Collating Kevin

Learn from my mistakes. Build it better.

Securing Mikrotik Routers: IP Blocklists

If you’re only interested in the blocklist itself, skip ahead to the Mikrotik Blocklist Script section below.

Mikrotik

Mikrotik is a manufacturer of low-cost, full-featured routers and networking equipment. Mikrotik routers run RouterOS, a customized Linux distribution that uses iptables for filtering, shaping, and routing traffic, so the interface will be familiar to any seasoned Linux veteran.

Securing the Network

Unfortunately, because RouterOS uses iptables under the hood, it lacks a good number of the features found in modern next-generation firewalls (NGFW). There are a number of solutions that provide differing levels of security to networks behind Mikrotik routers, and I recommend running them in tandem with a modern NGFW. This article’s purpose is to help provide a solid foundation of defense by implementing an IP blocklist, which takes some of the burden off a downstream firewall as well as providing a decent level of security on its own.

This article is going to be a rudimentary overview of filtering on Mikrotik devices.

Firewall Filtering

At its core, a firewall makes decisions based on a list of entries in a rule table and either allows, denies, or performs further processing on a packet or connection. By default, RouterOS allows all packets to traverse any interface without further processing. As one might imagine, this is extremely insecure, especially if the device is connected to the internet.

I suggest that everyone read the official documentation on securing their Mikrotik device, found on the official documentation site. These instructions are written for RouterOS version 7, but will work just fine on devices running the older version 6.

Once the firewall is set up with a basic configuration, we can start blocking bad actors.

A Hosted Solution

I’ve worked to compile a blocklist for the majority of bad actors utilizing various sources including:

  • Spamhaus
  • badpeers
  • webexploit

This list is automatically recompiled with updated data every 24 hours, and each entry is set to expire after 29.

IMPORTANT: Please review the contents of the below script before running it on your router. I am not liable for any damages or interruptions in service that may be caused. Also note that this is a large list that can grow to over 80,000 entries; I suggest only using it on routers with more than 128M of free RAM.

Mikrotik Blocklist Script

You can download the script to your router directly using the command

/tool fetch url=\
"https://kevinolynyk.com/files/scripts/mikrotik/mikrotik-blocklist-generated.rsc" \
output=file \
dst-path=blocklist.rsc

Setting up Blocking

Setting up blocking once we have a blocklist is trivial. Once you have reviewed the script for safety, execute the following command to import the blocklist: /import blocklist.rsc

The imported list is named x-bad-networks, and you can use it however you like. For instance, we can add a simple raw rule to drop all inbound traffic from those networks arriving on the WAN interface (ether5 in this case). Because the raw table is processed before connection tracking, this is a cheap place to discard such traffic.

/ip firewall raw/ add src-address-list=x-bad-networks in-interface=ether5\
  action=drop comment="Drop suspected bad network traffic"

Automating the Process

It’s possible to automate the above process with a script and a scheduler. Create the script that removes and re-adds the list with the command:

/system script/ add dont-require-permissions=no name=download-blocklist owner=admin policy=\
    ftp,read,write,policy,test,sensitive source=\
    "/ip firewall address-list/ remove [find where list=x-bad-networks]\r\
    \n/tool fetch url=\"https://kevinolynyk.com/files/scripts/mikrotik/mikrotik-blocklist-generated.rsc\" output=file dst-path=blocklist.rsc\r\
    \n/import blocklist.rsc"

Or in Winbox with:

/ip firewall address-list/ remove [find where list=x-bad-networks]
/tool fetch url="https://kevinolynyk.com/files/scripts/mikrotik/mikrotik-blocklist-generated.rsc" \
    output=file dst-path=blocklist.rsc
/import blocklist.rsc

The script can then be scheduled with the following (which runs it daily at 21:00, local time). The scheduler’s policy must include at least the policies the script itself was created with; the long list below is the RouterOS default for a scheduler entry:

/system scheduler/ add interval=1d name=update-blocklists on-event=\
    "/system script/ run download-blocklist" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-04-04 start-time=21:00:00

You will now have a firewall set up with basic protection against bots, spam, and malware.

Modifying the List

We can perform some modifications to the blocklist to fit different use cases.

For instance, if we want to change the timeout, we can issue the following command: /ip firewall address-list/ set timeout=1h [find where list=x-bad-networks]

This will update the timeout value on the list so that entries expire in 1 hour instead of the default 29. Note that the scheduled script above removes the list and re-imports it from the downloaded file, so a timeout set this way is lost on the next run unless it is reapplied after each import.
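The review-before-import advice earlier in this article and the timeout change just described can both be done off the router, on a workstation, before the reviewed file is copied over. The following Python script is an added example and is not part of the original post or the author's blocklist tooling. It assumes, as a working hypothesis (the generated file's exact layout is not shown here), that the .rsc consists of an `/ip firewall address-list` menu line followed by `add address=... list=x-bad-networks timeout=...` lines, and it runs against a constructed sample rather than the real file. `review_rsc` flags anything that is not an address-list entry, entries for a list other than x-bad-networks, unparsable or overly broad prefixes, and entries that overlap networks you nominate as protected (your own WAN or management ranges), which is the lockout case a reviewer most wants to catch. `rewrite_timeout` then sets a new timeout on every entry in the file itself, so the change survives re-imports.

```python
"""Offline review of a RouterOS address-list .rsc before /import.

Added example, not the original post's code. The entry layout is an
assumption about the generated file; the sample text is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Constructed sample in the assumed export layout (not the real generated list).
SAMPLE_RSC = """\
# constructed sample blocklist
/ip firewall address-list
add address=203.0.113.0/24 list=x-bad-networks timeout=29h
add address=198.51.100.7 list=x-bad-networks timeout=29h
add address=0.0.0.0/0 list=x-bad-networks timeout=29h
add address=192.0.2.0/24 list=x-bad-networks timeout=29h
add address=10.0.0.0/8 list=x-bad-networks timeout=29h
add address=not-an-ip list=x-bad-networks timeout=29h
add address=192.0.2.99 list=other-list timeout=29h
/ip firewall filter
add chain=input action=drop
"""

EXPECTED_MENU = "/ip firewall address-list"
EXPECTED_LIST = "x-bad-networks"
MIN_PREFIXLEN = 8  # assumption: anything broader than a /8 deserves a human look

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
TIMEOUT_RE = re.compile(r"\btimeout=\S+")


@dataclass
class Report:
    entries: int = 0  # clean address-list entries
    problems: List[Tuple[int, str]] = field(default_factory=list)  # (line no, reason)

    @property
    def safe_to_import(self) -> bool:
        return not self.problems


def parse_kv(text: str) -> dict:
    """Turn 'key=value key2="quoted value"' into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def review_rsc(text: str, protected: Iterable[str] = ()) -> Report:
    """Check every line; 'protected' lists networks that must never be blocked."""
    protected_nets = [ipaddress.ip_network(p, strict=False) for p in protected]
    report = Report()
    menu = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("/"):
            menu = line  # a bare path selects the menu for the lines that follow
            if menu != EXPECTED_MENU:
                report.problems.append((lineno, f"unexpected menu {menu!r}"))
            continue
        if not line.startswith("add ") or menu != EXPECTED_MENU:
            report.problems.append((lineno, f"not an address-list entry: {line!r}"))
            continue
        kv = parse_kv(line[4:])
        if kv.get("list") != EXPECTED_LIST:
            report.problems.append((lineno, f"entry for wrong list {kv.get('list')!r}"))
            continue
        try:
            net = ipaddress.ip_network(kv.get("address", ""), strict=False)
        except ValueError:
            report.problems.append((lineno, f"unparsable address {kv.get('address')!r}"))
            continue
        if net.version != 4:
            report.problems.append((lineno, f"non-IPv4 entry {net}"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            report.problems.append((lineno, f"prefix {net} is too broad"))
            continue
        hit = next((p for p in protected_nets if net.overlaps(p)), None)
        if hit is not None:
            report.problems.append((lineno, f"{net} would block protected {hit}"))
            continue
        report.entries += 1
    return report


def rewrite_timeout(text: str, new_timeout: str) -> str:
    """Set timeout=new_timeout on every list entry so the change survives re-imports."""
    out = []
    for line in text.splitlines():
        if line.startswith("add ") and "list=" in line:
            if TIMEOUT_RE.search(line):
                line = TIMEOUT_RE.sub(f"timeout={new_timeout}", line)
            else:
                line = f"{line} timeout={new_timeout}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed: pretend 10.0.0.0/24 is our own management network.
    rep = review_rsc(SAMPLE_RSC, protected=["10.0.0.0/24"])
    print(f"{rep.entries} clean entries, safe_to_import={rep.safe_to_import}")
    for lineno, reason in rep.problems:
        print(f"  line {lineno}: {reason}")
```

Run it against the real downloaded file by reading it into `review_rsc` in place of the sample, passing your own WAN and management prefixes as `protected`; only copy the file to the router when `safe_to_import` is true, and feed the output of `rewrite_timeout` to `/import` if you want a timeout other than the one shipped in the list.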

Wrapping Things Up

Hopefully you now have a basic understanding of IP blocklists and can use them to defend against attacks. Next in this series, we will cover setting up the same style of list for IPv6.