Honeypot and Blacklist v3

It’s been a while since I looked at updating this and that’s mostly due to how my working focus has shifted away from the firewall and onto some hotspot related things so the bulk of my research has gone into that however after a visitor to my website engaged with me regarding this I thought it the right time to drop this almost “final” implementation to my blacklist script.

As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’ve been using now the implementation from Joshaven, some loose geographic blocks and then the IntrusDave list from the MikroTik forum.

I’ve finished that up with a far less brutal approach on something to pick out port scanners and any other snoopers;

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED INTERNET" connection-state=established,related in-interface=ether2_INTERNET
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST
add action=accept chain=input comment="ACCEPT PING" protocol=icmp
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=ether2_INTERNET src-address-list=myblocklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING TCP" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING UDP" dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP ALL" in-interface=ether2_INTERNET

This approach is roughly netting me about 500 blocked IP’s on my private connection and some 2000 on my colo unit.

Honeypot and Blacklist v2

My first attempt at a brutal honeypot worked to a degree however it did cause some problems. I’m not sure totally how but Amazon Prime Video stopped working (Amazon servers port scanning me??) but I managed to block Amazon which wasn’t the most helpful thing at bedtime when my 4 kids are trying to watch Shaun the Sheep before bed. I’ve had to make some changes to it. The previously stated timeout has now been employed so sources that sniff about are now only timed out for 24 hours rather than permanently and I’ve also added in an extra rule for ICMP traffic as there were a couple of ICMP type packets getting through and the owners not getting blocked.

So far Amazon is working and this combined with a geographic black list in addition to the Joshaven blacklist and I’m now getting towards the place I want to be.

/ip firewall filter
add action=drop chain=input comment="DROP Joshaven BL" src-address-list=blacklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY TCP" in-interface-list=WANs protocol=tcp src-address-list=!routeraccess
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY UDP" in-interface-list=WANs protocol=udp src-address-list=!routeraccess
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY ICMP" in-interface-list=WANs protocol=icmp src-address-list=!routeraccess
add action=drop chain=forward comment="DROP myblocklist outbound" dst-address-list=myblocklist

More to follow up and there will be a full firewall list to follow once I have something I feel is universal enough to distribute.

 

My first attempt at a honeypot/blacklist

Using a thread on the MikroTik forums as inspiration, I’ve taken the idea and made my first incarnation of a fairly brutal honeypot & blacklist. This is only the interesting part of the full router script but it’s my baseline for starting.

# SET WHITELIST IF NEEDED
# SET IN-INTERFACE
/ip firewall address-list
add address=8.8.8.8 list=WHITELIST
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED SERVICE" connection-state=established,related in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT PING" protocol=icmp in-interface=WAN.INTERFACE
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING TCP" in-interface=WAN.INTERFACE protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING UDP" in-interface=WAN.INTERFACE protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=WAN.INTERFACE src-address-list=honeypot-blacklist
add action=drop chain=input comment="DROP ALL (SHOULD NOT FILL UP)" in-interface=WAN-INTERFACE log=yes log-prefix=non-bl-dropped-traffic

It’s quite strict in that anything that sniffs at it gets added to the blacklist and then blocked until reboot. As I push it further I will probably time the sniffers out for a few days rather than perma-block.

Back to a CHR?

Friday 13th was an exciting one in my household! Not only did I kill the internet for everyone for a good 3 hour period whilst I swapped from an Ikea Lack table to a “real” 6U cabinet causing huge disruption when my planned single patch panel turned into 3! I also fired up old faithful and stuck on a fresh copy of the latest (6.42.6) CHR into my VM box.

Now I have my spare ESXi box housed in the attic in a real rack it means I don’t need it screaming away in the cave so I can finally move back to a CHR build and keep it. My rough maths says the CHR unit will have around 4-5 times the performance of the RB3011 which will now get moved to the cave as a dedicated VLAN breakout switch (or maybe sold) but ultimately I can employ some far more complex queues without worrying that I’m running the CPU up too far.

My long term plan is to SFQ my LAN traffic but then pick out particular traffic types from that and SFQ them against each other whilst doing some PFIFO pulling them all together. I’ll try to document as much as I can but in short it will be a huge amount of packet marking so CPU grunt is needed. I’m even now tempted to look at upgrading the CPU so it’s more than a dual core!

Fun times ahead.