My first attempt at a honeypot/blacklist

Using a thread on the MikroTik forums as inspiration, I’ve taken the idea and made my first incarnation of a fairly brutal honeypot & blacklist. This is only the interesting part of the full router script but it’s my baseline for starting.

# SET WHITELIST IF NEEDED
# SET IN-INTERFACE
/ip firewall address-list
add address=8.8.8.8 list=WHITELIST
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED SERVICE" connection-state=established,related in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT PING" protocol=icmp in-interface=WAN.INTERFACE
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING TCP" in-interface=WAN.INTERFACE protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=none-dynamic chain=input comment="BLACKLISTING UDP" in-interface=WAN.INTERFACE protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=WAN.INTERFACE src-address-list=honeypot-blacklist
add action=drop chain=input comment="DROP ALL (SHOULD NOT FILL UP)" in-interface=WAN.INTERFACE log=yes log-prefix=non-bl-dropped-traffic

It’s quite strict in that anything that sniffs at it gets added to the blacklist and then blocked until reboot. As I push it further I will probably time the sniffers out for a few days rather than perma-block.
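The timed-out variant mentioned above, as an added example that is not code from the original post: it keeps the post's rule order and its WAN.INTERFACE, WHITELIST and honeypot-blacklist names, and the three-day timeout is my assumed value. Put the address you administer from into WHITELIST before applying it, since any other new TCP/UDP connection arriving on the WAN side gets blacklisted.

```routeros
# Added example: same honeypot idea, but offenders expire after 3 days
# instead of staying blocked until reboot (none-dynamic).
/ip firewall address-list
add address=8.8.8.8 list=WHITELIST comment="whitelisted source (from the post)"
# ASSUMPTION: replace with the address you manage the router from
add address=192.0.2.10 list=WHITELIST comment="admin source (placeholder)"

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED SERVICE" connection-state=established,related in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST in-interface=WAN.INTERFACE
add action=accept chain=input comment="ACCEPT PING" protocol=icmp in-interface=WAN.INTERFACE
# 3d = three days; the entry is dynamic and drops out of the list by itself
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=3d chain=input comment="BLACKLISTING TCP (3 DAYS)" in-interface=WAN.INTERFACE protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=honeypot-blacklist address-list-timeout=3d chain=input comment="BLACKLISTING UDP (3 DAYS)" in-interface=WAN.INTERFACE protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=WAN.INTERFACE src-address-list=honeypot-blacklist
add action=drop chain=input comment="DROP ALL (SHOULD NOT FILL UP)" in-interface=WAN.INTERFACE log=yes log-prefix=non-bl-dropped-traffic

# Checks: who is currently blacklisted and how long each entry has left,
# how often each rule has matched, and what reached the final catch-all drop
/ip firewall address-list print where list=honeypot-blacklist
/ip firewall filter print stats where chain=input
/log print where message~"non-bl-dropped-traffic"
```

If the last check ever shows traffic, something reached the catch-all rule without being blacklisted first, which is the condition the post's "SHOULD NOT FILL UP" comment is there to catch.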

Starting my blacklist journey


Recently, with a lot of the “news” about MikroTik being that version X.XX has been compromised and then so has X.XX, I started looking a lot closer at security and what I can do to protect my own router and those that I manage.

The easiest answer, primarily, is don’t allow external access and make sure your firewall is impervious. But what about actual protection from these sources even before they get near your Winbox interface, and what about extending that to protect client devices as well?

From reading through the MikroTik community I came across a thread by a guy called Dave who is offering brilliant blacklist capabilities for very cheap (when it comes to market) if you don’t mind running his script on your router (forum thread here). It consists of running his script on a scheduled basis and creating firewall rules to block the traffic from the created list as both input & forward, source & destination, and combinations thereof.

Dave’s list is brilliant: it takes from known sources of malicious software as well as his own network of honeypot servers, so it actively catches people trying to get at his servers. Another advantage is that it does not take up much room in an exported RSC file, as the script fetches a dynamic file which is imported and then deleted, keeping your export size low.

In addition to this I wanted my own form of very basic protection from specific geolocations; to do this I found a site called mikrotikconfig.com.

There is an option there to generate an address list from selected countries. I simply chose the countries I don’t want having access, edited the file to use “myblocklist” instead of “countryip” and then created firewall rules to drop those as well. The downside to doing this is that all of the subnets are statically set, so it will vastly increase your exported RSC size, but for mid to higher range devices this shouldn’t be an issue.
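The drop rules for the renamed country list, as an added example that is neither the post's own rules nor output from mikrotikconfig.com: the 203.0.113.0/24 entry is a constructed placeholder standing in for the generated subnets, WAN.INTERFACE is the interface name used earlier on this page, and the rules cover input and forward in both directions so client devices behind the router are protected too.

```routeros
# Added example: one placeholder entry in the renamed list, then the drop rules.
# The generated file would contain many "add address=... list=myblocklist" lines.
/ip firewall address-list
add address=203.0.113.0/24 list=myblocklist comment="placeholder, replace with generated subnets"

/ip firewall filter
# Traffic to the router itself from a blocked range
add action=drop chain=input comment="DROP myblocklist SRC (INPUT)" in-interface=WAN.INTERFACE src-address-list=myblocklist
# Traffic through the router: inbound from, and outbound to, a blocked range
add action=drop chain=forward comment="DROP myblocklist SRC (FORWARD)" src-address-list=myblocklist
add action=drop chain=forward comment="DROP myblocklist DST (FORWARD)" dst-address-list=myblocklist

# Rules are evaluated top to bottom, so move the input drop above any
# accept rule for a service you publish; position 0 is the top of the chain
/ip firewall filter move [find comment="DROP myblocklist SRC (INPUT)"] 0

# Checks: the list was imported under the new name, and the rules are matching
/ip firewall address-list print count-only where list=myblocklist
/ip firewall filter print stats where comment~"myblocklist"
```

Because these rules sit above the established/related accept, every packet through the forward chain is matched against the whole list, which is the CPU cost that comes with the larger static list the paragraph describes.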

More to come as I develop and increase my blacklisting capabilities.


Securing RouterOS written guide is now Live!

This is probably one of the most important (and overlooked) aspects of using an internet-capable router. Security of your device is paramount and you should always do everything you can to protect it. I’ve got both a written and a video tutorial to try and help you achieve a solid security solution, so you can be safe in the knowledge that your router is unreachable from unauthorised sources.

MikroTik Bandwidth Test Removed!

MikroTik have recently removed this excellent little tool from their website. Whilst it is not known in the MikroTik community as being a “good” speed testing tool, it has certainly helped me out a few times testing bandwidth to one of a few co-hosted RouterOS devices and getting a good reading on the ISP-delivered speeds.

This is in part due to MikroTik now pushing the Traffic Generator as the new testing tool, and whilst I really do hope they don’t drop the BTest server capability in future versions, I do ultimately see it coming.

So, whilst the tool has been removed from the website and isn’t even being kept in the archives, I did manage to rescue a copy from my laptop and am happily hosting it on my site should there ever be a need for it.

You can download a copy of the last version of the tester from within my website here.


CHR completed! But not how I hoped it would be

My long-running build of a 1U ESXi server to run CHR on has come to an end, a frustrating end, as I simply couldn’t live with the noise it was kicking out because of the 40mm fans, and I kept comparing it to my massively overpowered i7 mATX fileserver.

As a fairly large change to the home setup I decided to pull apart about three of my home servers, rebuild the main storage into the spare N54L and then rebuild the “Node” into an ESXi server to host the CHR. With a quad-port NIC in the Node and a quick install onto the Crucial M4 128GB it was up and running; I installed the CHR and it’s moving along really well, actually turning over about double the traffic capability of what the “older” Xeon was doing!

So a really big shuffle around, but now I feel like I’m actually starting to do my i7 some justice and not just using it as a ridiculously overpowered, power-hungry file server.

Whilst doing the work I had the dog in the cave with me (not that she was much help)

More CHR router updates

My iDrac kit has arrived, and a lot faster than I thought it would. I’ve got it installed and I’m ready to battle with it and learn how to get into it and access the iDrac interface.

Now to get it powered up and updated to the latest firmware. I’ve also been looking at OSes for routers, and OPNsense has come onto my radar; I may be tempted to spin up one of each on ESXi so I can switch between the two.

CHR build pushes forwards again

The RB3011 is starting to aggravate me with its high CPU usage under VPN and the ports flapping; a major network change-around is due, I think, and I’m hoping the CHR is going to be the start of it.

iDrac Express and Enterprise have been ordered to try and rein in some of the fan noise further.

Today I’ve managed to get the CPU re-pasted, as the old stuff was just genuinely crusty, and also managed to strip out a load of unneeded bulk in the case.

Before:

After:

The CHR is fully installed and so far I’ve managed to push a very strong 7Gb through it in internal testing, so I’m relatively confident it will handle my 100/50 connection even when I do start using VPN.

What’s happening? 04/03/2018

I’ve pumped out a fair amount of tutorials recently and then had a bit of a hard stop. The work is carrying on in the background. I have loads of plans for more tutorials, primarily based on MikroTik, but there will be some Ubiquiti elements thrown in.

Project home router is at an odd point: I’ve re-ignited it but not done any further work on it. I’m currently waiting for a full iDrac setup to come through from China to see if I can quieten it down, and I’m also waiting for the opportunity to re-paste the CPU to make sure I’m getting the best possible thermal setup out of it. I’m still undecided what to do with it; I have a quad-port NIC but in reality I wish it was an SFP card, and I can’t run both. Either way it can’t be any worse (apart from noise) than the RB3011, which is dropping ports and seeing a lot of hard CPU usage under load.

I’ve also had to reinstall my trusty laptop. Ubuntu was aggravating me and some apps just weren’t what I wanted, so I have reinstalled Windows 10 and have spent a few days getting it set up exactly how I want it. Some new additions to my Windows portfolio include Notepad++, which I’d never used until now but is absolutely awesome, especially when combined with a user-defined RouterOS language, and the biggest surprise was the Bash on Windows functionality that W10 offers: simply put, it’s brilliant, and now I genuinely have no drawbacks to moving back to Windows. I may drop a few posts about that in the future, as simple stuff like SSH tunnelling is now so much easier from the Windows desktop.

As time has been short I’ve not managed to put a lot up on YouTube, however I have had a couple of gaming sessions which I’ve streamed to Twitch. I’ve been playing with some frames and scrolling text and I think I’m about there with those now. I’ve also only just discovered StreamLabs, which I have set up but am still waiting to sit down and learn intimately and get set up to the standard I want.

Having a great time with my tech at the moment; I never seem to have enough time to do what I want, and I’m eagerly awaiting the launch of the new Ryzen+ or Ryzen 2 kit in a couple of weeks’ time as I’m definitely upgrading. 4GHz seems to be the way to go!