Using a thread on the MikroTik forums as inspiration, I’ve taken the idea and made my first incarnation of a fairly brutal honeypot & blacklist. This is only the interesting part of the full router script but it’s my baseline for starting.
# SET WHITELIST IF NEEDED
# SET IN-INTERFACE
/ip firewall address-list
add address=8.8.8.8 list=WHITELIST
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED SERVICE" connection-state=established,related in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT PING" protocol=icmp in-interface=WAN.INTERFACE
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING TCP" in-interface=WAN.INTERFACE protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING UDP" in-interface=WAN.INTERFACE protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=WAN.INTERFACE src-address-list=honeypot-blacklist
add action=drop chain=input comment="DROP ALL (SHOULD NOT FILL UP)" in-interface=WAN.INTERFACE log=yes log-prefix=non-bl-dropped-traffic
It’s quite strict in that anything that sniffs at it gets added to the blacklist and then blocked until reboot. As I push it further I will probably time the sniffers out for a few days rather than perma-block.
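To see how the rule order above actually plays out, here is a small first-match simulation of the input chain (an added example, not the post's own RouterOS script; the packets, addresses and protocol names are constructed):

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    proto: str               # "tcp", "udp", "icmp" or anything else (e.g. "gre")
    established: bool = False

@dataclass
class InputChain:
    """Model of the post's input chain on the WAN interface, evaluated top-down."""
    whitelist: set = field(default_factory=lambda: {"8.8.8.8"})
    blacklist: set = field(default_factory=set)   # honeypot-blacklist
    log: list = field(default_factory=list)       # non-bl-dropped-traffic log

    def process(self, pkt: Packet) -> str:
        if pkt.established:                # ACCEPT ESTABLISHED & RELATED
            return "accept"
        if pkt.src in self.whitelist:      # ACCEPT WHITELIST
            return "accept"
        if pkt.proto == "icmp":            # ACCEPT PING sits above the blacklist
            return "accept"                # drop, so blacklisted hosts can still ping
        # BLACKLISTING TCP / UDP: add-src-to-address-list is passthrough,
        # so the packet keeps falling through to the rules below.
        if pkt.proto in ("tcp", "udp") and pkt.src not in self.whitelist:
            self.blacklist.add(pkt.src)
        if pkt.src in self.blacklist:      # DROP BLACKLISTED INPUT
            return "drop"
        # DROP ALL: only non-TCP/UDP/ICMP from unknown sources gets here
        self.log.append(f"non-bl-dropped-traffic src={pkt.src} proto={pkt.proto}")
        return "drop"

def demo() -> dict:
    chain = InputChain()
    # Constructed sample traffic (documentation-range addresses, not real captures)
    results = {
        "scanner_syn": chain.process(Packet("203.0.113.7", "tcp")),
        "scanner_udp_probe": chain.process(Packet("203.0.113.7", "udp")),
        "scanner_ping": chain.process(Packet("203.0.113.7", "icmp")),
        "whitelisted_dns_reply": chain.process(Packet("8.8.8.8", "udp")),
        "reply_to_our_connection": chain.process(Packet("198.51.100.9", "tcp", True)),
        "unknown_gre": chain.process(Packet("192.0.2.44", "gre")),
    }
    results["blacklist"] = sorted(chain.blacklist)
    results["fallthrough_log"] = list(chain.log)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```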