Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Spamhaus + Dshield + Malc0de + OpenBL Malicious Ip Blacklists!

Wed Jan 20, 2016 4:21 am

For some this is nothing new, but for others it might prove to be quite a valued resource, so we decided to make it available gratis for the public as a way of giving back and saying thank you to all those who have supported us. Besides, we can't really charge for it; it isn't our work!

Spamhaus and DShield malicious IPs combined into a single import script.

Blog post about it http://blog.squidblacklist.org/?p=297

Can be downloaded at the following URL.
http://www.squidblacklist.org/downloads ... icious.rsc

And here's a couple of bonus free blacklists.

Tor Nodes IP Firewall Blacklist
http://www.squidblacklist.org/downloads ... rnodes.rsc
An ads blacklist for RouterOS DNS:
http://www.squidblacklist.org/downloads/tik-dns-ads.rsc

Firewall Rules Here:
ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=drop.dshield
ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=drop.spamhaus1
ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=drop.spamhaus2
And a couple more to help secure your networks!
http://joshaven.com/malc0de.rsc
http://joshaven.com/openbl.rsc

Credit to the Author for making these resources available.
Read more from the publisher http://joshaven.com/resources/tricks/mi ... ress-list/

The following single firewall rule will set up BOTH of the Josh Aven blacklists.
ip firewall filter add chain=input src-address-list=drop.blacklist action=drop log=drop.blacklist
Log in to Winbox - Scheduling update tasks for your blacklists.
Go to System - Scheduler and create a new task by clicking the blue plus button.

First schedule a download task:
/ip firewall address-list remove [find where comment="OpenBL"] 
/tool fetch address=joshaven.com host=joshaven.com mode=http src-path=/openbl.rsc
Next schedule an import task: (We disable logging temporarily to alleviate excessive disk writes that could result in early NAND memory failures.)

(paste this into the scheduler box)
:log warning "Disabling system Logging";
/system logging disable 0
import openbl.rsc
/system logging enable 0
Now do the same for the rest of your blacklists.
/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/drop.malicious.rsc
:log warning "Disabling system Logging";
/system logging disable 0
import drop.malicious.rsc
/system logging enable 0
/ip firewall address-list remove [find where comment="malc0de"]
/tool fetch address=joshaven.com host=joshaven.com mode=http src-path=/malc0de.rsc
:log warning "Disabling system Logging";
/system logging disable 0
import malc0de.rsc
/system logging enable 0
( Heads up: Issue with Spamhaus2 missing text: Fixed )
Last edited by Squidblacklist on Mon May 15, 2017 10:59 am, edited 18 times in total.
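
The scheduled tasks above fetch each .rsc file over plain HTTP and hand it to import, which runs every command the file contains. As an added example (not part of the original post, and not squidblacklist.org or joshaven.com code), this Python check can be run on a staging host to confirm a downloaded file holds only address-list updates before it reaches a router; the add line shape, the protected ranges and the function names are assumptions.

```python
import ipaddress
import re

# List names used by the firewall rules in the thread; any other list is rejected.
ALLOWED_LISTS = {"drop.dshield", "drop.spamhaus1", "drop.spamhaus2", "drop.blacklist"}
# Assumption: ranges a feed must never block (replace with your management networks).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONTEXT = "/ip firewall address-list"
LOG_RE = re.compile(r'^:log (info|warning) "[^"$\[\]]*";?$')
PURGE_RE = re.compile(r'^:foreach (\w+) in \[/ip firewall address-list find list=([\w.]+)\] '
                      r'do=\{ /ip firewall address-list remove \$\1 \}$')
# key=value with a strict value alphabet, so "[", "$", ";" and "{" never pass as arguments.
KV_RE = re.compile(r'([\w-]+)=("[\w .-]*"|[\w./:-]+)')

def check_add(args):
    """Validate the arguments of one 'add' line; return a reason string, or None if clean."""
    fields = dict(KV_RE.findall(args))
    if KV_RE.sub("", args).strip() or not set(fields) <= {"list", "address", "comment"}:
        return "unexpected argument or character"
    if fields.get("list") not in ALLOWED_LISTS:
        return "unknown list name"
    try:
        net = ipaddress.ip_network(fields.get("address", ""), strict=False)
    except ValueError:
        return "address is not an IP or CIDR"
    if net.prefixlen < 8 or any(net.version == p.version and net.overlaps(p) for p in PROTECTED):
        return "address too broad or inside a protected range"

def check_rsc(text):
    """Return [(line_no, reason)] for each line that is not a plain address-list update."""
    problems, in_context = [], False
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        in_context = in_context or line == CONTEXT
        if not line or line == CONTEXT or line.startswith("#") or LOG_RE.match(line):
            continue
        if (purge := PURGE_RE.match(line)):
            reason = None if purge.group(2) in ALLOWED_LISTS else "purge of unknown list"
        elif line.startswith(CONTEXT + " add "):
            reason = check_add(line[len(CONTEXT) + 5:])
        elif in_context and line.startswith("add "):
            reason = check_add(line[4:])
        else:
            reason = "command outside address-list context"
        if reason:
            problems.append((no, reason))
    return problems

# Constructed sample, not a real feed: one acceptable entry and two that must be flagged.
SAMPLE = ("/ip firewall address-list\nadd list=drop.dshield address=198.51.100.0/24\n"
          "add list=drop.dshield address=192.168.88.0/24\n/system identity set name=changed")
```

An empty result from check_rsc means every line matched an expected shape; anything else is a reason to skip that update and keep the previous list.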
 
proximus
Member Candidate
Posts: 107
Joined: Tue Oct 04, 2011 1:46 pm

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Sun Feb 07, 2016 4:40 am

Thank you for providing this. However, the script is currently (as of 2/6/16) exiting to an error after the spamhaus1 import update. It appears to be missing the following:
:log info "drop.spamhaus2 script import started"
:foreach subnet in [/ip firewall address-list find list=drop.spamhaus2] do={ /ip firewall address-list remove $subnet }
 
IntrusDave
Forum Guru
Posts: 1282
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Sun Feb 07, 2016 7:33 am

I've been offering this for a while, with a few advantages.

http://forum.mikrotik.com/viewtopic.php?f=9&t=98804

I use Dynamic address lists. This keeps the IPs in memory and dramatically reduces the number of flash writes. The script tells the server some basics about the router, and the server is able to send more or fewer addresses, based on the CPU and memory. This is helpful because in addition to the DShield and Spamhaus blocklists, my server collects IPs from just over 100 other Mikrotik routers and IDS boxes looking for active attacks. So, there are days that the list can balloon up to over 50k IPs during an active DDoS attack.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
proximus
Member Candidate
Posts: 107
Joined: Tue Oct 04, 2011 1:46 pm

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Sun Feb 07, 2016 3:28 pm

Very nice. Thanks, David!
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Wed May 04, 2016 1:45 am

Thank you for providing this. However, the script is currently (as of 2/6/16) exiting to an error after the spamhaus1 import update. It appears to be missing the following:
:log info "drop.spamhaus2 script import started"
:foreach subnet in [/ip firewall address-list find list=drop.spamhaus2] do={ /ip firewall address-list remove $subnet }


Oh boy, I'll get that fixed right away. (3 months later)
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Wed May 04, 2016 2:01 am

I've been offering this for a while, with a few advantages.

http://forum.mikrotik.com/viewtopic.php?f=9&t=98804

I use Dynamic address lists. This keeps the IPs in memory and dramatically reduces the number of flash writes. The script tells the server some basics about the router, and the server is able to send more or fewer addresses, based on the CPU and memory. This is helpful because in addition to the DShield and Spamhaus blocklists, my server collects IPs from just over 100 other Mikrotik routers and IDS boxes looking for active attacks. So, there are days that the list can balloon up to over 50k IPs during an active DDoS attack.

NICE! I'm eager to check it out!
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Wed May 04, 2016 2:14 am

Thank you for providing this. However, the script is currently (as of 2/6/16) exiting to an error after the spamhaus1 import update. It appears to be missing the following:
:log info "drop.spamhaus2 script import started"
:foreach subnet in [/ip firewall address-list find list=drop.spamhaus2] do={ /ip firewall address-list remove $subnet }

Issue resolved. (Now if you'll excuse me I have to go wipe this egg off my face) :shock: :shock: :lol:
 
Bigfoot
Frequent Visitor
Posts: 76
Joined: Sat Jan 15, 2011 10:41 am
Location: South Africa

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Thu May 05, 2016 10:36 am

Hi Squidblacklist
Can you please add the filter rules that you are using.

Bigfoot
 
amt
Long time Member
Posts: 525
Joined: Fri Jan 16, 2015 2:05 pm

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Fri Jul 01, 2016 11:46 am

Does this work?
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Sat Oct 01, 2016 4:19 am

Does this work?

Sure does, I have been using it for over a year on my units without issue, updating every 3 hours.
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Sat Oct 01, 2016 4:22 am

Hi Squidblacklist
Can you please add the filter rules that you are using.

Bigfoot
Sure. I have updated the original post with more detailed instructions as well as two more free blacklists.
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Available GRATIS!

Sat Oct 01, 2016 4:50 am

I've been offering this for a while, with a few advantages.
.
Hey Dave, I know you are big into this stuff, so I wanted to give you the heads up on these other blacklists now available for RouterOS thanks to Josh Aven.

http://joshaven.com/malc0de.rsc
http://joshaven.com/openbl.rsc

He has taken the time to write up a few comprehensive pages so I thought you might be interested.
 
IntrusDave
Forum Guru
Posts: 1282
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Spamhaus + Dshield + Malc0de + OpenBL Malicious Ip Blacklists!

Mon Oct 03, 2016 7:33 pm

Been using them already for years. My server can take just about any blacklist in any format and puts it into RouterOS format.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Bigfoot
Frequent Visitor
Posts: 76
Joined: Sat Jan 15, 2011 10:41 am
Location: South Africa

Re: Spamhaus + Dshield + Malc0de + OpenBL Malicious Ip Blacklists!

Mon Oct 10, 2016 8:58 am

Hi Squidblacklist
The filter rules are not correct; I believe they must look like this.
/ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=yes comment="drop.dshield"
/ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=yes comment="drop.spamhaus1"
/ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=yes comment="drop.spamhaus2"
Bigfoot 8)
 
Squidblacklist
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Jun 26, 2013 11:06 am

Re: Spamhaus + Dshield + Malc0de + OpenBL Malicious Ip Blacklists!

Fri Nov 18, 2016 12:25 pm

Hi Squidblacklist
The filter rules are not correct; I believe they must look like this.
/ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=yes comment="drop.dshield"
/ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=yes comment="drop.spamhaus1"
/ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=yes comment="drop.spamhaus2"
Bigfoot 8)
Yes and no. Yes, in that you would only require the quotes if you were manually entering it into a terminal or including the commands in a script.

And no, in that when you use commands in the Winbox scheduler, you don't need the quotes.
 
Bigfoot
Frequent Visitor
Posts: 76
Joined: Sat Jan 15, 2011 10:41 am
Location: South Africa

Re: Spamhaus + Dshield + Malc0de + OpenBL Malicious Ip Blacklists!

Fri Nov 18, 2016 1:22 pm

Sharp 8)
