Honeypot and Blacklist v2

My first attempt at a brutal honeypot worked to a degree however it did cause some problems. I’m not sure totally how but Amazon Prime Video stopped working (Amazon servers port scanning me??) but I managed to block Amazon which wasn’t the most helpful thing at bedtime when my 4 kids are trying to watch Shaun the Sheep before bed. I’ve had to make some changes to it. The previously stated timeout has now been employed so sources that sniff about are now only timed out for 24 hours rather than permanently and I’ve also added in an extra rule for ICMP traffic as there were a couple of ICMP type packets getting through and the owners not getting blocked.

So far Amazon is working and this combined with a geographic black list in addition to the Joshaven blacklist and I’m now getting towards the place I want to be.

/ip firewall filter
add action=drop chain=input comment="DROP Joshaven BL" src-address-list=blacklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY TCP" in-interface-list=WANs protocol=tcp src-address-list=!routeraccess
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY UDP" in-interface-list=WANs protocol=udp src-address-list=!routeraccess
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY ICMP" in-interface-list=WANs protocol=icmp src-address-list=!routeraccess
add action=drop chain=forward comment="DROP myblocklist outbound" dst-address-list=myblocklist

More to follow up and there will be a full firewall list to follow once I have something I feel is universal enough to distribute.

 

My first attempt at a honeypot/blacklist

Using a thread on the MikroTik forums as inspiration, I’ve taken the idea and made my first incarnation of a fairly brutal honeypot & blacklist. This is only the interesting part of the full router script but it’s my baseline for starting.

# SET WHITELIST IF NEEDED
# SET IN-INTERFACE
/ip firewall address-list
add address=8.8.8.8 list=WHITELIST
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED SERVICE" connection-state=established,related in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT PING" protocol=icmp in-interface=WAN.INTERFACE
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING TCP" in-interface=WAN.INTERFACE protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING UDP" in-interface=WAN.INTERFACE protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=WAN.INTERFACE src-address-list=honeypot-blacklist
add action=drop chain=input comment="DROP ALL (SHOULD NOT FILL UP)" in-interface=WAN-INTERFACE log=yes log-prefix=non-bl-dropped-traffic

It’s quite strict in that anything that sniffs at it gets added to the blacklist and then blocked until reboot. As I push it further I will probably time the sniffers out for a few days rather than perma-block.

Starting my blacklist journey

 

Recently with a lot of the “news” about MikroTik being that version X.XX has been compromised and then so has X.XX it got me looking a lot closer at security and what I can do to protect my own router and those that I manage.

The easiest answer primarily is don’t allow external access and make sure your firewall is impervious but then what about actual protection from these sources even before they get near your Winbox interface and what about enhancing that to protect client devices as well?

From reading through the MikroTik community I came across a thread by a guy called Dave who is offering brilliant blacklist capabilities for very cheap (when it comes to market) if you don’t mind running his script on your router ( forum thread here ). This consists of running his script on a scheduled basis and creating a firewall rule to block the traffic from the created list as both input & forward, source & destination with combinations thereof.

Dave’s list is brilliant, it takes from known sources of malicious software as well as his own network of honeypot servers so it will actively catch people trying to get at his servers. An advantage of this is it also does not take up much room as an exported RSC file as the script is to fetch a dynamic file which is imported and then deleted so keeping your file size low.

In addition to this I wanted my own form of very basic protection from specific geolocations, to do this I have found a site called mikrotikconfig.com.

There is an option here to generate an address list from selected countries, I simply chose the countries I don’t want with access, edited the file to use “myblocklist” instead of “countryip” and then created firewall rules to drop those also. The downside to doing this is all of the subnets are statically set so it will vastly increase your export RSC size but for mid to higher range devices this shouldn’t be an issue.

More to come as I develop and increase my blacklisting capabilities.

 

CHR CPU Upgrade

Its been on my mind for a while that the CPU in my CHR wasn’t setting the world on fire, it was great for what it was doing and it was low powered but as I start and do more with my CHR, maybe start to look at a dude server and do some more advanced packet marking and processing I wanted something with more oomph!

I’ve now upgraded from a Xeon E3-1220L to an E3-1270. That’s a boost in base clock from 2.2Ghz to 3.4Ghz and a big step from 2c4t to 4c8t. I managed to do a small amount of testing before and after and whilst the difference from what has been done is negligible at this point, I’m expecting that as I burden the CPU more it will withstand the pressure for longer.

Before upgrade;

After CPU upgrade, same ESXi settings so this is “just” the core speed improvement;

This is the performance after shutting the machine down and applying the additional CPU cores;

 

Concluding my testing, a 400Mb increase in pushing traffic to itself from the CPU core speed upgrade, nothing to be sniffed at I guess, the traffic was also a bit more stable at this speed as opposed to the previous CPU.

Back to a CHR?

Friday 13th was an exciting one in my household! Not only did I kill the internet for everyone for a good 3 hour period whilst I swapped from an Ikea Lack table to a “real” 6U cabinet causing huge disruption when my planned single patch panel turned into 3! I also fired up old faithful and stuck on a fresh copy of the latest (6.42.6) CHR into my VM box.

Now I have my spare ESXi box housed in the attic in a real rack it means I don’t need it screaming away in the cave so I can finally move back to a CHR build and keep it. My rough maths says the CHR unit will have around 4-5 times the performance of the RB3011 which will now get moved to the cave as a dedicated VLAN breakout switch (or maybe sold) but ultimately I can employ some far more complex queues without worrying that I’m running the CPU up too far.

My long term plan is to SFQ my LAN traffic but then pick out particular traffic types from that and SFQ them against each other whilst doing some PFIFO pulling them all together. I’ll try to document as much as I can but in short it will be a huge amount of packet marking so CPU grunt is needed. I’m even now tempted to look at upgrading the CPU so it’s more than a dual core!

Fun times ahead.