Starting my blacklist journey

 

Recently, a lot of the “news” about MikroTik has been that version X.XX has been compromised, and then so has X.XX. It got me looking a lot closer at security and what I can do to protect my own router and those that I manage.

The easiest answer is primarily: don’t allow external access and make sure your firewall is impervious. But what about actual protection from these sources before they even get near your Winbox interface, and what about enhancing that to protect client devices as well?

From reading through the MikroTik community I came across a thread by a guy called Dave who is offering brilliant blacklist capabilities for very cheap (when it comes to market) if you don’t mind running his script on your router (forum thread here). This consists of running his script on a scheduled basis and creating a firewall rule to block the traffic from the created list as both input & forward, source & destination, with combinations thereof.

Dave’s list is brilliant: it takes from known sources of malicious software as well as his own network of honeypot servers, so it will actively catch people trying to get at his servers. An advantage of this is that it also does not take up much room in an exported RSC file, as the script fetches a dynamic file which is imported and then deleted, keeping your file size low.

In addition to this I wanted my own form of very basic protection from specific geolocations; to do this I have found a site called mikrotikconfig.com.

There is an option here to generate an address list from selected countries. I simply chose the countries I don’t want to have access, edited the file to use “myblocklist” instead of “countryip” and then created firewall rules to drop those also. The downside to doing this is that all of the subnets are statically set, so it will vastly increase your export RSC size, but for mid to higher range devices this shouldn’t be an issue.
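The file edit described above can be scripted so that the generated list is checked before it ever reaches the router. This is an added example, not code from the site or from the original post; it also goes one step further than the post by merging adjacent subnets to reduce the export size. Assumptions: the generated file consists of `add address=... list=countryip` lines under an `/ip firewall address-list` header, the function name `rebuild_rsc` is hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import re

# Assumed shape of each generated entry: "add address=<ip or cidr> list=<name>"
ENTRY = re.compile(r"^add\s+address=(\S+)\s+list=(\S+)\s*$")
HEADER = "/ip firewall address-list"

# Constructed sample input (documentation ranges, not real country data)
SAMPLE = """\
# generated list (constructed sample)
/ip firewall address-list
add address=203.0.113.0/24 list=countryip
add address=192.0.2.0/25 list=countryip
add address=192.0.2.128/25 list=countryip
add address=198.51.100.0/24 list=countryip
"""


def rebuild_rsc(text, old_list="countryip", new_list="myblocklist"):
    """Return a clean .rsc string that contains only address-list entries.

    Raises ValueError on any line that is not the header, a comment or an
    address-list entry for old_list, so no other command is ever imported.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == HEADER:
            continue
        match = ENTRY.match(line)
        if not match or match.group(2) != old_list:
            raise ValueError(f"line {lineno}: unexpected content: {line!r}")
        # strict=True rejects entries with host bits set (e.g. 192.0.2.1/24)
        networks.append(ipaddress.IPv4Network(match.group(1), strict=True))
    # Merge adjacent and overlapping subnets to shrink the static list
    merged = ipaddress.collapse_addresses(networks)
    lines = [HEADER] + [f"add address={net} list={new_list}" for net in merged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rebuild_rsc(SAMPLE), end="")
```

The output can be saved as a new `.rsc` file and imported in place of the downloaded one; the firewall drop rules then reference `myblocklist` as described in the post.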

More to come as I develop and increase my blacklisting capabilities.

 

Securing RouterOS written guide is now Live!

This is probably one of the most important (and overlooked) aspects of using an internet capable router. Security of your device is paramount and you should always do everything you can to protect it. I’ve got both a written and video tutorial to try and help you achieve a solid security solution so you can be safe in the knowledge that your router is unreachable from unauthorised sources.

MikroTik Bandwidth Test Removed!

MikroTik have recently removed this excellent little tool from their website. Whilst it is not known in the MikroTik community as being a “good” speed testing tool, it certainly has helped me out a few times testing bandwidth to one of a few co-hosted RouterOS devices and getting a good reading on the ISP delivered speeds.

This is in part due to MikroTik now pushing the Traffic Generator as the new testing tool and whilst I really do hope they don’t drop the BTest server capability in future versions, I do ultimately see it coming.

So, whilst the tool has been removed from the website and it’s not even being kept in the archives, I did manage to rescue a copy from my laptop and am happily hosting on my site should there ever be a need for it.

You can download a copy of the last version of the tester from within my website here.

 

CHR completed! But not how I hoped it would be

My long ongoing build of a 1U ESXi server to run CHR on has come to an end, a frustrating end that meant I simply couldn’t live with the noise it was kicking out because of the 40mm fans and constantly comparing it to my massively overpowered i7 mATX fileserver.

As a fairly large change to the home setup I decided to pull apart about 3 of my home servers and rebuild the main storage into the spare N54L and then rebuild the “Node” into an ESXi server to host the CHR. Quad port NIC in the Node and a quick install onto the Crucial M4 128GB and it was up and running, installed the CHR and it’s moving along really well and actually turning about double the traffic capability of what the “older” Xeon was doing!

So a really big shuffle around but now I feel like I’m actually starting to do my i7 some justice and not just using it for a ridiculously overpowered power hungry file server.

Whilst doing the work I had the dog in the cave with me (not that she was much help)

More CHR router updates

My iDRAC kit has arrived, and a lot faster than I thought it would. I’ve got it installed and I’m ready to battle with it and try to learn how to get into it and access the iDRAC interface.

Now to get it powered up and updated to the latest firmware. Also I’ve been looking at OSes for routers and OPNsense has come onto my radar; I may be tempted to spin up one of each on ESXi so I can switch between the two.