kakaxa
just joined
Posts: 12
Joined: Thu Feb 01, 2018 5:46 am

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:21 pm

> Due to people like this guy ^^^ the beta list will be limited to the "free" list of about 1800 IP's.
> I do not want my 150,000 IP's collected by my honeypots being used for other people's services.

Dave, please don't do it. I understand very little of all this, but your creation is a masterpiece. It isn't necessary to spoil everything because of one fool. :(
I apologize for the Google Translate :oops:
 
IntrusDave
Forum Guru
Topic Author
Posts: 1226
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:25 pm

Has anyone here worked with tr069 at all? I've never played with it and I'm curious if it offers anything useful to this project.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
IntrusDave
Forum Guru
Topic Author
Posts: 1226
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:42 pm

Oh BTW guys, my Honeypots alone are reporting over 37,000 ACTIVE botnet IP's for the last 12 hours.
Those IP's will NOT be included in the free list.
 
43north
Member Candidate
Posts: 181
Joined: Fri Nov 14, 2014 7:06 am

Re: Blacklist Filter (Development Topic)

Tue Aug 07, 2018 7:59 pm

> Oh BTW guys, my Honeypots alone are reporting over 37,000 ACTIVE botnet IP's for the last 12 hours.
> Those IP's will NOT be included in the free list.

Dave please don't limit the Beta, don't let this guy be the driver for that. It is not worth it and hurts us that are your loyal followers. I am using your Priority 3 list and will start paying for it whenever you want. It is helping me immensely. Please don't limit the beta list to the small list......
 
IntrusDave
Forum Guru
Topic Author
Posts: 1226
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Wed Aug 08, 2018 1:34 am

It's limited for now, hoping to have a very basic auth system in place by tomorrow morning. My server logs show at least 2 people trying VERY hard to figure out how to trick the server into sending the list to a wget/curl client. Sorry, but the blatant abuse won't be tolerated.
I'll post a simple Google Form for registering ASAP.
 
Steveocee
Long time Member
Posts: 673
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Wed Aug 08, 2018 11:03 am

> It's limited for now, hoping to have a very basic auth system in place by tomorrow morning. My server logs show at least 2 people trying VERY hard to figure out how to trick the server into sending the list to a wget/curl client. Sorry, but the blatant abuse won't be tolerated.
> I'll post a simple Google Form for registering ASAP.

I was just about to post and say that my blacklist had decreased overnight from 140K+ to 2K!
It's a real shame that people abuse your good nature like this.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
43north
Member Candidate
Posts: 181
Joined: Fri Nov 14, 2014 7:06 am

Re: Blacklist Filter (Development Topic)

Wed Aug 08, 2018 8:44 pm

> on the flip side, if anyone is in Southern California (Rancho Cucamonga / Ontario / Pomona / San Bernardino) you are hit me up and I'd love to grab coffee and chat.

Dave, although I am not in your area, I am next door in Idaho. I am very interested in setting up honeypots where I am at to contribute to the database however you see fit. How can we catch up on the phone etc to discuss more information that I don't want to post on the forum?
 
grusu
Frequent Visitor
Posts: 70
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Blacklist Filter (Development Topic)

Thu Aug 09, 2018 11:02 am

> Dave,
>
> Have you considered using external to your network honeypots as source of offending IPs?
> I use as the first frontier such RAW drop rules and all the time there are some IPs on the list of attackers.
>
> add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=127m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
> add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
> add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=37m chain=prerouting comment=RAW1ADD dst-port=8291,21,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
> add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=37m chain=prerouting comment=RAW1ADD dst-port=8291,21,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp
> add action=drop chain=prerouting disable=yes  comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK

Hi BartoszP,

It's a good starting point. I have used your rules but set it so that I do not block the IPs from where I administer the router.
How can I collect offending IPs?

Thanks,
Geo
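
Added example (not part of any post in this thread): one way to collect offending IPs from the rules quoted above is to parse the firewall log entries written by the two RAW1ADD rules, the only ones with log=yes, while skipping the addresses used to administer the router. The log line layout, the sample lines and the list name COLLECTED are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumed RouterOS firewall log format.
SAMPLE_LOG = """\
aug/09 10:58:01 firewall,info RAW1: prerouting: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:40122->198.51.100.10:23, len 40
aug/09 10:58:03 firewall,info RAW1: prerouting: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.7:40123->198.51.100.10:8291, len 40
aug/09 10:58:09 firewall,info RAW1: prerouting: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 192.0.2.44:5353->198.51.100.10:11211, len 43
aug/09 10:59:12 firewall,info RAW1: prerouting: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 198.51.100.200:50000->198.51.100.10:22, len 60
aug/09 11:00:00 system,info,account user admin logged in from 198.51.100.200 via winbox
aug/09 11:00:05 firewall,info RAW1: prerouting: in:ether1 truncated line
"""

# Only the RAW1ADD rules carry log=yes, so "RAW1: " is the prefix to look for.
LINE_RE = re.compile(
    r"\bRAW1: .*?proto (?P<proto>\w+)[^,]*, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+->\d{1,3}(?:\.\d{1,3}){3}:(?P<dport>\d+)"
)


def collect_offenders(log_text, admin_nets=()):
    """Map each logged source IP to the sorted (proto, port) pairs it probed."""
    allow = [ipaddress.ip_network(n) for n in admin_nets]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other log topics, other prefixes, truncated lines
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # digits that do not form a valid IPv4 address
        if any(src in net for net in allow):
            continue  # never list the addresses the router is administered from
        hits[str(src)].add((m["proto"].lower(), int(m["dport"])))
    return {ip: sorted(ports) for ip, ports in hits.items()}


def as_routeros_import(offenders, list_name="COLLECTED"):
    """Render address-list commands; COLLECTED is a hypothetical list name."""
    return [f"/ip firewall address-list add list={list_name} address={ip}"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    found = collect_offenders(SAMPLE_LOG, admin_nets=["198.51.100.200/32"])
    print("\n".join(as_routeros_import(found)))
```

The per-source port sets also show which sources touched several of the watched ports, which helps separate scanners from one-off stray packets.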
 
Steveocee
Long time Member
Posts: 673
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Sun Aug 12, 2018 7:25 pm

@IntrusDave
Have you changed the beta availability again? I've just checked my list to make sure it's still updating nicely and noticed I've jumped from some 2K to 16K entries!
Thank you 8)
 
IntrusDave
Forum Guru
Topic Author
Posts: 1226
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Blacklist Filter (Development Topic)

Sun Aug 12, 2018 9:56 pm

Yes, I've blocked most of the IP's that are trying to leech the lists.
Still working on an auth system that is reliable. I think it's going to have to be based on the Cloud DNS. [/ip cloud set ddns-enable=yes] is going to be required, unless MikroTik gives me a way to authenticate better than that.
 
Steveocee
Long time Member
Posts: 673
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Blacklist Filter (Development Topic)

Mon Aug 13, 2018 9:44 am

> Yes, I've blocked most of the IP's that are trying to leech the lists.
> Still working on an auth system that is reliable. I think it's going to have to be based on the Cloud DNS. [/ip cloud set ddns-enable=yes] is going to be required, unless MikroTik gives me a way to authenticate better than that.

Good times, thank you.
“Oh bugger” he says with his CHR! I may end up notifying you of my static IP and hoping you’d do me a solid then?

A question, do I need BOTH a firewall filter rule AND a raw drop rule? I’m currently using just raw drop rules for source and then another for destination of the BL but wondered if there was any gain in running a filter rule of each as well? (Appreciate I could create rules and watch counters but wondering on your recommendation).
 
Chupaka
Forum Guru
Posts: 8029
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Blacklist Filter (Development Topic)

Mon Aug 13, 2018 7:03 pm

> “Oh bugger” he says with his CHR! I may end up notifying you of my static IP and hoping you’d do me a solid then?

CHR even with trial license has IP Cloud now (starting v6.43) :)
Russian-speaking forum: http://forum.mikrotik.by. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.
