kakaxa
just joined
Posts: 12
Joined: Thu Feb 01, 2018 5:46 am

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:21 pm

Due to people like this guy ^^^ the beta list will be limited to the "free" list of about 1800 IP's.
I do not want my 150,000 IP's collected by my honeypots being used for other people's services.
Dave, please don't do it. I understand very little of all this, but your creation is a masterpiece. It isn't necessary to spoil it all because of one fool. :(
I apologize for the Google Translate :oops:
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:25 pm

Has anyone here worked with tr069 at all? I've never played with it and I'm curious if it offers anything useful to this project.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:42 pm

Oh BTW guys, my Honeypots alone are reporting over 37,000 ACTIVE botnet IP's for the last 12 hours.
Those IP's will NOT be included in the free list.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:59 pm

Oh BTW guys, my Honeypots alone are reporting over 37,000 ACTIVE botnet IP's for the last 12 hours.
Those IP's will NOT be included in the free list.
Dave please don't limit the Beta, don't let this guy be the driver for that. It is not worth it and hurts us that are your loyal followers. I am using your Priority 3 list and will start paying for it whenever you want. It is helping me immensely. Please don't limit the beta list to the small list......
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Wed Aug 08, 2018 1:34 am

It's limited for now, hoping to have a very basic auth system in place by tomorrow morning. My server logs show at least 2 people trying VERY hard to figure out how to trick the server into sending the list to a wget/curl client. Sorry, but the blatant abuse won't be tolerated.
I'll post a simple Google Form for registering ASAP.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Steveocee
Forum Veteran
Posts: 763
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Wed Aug 08, 2018 11:03 am

It's limited for now, hoping to have a very basic auth system in place by tomorrow morning. My server logs show at least 2 people trying VERY hard to figure out how to trick the server into sending the list to a wget/curl client. Sorry, but the blatant abuse won't be tolerated.
I'll post a simple Google Form for registering ASAP.
I was just about to post and say that my blacklist had decreased overnight from 140K+ to 2K!
It's a real shame that people abuse your good nature like this.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Blacklist Filter (Development Topic)

Wed Aug 08, 2018 8:44 pm

on the flip side, if anyone is in Southern California (Rancho Cucamonga / Ontario / Pomona / San Bernardino) you are hit me up and I'd love to grab coffee and chat.
Dave, although I am not in your area, I am next door in Idaho. I am very interested in setting up honeypots where I am at to contribute to the database however you see fit. How can we catch up on the phone etc to discuss more information that I don't want to post on the forum?
 
grusu
Frequent Visitor
Posts: 80
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Blacklist Filter (Development Topic)

Thu Aug 09, 2018 11:02 am

Dave,

Have you considered using external to your network honeypots as source of offending IPs?
I use as the first frontier such RAW drop rules and all the time there are some IPs on the list of attackers.
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=127m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=37m chain=prerouting comment=RAW1ADD dst-port=8291,21,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=37m chain=prerouting comment=RAW1ADD dst-port=8291,21,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp
add action=drop chain=prerouting disable=yes  comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK
Hi BartoszP,

It's a good starting point. I have used your rules but set it so that I do not block the IPs from where I administer the router.
How can I collect offending IPs?

Thanks,
Geo
 
Steveocee
Forum Veteran
Posts: 763
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Sun Aug 12, 2018 7:25 pm

@IntrusDave
Have you changed the beta availability again? I've just checked my list to make sure it's still updating nicely and noticed I've jumped from some 2K to 16K entries!
Thank you 8)
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Sun Aug 12, 2018 9:56 pm

Yes, I've blocked most of the IP's that are trying to leech the lists.
Still working on an auth system that is reliable. I think it's going to have to be based on the Cloud DNS. [/ip cloud set ddns-enabled=yes] is going to be required, unless MikroTik gives me a way to authenticate better than that.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Steveocee
Forum Veteran
Posts: 763
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Mon Aug 13, 2018 9:44 am

Yes, I've blocked most of the IP's that are trying to leech the lists.
Still working on an auth system that is reliable. I think it's going to have to be based on the Cloud DNS. [/ip cloud set ddns-enabled=yes] is going to be required, unless MikroTik gives me a way to authenticate better than that.
Good times, thank you.
“Oh bugger” he says with his CHR! I may end up notifying you of my static IP and hoping you’d do me a solid then?

A question, do I need BOTH a firewall filter rule AND a raw drop rule? I’m currently using just raw drop rules for source and then another for destination of the BL but wondered if there was any gain in running a filter rule of each as well? (Appreciate I could create rules and watch counters but wondering on your recommendation).
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Chupaka
Forum Guru
Posts: 8070
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Blacklist Filter (Development Topic)

Mon Aug 13, 2018 7:03 pm

“Oh bugger” he says with his CHR! I may end up notifying you of my static IP and hoping you’d do me a solid then?
CHR even with trial license has IP Cloud now (starting v6.43) :)
Russian-speaking forum: http://forum.mikrotik.by. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.
 
amity2kare
newbie
Posts: 32
Joined: Tue Feb 13, 2007 4:24 pm
Location: INDIA

Re: Blacklist Filter (Development Topic)

Thu Aug 16, 2018 3:34 pm

Hi Dave,

I agree with everyone when I say the beta should not be restricted just because one guy decided to go another route. We would be most happy to pay and I would happily be a part of your beta program and even get my clients on board just because it saves them money they would instead spend on a firewall or something.

Regards

Amit
 
eddieb
Frequent Visitor
Posts: 87
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Blacklist Filter (Development Topic)

Sat Aug 18, 2018 10:00 am

Dave ?

I noticed a problem in my logging, is downloading the ?priority=1 not working anymore ?

Eddie
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Sat Aug 18, 2018 5:08 pm

Sorry about that, rebooted the server and forgot to start a service.
I don't have anything auto-starting yet.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Sun Aug 19, 2018 8:02 pm

As you can tell, I've slowed down on development.
Out of the 100+ people who filled out the notification form, more than 60% say they will not pay for this type of service.
Only about 15 say they will pay for a commercial product. So, I'm going to take my time with it and try earning some income in other ways.
I'm sure I'll post more updates when I get more time.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Blacklist Filter (Development Topic)

Sun Aug 19, 2018 8:27 pm

As you can tell, I've slowed down on development.
Out of the 100+ people who filled out the notification form, more than 60% say they will not pay for this type of service.
Only about 15 say they will pay for a commercial product. So, I'm going to take my time with it and try earning some income in other ways.
I'm sure I'll post more updates when I get more time.
Ah man that is crazy, especially for the low cost you were looking to charge. Thank you Dave for the work you are putting in to this. It is a great service. Would still love to learn how to setup a honeypot to help contribute.
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Sun Aug 19, 2018 10:32 pm

I've implemented some of the new security functions. You will need to update the download script.

Cloud DDNS is *REQUIRED*. Which means you need the latest CHR with Cloud support.
/ip cloud set ddns-enabled=yes

Here is the new script.
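# Where the downloaded list is stored before import, and which list to request.
:local destPath "disk1/filterImport.rsc";
:local priority "2";

# The serial number is the first label of the IP Cloud DNS name (<serial>.sn.mynetname.net).
:local sn [:pick [/ip cloud get dns-name] 0 [:find [/ip cloud get dns-name] "."]];
# POST the serial over HTTPS, then import the returned file and delete it.
/tool fetch mode=https url="https://bl.mikrotikfilters.com/secureFetch.php?priority=$priority" http-method=post http-data="$sn" dst-path="$destPath" output=file;
/import file-name=$destPath;
/file remove $destPath;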
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
boldsuck
newbie
Posts: 39
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: Blacklist Filter (Development Topic)

Mon Aug 20, 2018 3:22 am

As you can tell, I've slowed down on development.
Out of the 100+ people who filled out the notification form, more than 60% say they will not pay for this type of service.
Only about 15 say they will pay for a commercial product. So, I'm going to take my time with it and try earning some income in other ways.

Too bad that there is so little interest in this service. There were so many users in the old thread who wanted to pay.
I signed up today as willing to pay. Actually, this is exaggerated for my 2 home routers, but I would like to contribute something to this project.

Edit:
I mean the huge IP list for my home router, not the money. :wink:
╰_╯ Ciao Marco!
 
dmercer
just joined
Posts: 3
Joined: Sat Jul 08, 2017 3:53 am

Re: Blacklist Filter (Development Topic)

Tue Aug 21, 2018 5:34 am

My company would like to contribute $1000 to the development of this solution. We are still happy to pay the monthly fee once things are up and running. We have benefited over the years from many volunteer and/or open source projects. We do not have the programming skills to give back but we can offer up some money. I will send you my contact info directly. Please send me an invoice for development work and I will get a cheque sent out in the next week or so.
 
webix
just joined
Posts: 12
Joined: Fri May 04, 2018 3:34 pm

Re: Blacklist Filter (Development Topic)

Tue Aug 21, 2018 10:22 am

ok... when i run the script, i get this:
/system script> /tool fetch mode=https url="https://bl.mikrotikfilters.com/secureFetch.php\?priority=$priority" http-met
hod=post http-data="$sn" dst-path="$destPath" output=file; /import file-name=$destPath;  /file remove $destPath;
      status: finished
  downloaded: 0KiBC-z pause]
    duration: 1s


Script file loaded and executed successfully
invalid value for argument numbers
Any clue on what it can be?
 
hilton
Long time Member
Posts: 631
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Blacklist Filter (Development Topic)

Tue Aug 21, 2018 12:18 pm

I've implemented some of the new security functions. You will need to update the download script.

Cloud DDNS is *REQUIRED*. Which means you need the latest CHR with Cloud support.
/ip cloud set ddns-enabled=yes

Here is the new script.
:local destPath "disk1/filterImport.rsc";
:local priority "2";

:local sn [:pick [/ip cloud get dns-name] 0 [:find [/ip cloud get dns-name] "."]];
/tool fetch mode=https url="https://bl.mikrotikfilters.com/secureFetch.php?priority=$priority" http-method=post http-data="$sn" dst-path="$destPath" output=file; /import file-name=$destPath;  /file remove $destPath;
Dave does this script replace your old 'blacklistUpdate' script that was scheduled? Must I just schedule this new script as per before?
Regards
Hilton
 
dmercer
just joined
Posts: 3
Joined: Sat Jul 08, 2017 3:53 am

Re: Blacklist Filter (Development Topic)

Tue Aug 21, 2018 8:40 pm

for some reason many of my firewalls do not seem to have the version of the code that supports the ddns. So when I go to /ip there is no "cloud". This is true for both x86 versions and CHR running 6.42.7. Has anybody else seen this?
 
Rico40
just joined
Posts: 7
Joined: Sun Aug 19, 2018 8:53 pm
Location: Poland

Re: Blacklist Filter (Development Topic)

Tue Aug 21, 2018 9:20 pm

For me, CHR works with the rc version
 
boldsuck
newbie
Posts: 39
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 12:18 am

Dave does this script replace your old 'blacklistUpdate' script that was scheduled? Must I just schedule this new script as per before?
Hi, I'm not Dave but:
Yes and Yes :)
╰_╯ Ciao Marco!
 
hilton
Long time Member
Posts: 631
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 9:14 am

Dave does this script replace your old 'blacklistUpdate' script that was scheduled? Must I just schedule this new script as per before?
Hi, I'm not Dave but:
Yes and Yes :)
Ta!
Regards
Hilton
 
Steveocee
Forum Veteran
Posts: 763
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 10:43 am

for some reason many of my firewalls do not seem to have the version of the code that supports the ddns. So when I go to /ip there is no "cloud". This is true for both x86 versions and CHR running 6.42.7. Has anybody else seen this?
You need 6.43 on your CHR to run IP>Cloud and it has been confirmed there will be no IP>Cloud for x86 platform.

@IntrusDave Can I ask if there is any way to relax this "need" for cloud? With 6.43 being an RC candidate many people won't run this on their "normal" equipment and only on test stuff. I love your script, I really do but I don't want to run a potentially unstable routerOS release on my main router.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Chupaka
Forum Guru
Posts: 8070
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 11:56 am

@IntrusDave Can I ask if there is any way to relax this "need" for cloud? With 6.43 being an RC candidate many people won't run this on their "normal" equipment and only on test stuff. I love your script, I really do but I don't want to run a potentially unstable routerOS release on my main router.
Well, the answer is simple: wait for the 6.43 release. Don't you want to run a potentially unstable Blacklist Filter (which is still in development from scratch) on your main router? :)
Russian-speaking forum: http://forum.mikrotik.by. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.
 
Steveocee
Forum Veteran
Posts: 763
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 12:29 pm

@IntrusDave Can I ask if there is any way to relax this "need" for cloud? With 6.43 being an RC candidate many people won't run this on their "normal" equipment and only on test stuff. I love your script, I really do but I don't want to run a potentially unstable routerOS release on my main router.
Well, the answer is simple: wait for the 6.43 release. Don't you want to run a potentially unstable Blacklist Filter (which is still in development from scratch) on your main router? :)
I know Dave's script is fine though. Moving into RC channel and back can cause huge problems and sometimes full re-installation.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
wanos
just joined
Posts: 1
Joined: Thu Aug 16, 2018 12:43 pm

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 2:13 pm

Well that was a helluva ride ... I read 700 posts in 3 or 4 days ... still available or not, BGP and DNS shot down, ... fingers itching halfway thru reading to go back to first post and download-install, read code and run ... but I'm patient and waited until the end. And I'm relieved to find this is being revived in a new form.

Looking for blacklists on the net brought me here. I have a rb2011 that will work, and happy to find in an old box ... a micro USB to female USB A adapter cable ... plugged in an old stick and now I have temp storage to wear out instead of NAND on the device.

Being a software dev in a previous lifetime, I have an idea of just how much effort this involves. My hat is off to you Dave. We all owe you a debt of gratitude for the perseverance to keep this project alive for the MikroTik community. Software like this elevates and distinguishes MikroTik from the other major players in a big way. Thank-you. I have no more need for

fyi:
- running the hwlist.txt creation boots the rb2011 cpu to almost 30% for 1 sec. I have changed it to run every 2 days instead. Good enough for home.
- importing level 2, at only 16k addresses currently, keeps the cpu at 100% for about 50 secs. After importing, the cpu rests from 3 to 8%.

Once again, thanks Dave.
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 5:09 pm

Unfortunately, requiring IP Cloud to be enabled is the only way that I have found to try to reduce the amount of piracy and unauthorized redistribution. As at least two of the people in this thread have already shown, they feel my work should be done for free and that they (and the rest of the internet) should have full access to my list.

Using IP Cloud, it allows me to match the device serial number to the registered IP with the sn.mynetname.net service. I would love to use a simple http-auth, but with no way to encrypt the script on the client side, it's too easily forged. There is no great, or even good solution at this time, other than maybe username and password, but those get shared too easily.

I would LOVE it if MikroTik would just build a service into RouterOS to sync address-lists... but I doubt that would happen.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Wed Aug 22, 2018 5:11 pm

And yes, you need the RC for the CHR to get IP Cloud. Given that the development is in "beta" it shouldn't be run on production devices (although I do..), the requirement for IP Cloud isn't going away. As for x86... Well, I have one of those too, but it's being moved to CHR to get past the x86 limits.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
tippenring
Member Candidate
Posts: 150
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 6:13 am

Please keep up the great work. I've been running the BL on my home router as an experiment for a few weeks now. No trouble so far here.

I would be interested in assisting with dev if I can. I'm not sure what I could do to help though. I'm not a good coder (unless my years-ago basic and quickbasic coding counts). I manage a few hundred routers and networks for clients. I expect many would be interested in a commercial version of your service.

I could easily and securely host a honeypot on my home network or my work network if that would be useful.
 
HZsolt
just joined
Posts: 8
Joined: Tue Apr 24, 2018 7:31 pm

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 10:38 am

Where can I find the active blacklist script?
 
Rico40
just joined
Posts: 7
Joined: Sun Aug 19, 2018 8:53 pm
Location: Poland

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 10:50 am

It is on this page
 
HZsolt
just joined
Posts: 8
Joined: Tue Apr 24, 2018 7:31 pm

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 10:53 am

But I get error in the log: Blacklist Authorization failed

Which is the active and good script?
 
grusu
Frequent Visitor
Posts: 80
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 11:27 am

But I get error in the log: Blacklist Authorization failed

Which is the active and good script?
You must enable IP Cloud service first.
 
HZsolt
just joined
Posts: 8
Joined: Tue Apr 24, 2018 7:31 pm

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 11:37 am

But I get error in the log: Blacklist Authorization failed

Which is the active and good script?
You must enable IP Cloud service first.
Thank you! :) Works!!!!
 
HZsolt
just joined
Posts: 8
Joined: Tue Apr 24, 2018 7:31 pm

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 12:39 pm

Drop or redirect? Which one is better on firewall?

Question for IntrusDave: Do you have any IPv6 blacklist and domain (IPv4/IPv6) blacklist?
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 6:53 pm

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
HZsolt
just joined
Posts: 8
Joined: Tue Apr 24, 2018 7:31 pm

Re: Blacklist Filter (Development Topic)

Sun Aug 26, 2018 7:46 pm

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it.
OK! Thanks!!!

And domain blacklist?
 
boldsuck
newbie
Posts: 39
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: Blacklist Filter (Development Topic)

Mon Aug 27, 2018 1:13 am

And domain blacklist?
No only IP based.
But more than 135,000 if you want :D and your router can handle. (I get priority "1" on a RB2011UAS.)

This is a further development of the old project / service:
viewtopic.php?f=9&t=98804
╰_╯ Ciao Marco!
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Mon Aug 27, 2018 2:14 am

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it.
OK! Thanks!!!

And domain blacklist?
I don't find domain blacklisting very effective. Most botnets and viruses have their own DNS resolver and use hard-coded servers, so it doesn't really help at the router level. And more and more are moving to DNS over HTTPS.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Mon Aug 27, 2018 2:15 am

Drop or redirect? Which one is better on firewall?
Personally, I use a RAW Drop rule.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Mon Aug 27, 2018 2:23 am

But I get error in the log: Blacklist Authorization failed

Which is the active and good script?
IP Cloud is used for identification now. Once the service is live, the serial number from IP cloud will be used for authorization. The script gets the serial number from the IP cloud and submits it via the http-post over TLS; this keeps your serial from being sent in the clear. When the server receives the request, the http-post data is pulled, the serial number is then used to do a DNS lookup via {xxxxxxxxx.sn.mynetname.net} and that IP is then matched to the IP that is making the request. If the IPs don't match, then the odds are that the serial number is a fake, or someone is trying to leech the list. It's not a perfect system, but as long as the mynetname service isn't hacked, it should be good enough to stop most from leeching the list.

Other ideas were along the lines of assigning every router a UUID and then sending that, but again, no way to verify that the http-post is authentic. Nothing to keep someone from putting that UUID on other routers, or just faking it and using a script to clone the list.

I would love for MikroTik to put in a service that allows the routers to authenticate themselves, download and apply a list. Hell, I would even code the service for them, but I'm fairly certain that will never happen.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
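
The server-side check described in the posts of Wed Aug 22 and Mon Aug 27 above (serial in the POST body, lookup of <serial>.sn.mynetname.net, comparison with the requesting IP), sketched in Python as an added example; it is not the author's secureFetch.php code. The serial format, the function names and the sample records are assumptions, and the resolver is injectable so the sample runs offline.

```python
import ipaddress
import re
import socket

# Assumption: serials are short alphanumeric strings; the page does not give the real format.
SERIAL_RE = re.compile(r"[0-9a-z]{6,20}")
DDNS_SUFFIX = "sn.mynetname.net"  # suffix named in the post


def system_resolver(hostname):
    """Return every address the name resolves to, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def normalise_ip(text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def authorise(post_body, remote_addr, resolver=system_resolver):
    """Decide whether a list request is allowed; returns (allowed, reason).

    post_body   -- raw http-data sent by the router (the serial)
    remote_addr -- peer address of the connection as seen by the server,
                   not a client-supplied header
    """
    serial = post_body.strip().lower()
    # The serial is client-controlled and becomes part of a DNS name, so
    # reject anything that could add labels or change the zone queried.
    if not SERIAL_RE.fullmatch(serial):
        return False, "malformed serial"
    try:
        client = normalise_ip(remote_addr)
    except ValueError:
        return False, "bad remote address"
    registered = set()
    for addr in resolver(f"{serial}.{DDNS_SUFFIX}"):
        try:
            registered.add(normalise_ip(addr))
        except ValueError:
            continue  # e.g. scoped link-local answers
    if not registered:
        return False, "serial not registered with IP Cloud"
    if client not in registered:
        return False, "source IP does not match DDNS record"
    return True, "ok"


# Constructed DDNS records (documentation address ranges) standing in for real DNS.
SAMPLE_RECORDS = {"7a1b0c2d3e4f.sn.mynetname.net": ["203.0.113.10"]}


def sample_resolver(hostname):
    return SAMPLE_RECORDS.get(hostname, [])


def demo():
    cases = [
        ("7A1B0C2D3E4F\n", "203.0.113.10"),            # registered router
        ("7a1b0c2d3e4f", "198.51.100.77"),             # serial sent from another address
        ("ffffffffffff", "198.51.100.77"),             # serial with no DDNS record
        ("7a1b0c2d3e4f.example.org", "203.0.113.10"),  # extra DNS labels in the serial
        ("7a1b0c2d3e4f", "::ffff:203.0.113.10"),       # dual-stack listener form
    ]
    return [authorise(body, addr, sample_resolver) for body, addr in cases]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the comparison is on the public address, every host behind the same NAT as a registered router passes the check, and a router whose DDNS record is stale fails it until the record updates.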
 
HZsolt
just joined
Posts: 8
Joined: Tue Apr 24, 2018 7:31 pm

Re: Blacklist Filter (Development Topic)

Mon Aug 27, 2018 8:45 am

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it.
OK! Thanks!!!

And domain blacklist?
I don't find domain blacklisting very effective. Most botnets and viruses have their own DNS resolver and use hard-coded servers, so it doesn't really help at the router level. And more and more are moving to DNS over HTTPS.
OK! :) Thanks!

For example, a domain blacklist: https://blog.squidblacklist.org/?p=1658 Would it work effectively? The script saves the file to flash.

Download domain blacklist script:

/tool fetch url="https://www.squidblacklist.org/download ... ns-ads.rsc" mode=http;
:log info "tik-dns-ads.rsc from http://www.squidblacklist.org";

Replace downloaded domain blacklist script:

/ip firewall address-list remove [find where comment="sbl ads"]
/import file-name=tik-dns-ads.rsc;
:log info "Removed old DomainBlackList and imported new list";

viewtopic.php?t=113770
 
43north
Member Candidate
Posts: 192
Joined: Fri Nov 14, 2014 7:06 am

Re: Blacklist Filter (Development Topic)

Tue Aug 28, 2018 3:35 am

Dave,
Still very interested in learning how to setup a honeypot to collect addresses. Even if you are not to the point to accept other people's honeypot lists, could you do a brief write up to teach us the best way to setup a honeypot? Thanks!
 
IntrusDave
Forum Guru
Topic Author
Posts: 1250
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Tue Aug 28, 2018 5:43 am

I haven't gotten far enough on the honeypot side. I've started from scratch on the RouterOS script. I'll post it once it's stable enough to test.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
tippenring
Member Candidate
Posts: 150
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Blacklist Filter (Development Topic)

Tue Aug 28, 2018 6:34 am

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it.
Have you seen HE's free IPv6 tunnel https://tunnelbroker.net/? I've had one up for nearly a year.
 
tippenring
Member Candidate
Posts: 150
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Blacklist Filter (Development Topic)

Tue Aug 28, 2018 6:37 am

Dave,
Still very interested in learning how to setup a honeypot to collect addresses. Even if you are not to the point to accept other people's honeypot lists, could you do a brief write up to teach us the best way to setup a honeypot? Thanks!
Here are a couple of Honeypot projects from my notes. I'm sure there are many more. It's one of those things I've been wanting to do one of these days.

https://github.com/desaster/kippo
https://trustfoundry.net/honeypi-easy-h ... pberry-pi/
