Honeypot and Blacklist v3

It’s been a while since I looked at updating this and that’s mostly due to how my working focus has shifted away from the firewall and onto some hotspot related things so the bulk of my research has gone into that however after a visitor to my website engaged with me regarding this I thought it the right time to drop this almost “final” implementation to my blacklist script.

As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’ve been using now the implementation from Joshaven, some loose geographic blocks and then the IntrusDave list from the MikroTik forum.

I’ve finished that up with a far less brutal approach on something to pick out port scanners and any other snoopers;

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED INTERNET" connection-state=established,related in-interface=ether2_INTERNET
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST
add action=accept chain=input comment="ACCEPT PING" protocol=icmp
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=ether2_INTERNET src-address-list=myblocklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING TCP" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING UDP" dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP ALL" in-interface=ether2_INTERNET

This approach is roughly netting me about 500 blocked IP’s on my private connection and some 2000 on my colo unit.

Starting my blacklist journey

 

Recently with a lot of the “news” about MikroTik being that version X.XX has been compromised and then so has X.XX it got me looking a lot closer at security and what I can do to protect my own router and those that I manage.

The easiest answer primarily is don’t allow external access and make sure your firewall is impervious but then what about actual protection from these sources even before they get near your Winbox interface and what about enhancing that to protect client devices as well?

From reading through the MikroTik community I came across a thread by a guy called Dave who is offering brilliant blacklist capabilities for very cheap (when it comes to market) if you don’t mind running his script on your router ( forum thread here ). This consists of running his script on a scheduled basis and creating a firewall rule to block the traffic from the created list as both input & forward, source & destination with combinations thereof.

Dave’s list is brilliant, it takes from known sources of malicious software as well as his own network of honeypot servers so it will actively catch people trying to get at his servers. An advantage of this is it also does not take up much room as an exported RSC file as the script is to fetch a dynamic file which is imported and then deleted so keeping your file size low.

In addition to this I wanted my own form of very basic protection from specific geolocations, to do this I have found a site called mikrotikconfig.com.

There is an option here to generate an address list from selected countries, I simply chose the countries I don’t want with access, edited the file to use “myblocklist” instead of “countryip” and then created firewall rules to drop those also. The downside to doing this is all of the subnets are statically set so it will vastly increase your export RSC size but for mid to higher range devices this shouldn’t be an issue.

More to come as I develop and increase my blacklisting capabilities.

 

CHR CPU Upgrade

Its been on my mind for a while that the CPU in my CHR wasn’t setting the world on fire, it was great for what it was doing and it was low powered but as I start and do more with my CHR, maybe start to look at a dude server and do some more advanced packet marking and processing I wanted something with more oomph!

I’ve now upgraded from a Xeon E3-1220L to an E3-1270. That’s a boost in base clock from 2.2Ghz to 3.4Ghz and a big step from 2c4t to 4c8t. I managed to do a small amount of testing before and after and whilst the difference from what has been done is negligible at this point, I’m expecting that as I burden the CPU more it will withstand the pressure for longer.

Before upgrade;

After CPU upgrade, same ESXi settings so this is “just” the core speed improvement;

This is the performance after shutting the machine down and applying the additional CPU cores;

 

Concluding my testing, a 400Mb increase in pushing traffic to itself from the CPU core speed upgrade, nothing to be sniffed at I guess, the traffic was also a bit more stable at this speed as opposed to the previous CPU.

More CHR router updates

My iDrac kit has arrived and a lot faster than I thought it would. I’ve got it installed and I’m ready to battle with it and try to learn how to get into it and access the iDrac interface.

Now to get it powered up and updated to latest firmware. Also I’ve been looking at OS for routers and OPNSense has come onto my radar, I may be tempted to spin up one of each on ESXi so I can switch between the two.