes multihop=yes name=Client1 out-filter=OnlyBlackholes \
remote-address=10.10.10.10 remote-as=65530 ttl=default
/routing filter
add action=discard chain=NoRoutes
add action=accept bgp-communities=65000:666 chain=OnlyBlackholes
add action=discard chain=OnlyBlackholes
chain=prerouting action=drop in-interface=pppoe-out1 dst-port=!25,80,443,554 log=yes log-prefix="TCP hacker" protocol=tcp tcp-flags=syn,!fin,!rst,!ack,!urg,!ece,!cwr
chain=prerouting action=drop in-interface=pppoe-out1 src-port="" dst-port=!53,546,547,5060-5070,7078-7098 port="" log=yes log-prefix="hacker drop" protocol=udp
chain=prerouting action=drop log=no log-prefix="" src-address-list=intrusBL
Hi Amt, have a look at a posting by Dave and put the whitelist above the blacklist lines.

Hi all,
I'm using this list and sometimes my IP addresses come with the list. What should I do? Furthermore, some customers can't see their cameras; when their IP comes in the blacklist they can't connect to their system.
I'm using only this rule in the raw table to drop:
chain=prerouting action=drop log=no log-prefix="" src-address-list=intrusBL
One of my customers has internet in another country and his IP is also in the blacklist, and he cannot access his system. I would like to learn: with this rule in the raw table, I'm thinking I only block incoming traffic from this src address list, but I can't ping any of them either. Should I select an in-interface here?
Thanks
Use a filter drop instead of a raw drop.

Hi msatter,
thank you very much for your quick answer.
I solved the problem as described here, but I wonder, when I add my IP block here like 123.123.32.0/22, does this not make a problem for me? Because when I add a rule to accept my IP blocks, blacklisted IPs can attack my IP range, if I am right.
Furthermore, I also wonder why I can't ping any of these blacklisted IPs. If I disable that rule there is no problem; when I enable the rule, ping stops. I'm trying to drop the blacklisted IPs' access to me, but I want to access them. I need it because some of my customers have VPNs and DVRs and they can't access them.
Thanks.
chain=Filter action=drop in-interface=wan0 connection-state=new src-address-list=intrusBL log=no log-prefix=""
You should be very, very careful in allowing clients to inject blackhole information into a publicly distributed list. One malicious actor could very easily blacklist tons of legitimate addresses, either by directly advertising addresses into the master list (if he controls a subscribed client), or by sending spoofed packets to a client that will trigger the spoofed source's IP into an automatic blacklist.

I have a question on BGP. Is it possible to have clients send back the IP addresses of attacking addresses up to the main BGP, and that after a certain threshold the address will be merged into that BGP? A client is only allowed to send the same address once in 24h, so that you get a balanced threshold for an address to be blacklisted.
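A threshold design along the lines asked about above, with the checks the reply calls for, as an added Python example written for this page (not code from the thread or from the blacklist service). The thresholds, the 24h window, the per-client cap, the never-list and the sample client names and addresses are assumptions chosen for the example.

```python
"""Threshold-based merge of client attack reports into a shared blacklist (added example)."""
import ipaddress
from collections import defaultdict

# Policy knobs; the values are assumptions for the example, not from the thread.
WINDOW_SECONDS = 24 * 3600          # a client's report of an address counts once per window
MIN_DISTINCT_CLIENTS = 3            # independent reporters required before listing
MAX_REPORTS_PER_CLIENT = 50         # cap per client per window: one rogue client cannot flood

# Sources that must never be listed: spoofed packets from these ranges are trivial to send,
# and listing them would break the reporting routers' own networks.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class ReportAggregator:
    def __init__(self, whitelist=()):
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.reports = defaultdict(dict)        # ip -> {client_id: time of its last report}
        self.client_times = defaultdict(list)   # client_id -> times of accepted reports

    def report(self, client_id, address, now):
        """Record one report. Returns 'rejected', 'duplicate', 'accepted' or 'listed'."""
        try:
            ip = ipaddress.ip_address(address)   # single host only: clients cannot submit prefixes
        except ValueError:
            return "rejected"
        if ip.version != 4 or any(ip in net for net in NEVER_LIST + self.whitelist):
            return "rejected"
        # per-client budget for the current window
        recent = [t for t in self.client_times[client_id] if now - t < WINDOW_SECONDS]
        self.client_times[client_id] = recent
        if len(recent) >= MAX_REPORTS_PER_CLIENT:
            return "rejected"
        last = self.reports[ip].get(client_id)
        if last is not None and now - last < WINDOW_SECONDS:
            return "duplicate"                   # same client, same address, same window
        self.reports[ip][client_id] = now
        recent.append(now)
        if self.distinct_reporters(ip, now) >= MIN_DISTINCT_CLIENTS:
            return "listed"
        return "accepted"

    def distinct_reporters(self, ip, now):
        """Number of different clients that reported `ip` inside the window."""
        return sum(1 for t in self.reports[ip].values() if now - t < WINDOW_SECONDS)

    def listed(self, now):
        """Addresses currently meeting the threshold; entries age out with their reports."""
        return {str(ip) for ip in list(self.reports)
                if self.distinct_reporters(ip, now) >= MIN_DISTINCT_CLIENTS}


if __name__ == "__main__":
    agg = ReportAggregator(whitelist=["203.0.113.0/24"])
    t0 = 1_500_000_000
    for client, addr, t in (("c1", "198.51.100.7", t0), ("c1", "198.51.100.7", t0 + 60),
                            ("c2", "198.51.100.7", t0 + 120), ("c3", "198.51.100.7", t0 + 180),
                            ("c1", "10.0.0.5", t0), ("c1", "198.51.100.0/24", t0)):
        print(client, addr, "->", agg.report(client, addr, t))
    print("listed now:", agg.listed(t0 + 200))
```

What this buys you: a client can only submit single hosts (never a prefix), its repeat reports of the same host within 24h count once, it is capped per window, and private, loopback, link-local, multicast and whitelisted sources are refused outright, so spoofed RFC 1918 packets cannot knock out a reporter's own LAN. The distinct-reporter threshold raises the cost of the spoofing attack the reply describes but does not remove it: an attacker who can make three of your clients see spoofed SYNs from a victim still gets the victim listed, so reports should only be generated from events that required a completed handshake.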
:put [find address=x.xx.172.2];
*154c53

:do { /ip firewall address-list add timeout="25h" list=intrusBL address=x.x.172.2} on-error={set *154c53 timeout=25h};

How do I call the .id directly? I think that at the moment of the error the .id is filled, so the set can use the .id (index) directly to change the timeout.

151 D intrusBL x.xx.172.2 jul/13/2017 11:52:58 1d59m50s
:local blListName "intrusBL";
:global blScriptVersion "2.0.1";
:local cc $blCount;
:local bn [ $urlEncode t=[/system resource get board-name ]];
:local rv [ $urlEncode t=[/system resource get version ]];
:local tm [ /system resource get total-memory ];
:local cl [ /system logging get number=0 value-name=topics ]
:local bs [ :resolve server=$blDnsHost server-port=$blDnsPort domain-name=127.0.0.3 ]
:local sv $blScriptVersion
:if ($blDebug = 1) do={
:put "System ID: $si";
:put "Board Name: $bn";
:put "RouterOS Version: $rv";
:put "Total Memory: $tm";
:put "Script Version: $sv";
:log info "System ID: $si";
:log info "Board Name: $bn";
:log info "RouterOS Version: $rv";
:log info "Total Memory: $tm";
:log info "Script Version: $blScriptVersion";
}

:global blScriptVersion;
:if ($blScriptVersion != "2.0.1") do={
:local sourceServer "https://mikrotikfilters.com/";
:local scriptName "blInstaller.rsc";
.
.
:do { /ip firewall address-list remove [find where list=dynamicBlacklist] } on-error={}
/system script run blacklistUpdate
} else={ :put "script is current" }
So I can't even test with the huge... really huge file, how the filter scoring is? ......it is really huge! With the medium list in.... not that huge... I have 187MB free RAM.

In my testing, the 64M units are struggling with anything other than the small list. I'm seeing about 60% of the 64M units pull the medium list 10+ times in a row. That is telling me that the 64M units are having kernel panics and rebooting.
At this time, the server is now forcing the small list on 32M and 64M, medium for 128M and 256M, and large for 512M and up.
Hi Dave, I support you blocking anyone that tries to collect your list and misuse it; however, 'poisoning' your list in a way is not good practice.

I've shut down the old service (pre 2.0 script).
I found that several users were leaching the large list and rebranding it as their own. They were also trying to probe the server side for exploits.
Again, I offer my list as a free service to the MikroTik community. If people continue to abuse it, I will shut it down completely.
(I've also added one of the offending IP's to the blacklist... I'm sure that will get some attention)
I'm first on 2.0.2.1. Dave, if you don't mind, please reach out to me: ------@planetcoop.com. I am in the general forum running a btest server with Tom and I am seeing real benefits from this list on spam and attackers of the btest.

Just released 2.0.2 with minor bug fixes. Run the auto-update/install script to update.
Hi Dave,
tnx for the updates, it seems to work fine on my RB2011 and my RB1100.
But, I have a very strange problem on my test VM CHR ...
Until 2.0.1 it worked fine, with the latest it wipes my blacklistUpdate and blacklistScriptUpdater ... they are EMPTY ...
Screen Shot 2017-07-19 at 07.29.28.png
in winbox they show up red because they are empty ...
nothing in the logs
even when I copy the content back into the scripts from my RB1100 and run again, the scripts are empty after the run
Eddie
It's a bit beyond the scope of the blacklist. But I do agree.

Hi Dave,
First of all thanks for an amazing job and all effort you're putting into this. It's working just fantastic on my hAP-ac router.
A small idea to consider: how about extending firewall filter rules with autoblock functionality for intruders trying to get to a router or network? A dynamic list with banned IP's trying to do excessive pings, scanning ports, attempting DoS attacks, etc?
I'm using your rules from post #2 and having this autoban functionality will just make them more complete and make the network more secure, I think.
I have an ethical standpoint on this, and what laws enable is not always sane. If you attack the attacker then you both find yourselves back on the same level.

So two things... Some users are simply blocked at my firewall, and now two users have been added to the list itself. I don't see this as "poisoning" as they are the ones that were actively trying to find security holes. (They have been trying SQL injections.) Given that they are active attacks, I see them as no different than the botnets and spammers that the list is intended to block.
I find it VERY sad that MikroTik users on this forum would stoop to this level. And frankly, if the USA passes this current bill that will allow sys-admins to "hack back", then the next time they pull my list, it will include a command to clear their config. Until that time - they will remain blacklisted.
I have been there, and you are building a list of your own; however the chance of a secondary hit on that address is small. There are many devices in the net that are trying to get a response.
Only use the first one (TCP), and that has mail and website as the available services.

"I have the blacklist running which filters 2048 tries, and after that I have a filter on ports 22 and 23 which results in another 2163 hits, and then I have the service filter that filters another 1280 tries, which makes over 5000 tries in a little more than four days."
Greetings msatter, can you share those filter rules for a beginner? Thank you !
Set the blDebug in the config to 1.

Hi all
I'm running it on my CCR1009-8G-1S-1S+.
The log shows nothing,
but
the Script List shows this message: https://goo.gl/yYE2do
The message is "
LOG 【;(eval (eval /putmessage=$t) (eval /log warningmessage=$t))】
urlEncode【;(eval (eval /localname=$temp) (eval /forcounter=$i;do=;(eval (eval /localname=$char;value=(eval (eval /pickbegin=$i;counter=$t))) (eval /ifcondition=(= $char );do=;(eval (eval /setname=$char;value=%20) /)) (eval /ifcondition=(= $char -);do=;(eval (eval /setname=$char;value=%2D) /)) (eval /ifcondition=(= $char /);do=;(eval (eval /setname=$char;value=%2D) /)) (eval /ifcondition=(= $char &);do=;(eval (eval /setname=$char;value=%26) /)) (eval /ifcondition=(= $char =);do=;(eval (eval /setname=$char;value=%3D) /)) (eval /setname=$temp;value=( . $temp $char)) /);from=0;to=(- (eval (eval /lenvalue=$t)) 1)) (eval /returnvalue=$temp) /)】
how can i do?
Release notes are in the first post. 2.0.3 is included there.

Morning,
Thanks for explaining the script rights issue; too bad we are struggling with that, but for now it works here.
@Dave
I noticed the script got updated to 2.0.3 in the past 12 hours, it would be nice to see some kind of changelog if possible ?
Keep up the good work !
Eddie
Yes, unfortunately, Google is now allowing spammers to use their servers for a price. You are welcome to create a whitelist of servers that you do not want blocked. Unfortunately Google is using their size to try and force admins to stop using block lists. They make money on spam. For this reason, I do not use or support Google.

Thank you for the script, but I have to say that, at least in my limited testing, I stumbled upon too many blocked gmail servers.
I couldn't even send an email from my gmail account to my corporate address.
The worst part is that gmail somehow didn't even alert me that the message did not go through. Even after one day.
So I have to pass on this one.
Add this to the config file. Auto-update is now disabled by default, and can be enabled by setting this to "yes".

I go away for a week and everything has changed.
@IntrusDave, thank you again for all your work on this blacklist.
Unfortunately for me, the automated scripting is now too intrusive and is itself a serious security risk, so I'm out. If in the future you resume publishing a blacklist of addresses/networks that I can import using my own scripting I will probably use that. Meanwhile, I will just use the service from squidblacklist.org that repackages a few public lists and has not caused me any false positive problems.
:global blScriptUpdate "no";
:do { /ip firewall address-list remove [find where dynamic && list=intrusBL] } on-error={}
That would be a pity but understandable.

+1
The huge list is taking a lot of memory and 64 is not enough, certainly if you do a remove and read in. I am now trying the huge list for the first time, and it took 7 minutes to push it into the address list.

I've updated the server side to prevent units with 64M or less from pulling list 3. It's simply too big and causes the units to panic with an out of memory error. I watched one unit download the list and reboot more than 30 times last night, until I forced it to grab list two on the server side.
{
:local list1 [ :resolve server=mikrotikfilters.com server-port=6502 domain-name=127.0.0.4 ];
:local list2 [ :resolve server=mikrotikfilters.com server-port=6502 domain-name=127.0.0.5 ];
:local list3 [ :resolve server=mikrotikfilters.com server-port=6502 domain-name=127.0.0.6 ];
:put "List 1 Entries: $list1\n\rList 2 Entries: $list2\n\rList 3 Entries: $list3";
:log warning "List 1 Entries: $list1\n\rList 2 Entries: $list2\n\rList 3 Entries: $list3";
}
:do { /ip firewall address-list remove [find where dynamic && list=intrusBL] } on-error={}
:do { /ip firewall address-list remove [find where dynamic && list=intrusWL] } on-error={}
Either your firewall is blocking DNS to my server, or your IP is blocked by the list already.
What is your public IP?

181.225.100.117

190.253.66.37

Unfortunately, both of your IPs fall into ASNs that are blocked.
Your ISP /AS262186 is UCEPROTECT-Level3 listed for hosting a total of 462 abusers.
Your ISP COLOMBIA TELECOMUNICACIONES S.A. ESP/AS3816 is UCEPROTECT-Level3 listed for hosting a total of 5478 abusers.

Thanks. I put on version 2.0.5 and it's OK. Is it possible that you share the IP rules and filters again, or update them?
If you are using script version 2.0.5, then you should be able to pull the current blacklist, as the DNS and HTTPS servers are on unfiltered ports.
Thank you for the insight Dave. I'll keep an eye on that.

Yes. If you notice in your log, it is telling you that the script is out of date. The server inserts an alarm into the script when your local script version is out of sync with the server. You can run the code in the first post to keep your script up to date with the latest bug fixes.
THE solution is to output only a raw list of IP addresses. But this solution collides with the length of variables in RouterOS.

That would truly be bad.
I've been working on other solutions to push out the list, but have yet to find a good process that is simple and available to all users / firewalls.
Unfortunately, it's only a solution if it's possible. The amount of 4kb files needed to be downloaded and processed would cause so much wear on the NAND and take up so many filesystem blocks, it would kill most of the routers pulling the list.
Thanks for your efforts.
Is it an option to change the script to download the file to a USB drive and use an external flash drive instead of the internal NAND?

Yes, the path is set in the config file.

Awesome! Have to check the config file then.
Agree.

Have you tried removing the scripts and schedules and reinstalling?
There is not much I can do to help, as I have no access to your router.
The list comes in three sizes. The smallest is meant for home users. It just filters botnets and such. The medium list adds spam hosts and is intended for small to medium businesses. The large filters everything that we can, over 200,000 entries, and is only intended for the larger CCR routers protecting servers.

Dave, which list do we get?

That's your choice. Select the list that fits your needs, and set it in the config file.

For you and other posters here it's obvious, but not for my mother....

It's not really intended for your mother.
This blacklist is blocking, among other things, Github. It has been for a while.
It's a great idea, but clearly is not curated or monitored. I would recommend not using it.

Welcome to the board. Not sure why your first post would be to trash someone's work instead of asking a question about it, but okay..
Has anyone had difficulty getting a "Blacklist" update today?
Thanks,
-tp

Yup, it shows dns server failure.

Yes, it appears to be failing today.

Yes, today does not work well!
The firewall list intrusBL is empty.
10:46:56 script,warning Checking server for current blacklist serial number.
10:46:56 script,warning Blacklist is already up to date. Nothing to do.
10:46:56 system,info log rule changed by admin
10:46:57 script,error Download failed. Received bytes.

Very sorry about that guys. I had to upgrade some server hardware, so I migrated the VMs to a different server. The new server didn't import the DNS VM. The old server is back online now and the VMs returned to their home. All should be good now.

I had to manually lower the serial number to get the blacklist back; it thought it had the latest blacklist but it was actually empty. (Under Scripts in the Environment tab.)
Then, what am I doing wrong? Can somebody help me out? Thank you.
> The script works very well! Thanks IntrusDave, you are a Wizard Master!
Jacka,
> Then, what am I doing wrong? Can somebody help me out? Thank you.
Any help IntrusDave?
> Script works fine at my end. However, the address list entries (IntrusBL) disappear in a couple of hours. I have been noticing this behavior since I installed this script and have tried upgrading my RouterOS version as well, but to no avail. My current config is RouterOS 6.39.3 on CCR1072-1G-8S+.
I'm using the default; the path is not changed.
> Make sure your blDataPath does not start with a /
> i.e. it should read "disk1/blTemp.rsc" NOT "/disk1/blTemp.rsc"
BW is cheap; I can get a server for 8 bucks a month with 12TB of BW. I feel it's more than cost as to why you're stopping it.
> It's been a nice run. Almost 3 years, and over 2200 active users. But I am shutting down this service. With the new US tax laws and this new US "sex trafficking law" (which isn't really about sex trafficking) I simply can't afford to keep the service running. Bandwidth and rack space is just too expensive now, and I'm making $0.
> Thank you all for the support.
If you think $8/month is the cost of a real server, a real firewall, real rack space, real bandwidth, real maintenance, real electricity... then you are either delusional or have never owned/operated a true network. My servers are not shared VPS servers at some bulk hosting company. My firewalls are not software firewalls. For the last 17 years I have maintained a 48U rack, with 10gbps redundant fiber, a diesel generator with enough fuel for 7 days, and a double-conversion UPS with 8 hours of backup time. The rack holds 13 servers; the smallest is an 8 core Xeon with 8TB storage and 64GB RAM, the largest being dual 12 core Xeon, 384GB RAM and 64TB. I have 3 CCR1016's and 2 CCR1072's.
> BW is cheap; I can get a server for 8 bucks a month with 12TB of BW. I feel it's more than cost as to why you're stopping it.
Need any help?
Never said my company was dedicated to the blacklist. It's BS like this that helped me decide to shut it down.
> I would be fine with keeping the service alive. Having a 48U rack for such a piss easy and small script is a bit outrageous. I think you're the delusional one. I'm sure you used that rack for way more than this script.
> I'm simply saying you can keep the script stuff online for way cheaper if you wanna still help the community.
You did, otherwise why would we care if you had to pay for a 48U rack? Why even mention that? That has nothing to do with this script.
> Never said my company was dedicated to the blacklist. It's BS like this that helped me decide to shut it down.
> > I would be fine with keeping the service alive. Having a 48U rack for such a piss easy and small script is a bit outrageous. I think you're the delusional one. I'm sure you used that rack for way more than this script.
> > I'm simply saying you can keep the script stuff online for way cheaper if you wanna still help the community.
Thank you, Dave, for a valiant effort.
> It's been a nice run. Almost 3 years, and over 2200 active users. But I am shutting down this service.
Unfortunately no. The server side (contrary to what a few here think) isn't just a "script"; it's a network of over 300 honeypots and some very advanced AI code to analyze threats. That system is proprietary and is still in use for the paying clients that I have left. Even if it wasn't in use, it's not just a simple script that I can post. Nor do I want to give away thousands of hours of code.
> Thank you Dave.
> Could you be so kind and share your valuable technology? Could you publish all scripts?
What should I use for storage? I have 72 cores and there is no attached storage. Should I add one for this job? Now it's using flash. Does it make any problem to use flash for this job?
> Thank you, Dave, for a valiant effort.
> > It's been a nice run. Almost 3 years, and over 2200 active users. But I am shutting down this service.
For everyone who was using Dave's Blacklist, let me recommend the Malicious IP blacklist from SquidBlackList.org, available for download from https://www.squidblacklist.org/download ... licous.rsc . I've been using it for a while and have not run into any problems because of it.
You can download and import it with a simple script:
# File path for squid blacklist. Change to use attached storage if available (e.g. "disk1/bl/drop.malicious.rsc")
:local sblPath "flash/bl/drop.malicious.rsc"
:log warning "Downloading squidblacklist malicious BL to $sblPath"
/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/drop.malicious.rsc dst-path=$sblPath ;
:log warning "Importing squidblacklist malicious BL from $sblPath"
/import $sblPath ;
The downloaded blacklist does not actually block anything, it just creates 3 address lists you can do what you want with (1 for each of the 3 sources they use to compose the final list). I have:
/ip firewall raw
add action=drop chain=prerouting comment="Attack from sbl dshield" log=yes log-prefix="BL dshield" src-address-list="sbl dshield"
add action=drop chain=prerouting comment="Attack from sbl blocklist.de" log=yes log-prefix="BL blocklist.de" src-address-list="sbl blocklist.de"
add action=drop chain=prerouting comment="Attack from sbl spamhaus" src-address-list="sbl spamhaus"
I highly doubt MikroTik are going to take on a project like this. Maybe it could be something we do as a community?
> How about MikroTik company will pick up this effort, and provide the service to all the MikroTik owners?
> That would be great (and I will be even totally willing to pay extra, like a per-year subscription or such),
> and
> most importantly,
> this will provide a specific chain of trust - on getting the correct IP black-list from the manufacturer, that could be actually trusted.
> The active black-list is a must-have for anyone running any network.
> Also, there are many free, respectable services that do publish blacklists coming from honeypots.
> Example: https://project.turris.cz/en/greylist
> So there should be not so much issue on getting the inputs for the official service.
> I do definitely vote for this. Anyone else?
But it is imported as static entries because of the missing timeout parameter in the script, so they are written to NAND on every change. They should change it in the script.
> It is temporary locations to download ... it does not matter where it is ... after importing lists the script could be removed from flash, disk etc.
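The squidblacklist post above imports the downloaded .rsc into the router as-is, and the post just above notes that the entries arrive as static (no timeout) and so are written to NAND on every change. As an added example that is not from the thread or from squidblacklist.org, the Python below pre-filters such a file before import: it keeps only address-list adds for the three expected lists, appends a timeout so the entries become dynamic, and sets everything else aside for review. The .rsc line layout, the sample lines and the never-block ranges are assumed or constructed here, not taken from the real download.

```python
import ipaddress
import re

# Constructed sample in the shape of an address-list .rsc export (assumed layout, not the
# real squidblacklist.org file): a path line, then one "add" per entry.
SAMPLE_RSC = """\
/ip firewall address-list
add address=192.0.2.10 list="sbl dshield" comment="constructed sample"
add address=198.51.100.0/24 list="sbl blocklist.de"
add address=203.0.113.7 list="sbl spamhaus"
add address=10.0.0.0/8 list="sbl spamhaus"
add address=not-an-ip list="sbl dshield"
/system script run something-unexpected
"""

EXPECTED_LISTS = {"sbl dshield", "sbl blocklist.de", "sbl spamhaus"}  # lists the thread's rules use
# Accept only "add" lines carrying an address and a list name (optional comment).
ADD_RE = re.compile(r'^add\s+address=(\S+)\s+list="([^"]+)"(?:\s+comment="[^"]*")?$')
# Ranges a public blacklist must never make us drop (hypothetical policy: RFC1918 + loopback).
NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def rewrite_rsc(text, timeout="1d"):
    """Return (safe_lines, rejected_lines): address-list adds for the expected lists with a
    valid IPv4 address get timeout= appended (dynamic entry, kept in RAM instead of NAND);
    any other command, unknown list, or bad/private address is set aside for review."""
    safe, rejected = ["/ip firewall address-list"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "/ip firewall address-list":
            continue
        m = ADD_RE.match(line)
        if not m or m.group(2) not in EXPECTED_LISTS:
            rejected.append(line)
            continue
        try:
            net = ipaddress.IPv4Network(m.group(1), strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if any(net.subnet_of(b) for b in NEVER_BLOCK):
            rejected.append(line)
            continue
        addr = str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen
        safe.append(f'add address={addr} list="{m.group(2)}" timeout={timeout}')
    return safe, rejected

if __name__ == "__main__":
    ok, bad = rewrite_rsc(SAMPLE_RSC)
    print("\n".join(ok))
    print("rejected for review:", bad)
```

Write the `safe` lines back out as the file you `/import`; the `rejected` list is what a human should look at before trusting the next download.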
You cannot, just because everyone is doing it like this? Google Play Music, Battlenet Shop - they all have different prices for Russia, for example.
> You can't ask for a lower price for parts of the world.
You just need to do what makes you happy. It's fine not to know what to do with your life as long as you enjoy not knowing what to do.
> Not really an update, just information.
> I'm still trying to figure out what to do with my life. At 43, I started not liking what I was doing for work. I've tried a few different things, including running a large non-profit for a while. Now I'm closing in on 45 and I still don't know. Fact is, I'm best at tech stuff and car stuff.
> Anyway. I've shut down all of my hardware servers and pulled them from the datacenter. It was just costing too much.
> I'm currently experimenting with Google Cloud Compute platform to see if it will be a viable home for a new blacklist service. I hope to have new servers completed this week, and hope to start building a new Blacklist from scratch maybe next week. I still haven't found any decent subscription management systems. Anyone have suggestions on something Open Source?
You need a "grown-up gap year"...
> I'm still trying to figure out what to do with my life. At 43, I started not liking what I was doing for work. I've tried a few different things, including running a large non-profit for a while. Now I'm closing in on 45 and I still don't know.
To the first point, you gotta do what you love. Often the things we're good at aren't what we love though... so that's a tricky one.
> [...]
> I'm still trying to figure out what to do with my life. At 43, I started not liking what I was doing for work. I've tried a few different things, including running a large non-profit for a while. Now I'm closing in on 45 and I still don't know. Fact is, I'm best at tech stuff and car stuff.
> [...]
> I'm currently experimenting with Google Cloud Compute platform to see if it will be a viable home for a new blacklist service. I hope to have new servers completed this week, and hope to start building a new Blacklist from scratch maybe next week. I still haven't found any decent subscription management systems. Anyone have suggestions on something Open Source?