Honeypot and Blacklist v3

It’s been a while since I looked at updating this, mostly because my working focus has shifted away from the firewall and onto some hotspot-related things, so the bulk of my research has gone into that. However, after a visitor to my website engaged with me regarding this, I thought it the right time to drop this almost “final” implementation of my blacklist script.

As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’ve now been using the implementation from Joshaven, some loose geographic blocks and then the IntrusDave list from the MikroTik forum.

I’ve finished that up with a far less brutal approach to picking out port scanners and any other snoopers:

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED INTERNET" connection-state=established,related in-interface=ether2_INTERNET
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST
add action=accept chain=input comment="ACCEPT PING" protocol=icmp
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=ether2_INTERNET src-address-list=myblocklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING TCP" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING UDP" dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP ALL" in-interface=ether2_INTERNET

This approach is netting me roughly 500 blocked IPs on my private connection and some 2000 on my colo unit.
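One refinement worth considering, as an added example rather than the author’s own rules: as written, the two trap rules fire on any TCP or UDP packet to the listed ports, so a stray ACK or RST from a legitimate peer whose connection-tracking entry has already expired is enough to blacklist that peer for a week, and so is a single SYN carrying a spoofed source address. Restricting the TCP rule to new connections with only SYN set, and the UDP rule to new connections, narrows the trigger to genuine connection attempts. Spoofing cannot be ruled out by the router alone, which is why the WHITELIST accept must stay above the trap and why a trap-populated list is best kept to the input chain, as above, rather than used to drop forwarded traffic. The management address 203.0.113.10 is a placeholder.

```routeros
# Added example, not the author's configuration: the same port-scanner trap,
# narrowed to genuine connection attempts. 203.0.113.10 is a placeholder
# (RFC 5737 documentation range) standing in for the host you manage from.

/ip firewall address-list
add list=WHITELIST address=203.0.113.10 comment="management host, never trapped"

/ip firewall filter
# Only a bare SYN (no ACK) on a new connection trips the TCP trap, so late
# packets from expired legitimate sessions no longer count as probes.
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w \
    chain=input comment="BLACKLISTING TCP (new SYN only)" connection-state=new \
    dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET \
    protocol=tcp tcp-flags=syn,!ack src-address-list=!WHITELIST
# UDP has no handshake, so connection-state=new is the closest equivalent:
# only the first packet of a flow can trap its sender.
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w \
    chain=input comment="BLACKLISTING UDP (new only)" connection-state=new \
    dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp \
    src-address-list=!WHITELIST

# Checks: what has been trapped (dynamic entries carry the D flag and their
# remaining timeout), and per-rule hit counters to confirm the trap is firing
# while the whitelist and established/related accepts above it are not.
/ip firewall address-list print where list=myblocklist
/ip firewall filter print stats where chain=input
```

These two rules replace, rather than sit alongside, the “BLACKLISTING TCP” and “BLACKLISTING UDP” rules; as with the original, they are non-terminating, so the probe itself still falls through to “DROP ALL” and only the sender’s later packets hit the “DROP BLACKLISTED INPUT” rule.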

Starting my blacklist journey


Recently, with a lot of the “news” about MikroTik being that version X.XX has been compromised and then so has X.XX, I have been looking a lot closer at security and what I can do to protect my own router and those that I manage.

The easiest answer, primarily, is don’t allow external access and make sure your firewall is impervious. But then what about actual protection from these sources even before they get near your Winbox interface, and what about extending that to protect client devices as well?

From reading through the MikroTik community I came across a thread by a guy called Dave who is offering brilliant blacklist capabilities for very cheap (when it comes to market) if you don’t mind running his script on your router (forum thread here). This consists of running his script on a scheduled basis and creating firewall rules to block traffic from the created list in both the input and forward chains, matching on source and destination address and combinations thereof.

Dave’s list is brilliant: it takes from known sources of malicious software as well as his own network of honeypot servers, so it will actively catch people trying to get at his servers. An advantage of this is that it also does not take up much room in an exported RSC file, as the script fetches a dynamic file which is imported and then deleted, keeping your file size low.

In addition to this I wanted my own form of very basic protection from specific geolocations; to do this I have found a site called mikrotikconfig.com.

There is an option there to generate an address list from selected countries. I simply chose the countries I don’t want to have access, edited the file to use “myblocklist” instead of “countryip” and then created firewall rules to drop those also. The downside to doing this is that all of the subnets are statically set, so it will vastly increase your exported RSC size, but for mid to higher range devices this shouldn’t be an issue.
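The fetch-import-delete cycle described for Dave’s list, and the drop rules that go with it, look like the following. This is an added example written for this page, not Dave’s script; the feed URL, the 03:15 schedule and the list name feedblocklist are placeholders. A static country list generated elsewhere can be loaded the same way (rename its list to feedblocklist instead of countryip before uploading), or simply imported once if it is never expected to change. Keeping the feed in its own list means the nightly wipe-and-reload never touches the dynamic entries the port-scanner trap puts into myblocklist.

```routeros
# Added example, not Dave's script. Assumptions: the feed is an .rsc file of
# lines such as
#   /ip firewall address-list add list=feedblocklist address=198.51.100.0/24
# served at a placeholder URL; the list name "feedblocklist" is our choice.

# --- Script body: save as /system script "update-feedblocklist" ---
:do {
    /tool fetch url="https://feed.example.invalid/blocklist.rsc" dst-path="blocklist.rsc"
    # Clear the old entries only once a fresh file has arrived, so a failed
    # download leaves the previous list in force rather than no list at all.
    /ip firewall address-list remove [find list=feedblocklist]
    /import file-name=blocklist.rsc
    /file remove [find name="blocklist.rsc"]
    :log info ("feedblocklist updated, entries: " . [:len [/ip firewall address-list find list=feedblocklist]])
} on-error={
    :log error "feedblocklist update failed, previous list kept"
}

# --- Run it nightly ---
/system scheduler add name=update-feedblocklist interval=1d start-time=03:15:00 \
    on-event=update-feedblocklist

# --- Drop rules ---
# Rule order matters: "add" appends, and anything appended after the existing
# "DROP ALL" input rule is never reached, so the input rule is placed above it.
/ip firewall filter
add action=drop chain=input comment="DROP FEED SRC INPUT" in-interface=ether2_INTERNET \
    src-address-list=feedblocklist place-before=[find chain=input comment="DROP ALL"]
add action=drop chain=forward comment="DROP FEED SRC FORWARD" in-interface=ether2_INTERNET \
    src-address-list=feedblocklist
add action=drop chain=forward comment="DROP FEED DST FORWARD" out-interface=ether2_INTERNET \
    dst-address-list=feedblocklist

# Check after the first run: the list is populated and the rules are counting.
/ip firewall address-list print count-only where list=feedblocklist
/ip firewall filter print stats where src-address-list=feedblocklist
```

The forward-chain destination rule is the one that protects clients: it stops a LAN host that is already infected from reaching a listed address, which the input-chain rule alone does not do.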

More to come as I develop and increase my blacklisting capabilities.


CHR CPU Upgrade

It’s been on my mind for a while that the CPU in my CHR wasn’t setting the world on fire. It was great for what it was doing and it was low powered, but as I start to do more with my CHR, maybe start to look at a Dude server and do some more advanced packet marking and processing, I wanted something with more oomph!

I’ve now upgraded from a Xeon E3-1220L to an E3-1270. That’s a boost in base clock from 2.2 GHz to 3.4 GHz and a big step from 2c/4t to 4c/8t. I managed to do a small amount of testing before and after, and whilst the difference from what has been done is negligible at this point, I’m expecting that as I burden the CPU more it will withstand the pressure for longer.

Before upgrade:

After CPU upgrade, same ESXi settings, so this is “just” the core speed improvement:

This is the performance after shutting the machine down and adding the additional CPU cores:


Concluding my testing: a 400 Mb/s increase in pushing traffic to itself from the CPU core speed upgrade, nothing to be sniffed at, I guess. The traffic was also a bit more stable at this speed than with the previous CPU.

More CHR router updates

My iDRAC kit has arrived, and a lot faster than I thought it would. I’ve got it installed and I’m ready to battle with it and try to learn how to get into it and access the iDRAC interface.

Now to get it powered up and updated to the latest firmware. Also, I’ve been looking at OSes for routers and OPNsense has come onto my radar; I may be tempted to spin up one of each on ESXi so I can switch between the two.

Testing the UBIQUITI Unifi USG3

As I’ve been shifting the home network around a lot lately, I’ve taken the chance to test the Unifi USG3 router. Whilst I have used it very briefly previously, I have never given it a good chance to stretch its legs and implement a lot of its features, always having shelved it in favour of a MikroTik system.

[screenshot: unifi1]

The cherry on the cake with the USG range of routers has to be the brilliantly executed DPI (more about that later).

The home screen of the controller lights up the two left-hand bubbles and the left-hand middle one (WAN) with information relating to the connection. The latency is a bit off, as it pings ubnt.com; there is a variable for this, but I found that changing it broke it completely, so I reverted it to UBNT. A couple of neat graphs underneath show average throughput and latency over time, with a summary of wireless channels and users to the right. Some more information towards the bottom of the screen covers device totals and user totals, and then a brief overview of traffic and the protocols causing it.

DPI is where the router comes to life, though. If you want a nice user-friendly interface to see who is smashing through your connection, then the USG is definitely for you: the statistics page comes to life and clearly displays your traffic types in a format that even a networking noob could take in.

[screenshot: unifi2]

This can be expanded upon category by category by clicking on the protocol identified:

[screenshot: unifi3]

It also has a users option, so you can see exactly who is causing the most traffic, or how active a particular user is on each protocol:

[screenshot: unifi4]

You can also click onto the Clients tab (down the left), click on a client and choose the DPI option to see that user’s history exclusively:

[screenshot: unifi5]

The Unifi routing is where I start to lose interest, though. It’s basic, with some room for more advanced features, and I can only hope the Ubiquiti development team will expand upon it. For a basic consumer device this would be brilliant, but more corporate or power users will begin to feel hindered by it. Coming from a MikroTik RB3011, I currently feel like both hands are tied together.

I will admit the lack of an L2TP client (through the GUI) is a bit of a pain for me, and not being able to create lists of either IPs or self-resolving hostnames is also a major letdown. Static routing you can do without any issues if you know the destination IP range, but that’s about as far as I could take it in testing.

I will admit, though, that I am very taken by the Unifi app; it manages to cram all of the information, which can look crammed even on a full screen, onto my iPhone SE screen. I often find myself sitting there flicking through the pages just out of pure interest.

All in all, I’m really happy with the USG3. I love having the clarity of seeing which device is putting traffic where, but there is a downside: I miss the overwhelming control I get from having a MikroTik in there. If the USG were developed a bit further and I could satisfy myself that the Pro rack-mounted model could be quiet, then I’d probably convert. For now, though, it will stay where it is until I convince myself that a CCR is really what I need.