Protecting your network is very important, and the best place to do this is on your perimeter device. Blocking bad traffic before it gets into your network is not only safer, but it also means your servers are not wasting resources on unnecessary traffic. A good example of this is blocking known spammers before a connection is ever made to your mail server.
This solution is not intended to completely replace your other filters and security measures, but it will help drop a majority of bad traffic.
This script makes use of the new parameter "output=user" recently made available in RouterOS:
– the script does not need third-party servers, since the address lists are downloaded directly from the source and processed on the router itself;
– the script does NOT save the downloaded files to disk (thereby preventing premature wear and failure of the flash storage);
– the script can be adapted to download and process any number of address lists of a similar format (the maximum file size is 63 KiB (64512 bytes), which is better than 4 KiB).
At the moment the script can download and update the following lists:
– DShield
– Spamhaus DROP
– Spamhaus EDROP
– Bambenek High-Confidence C2
– Abuse.ch SSLBL
– MalC0de
– Tor Exit Nodes
It can be modified to add more lists that use the same format as the lists above.
To make use of the script, create a new script/schedule and copy the text below:
/ip firewall address-list
# $update fetches one feed into memory (output=user), removes the entries it
# previously added for that feed (matched by comment) and re-adds the current
# ones with a 1-day timeout, so stale entries expire on their own. The fetch
# happens before the remove, so a failed download leaves the old entries in
# place and only logs a warning. Feed lines that do not start with a dotted
# IPv4 address (comments, headers) are skipped; the address is everything
# before the feed-specific $delimiter, and $cidr (e.g. /24) is appended when
# given. Duplicate adds raise an error that is deliberately ignored.
:local update do={
  :do {
    :local data ([:tool fetch url=$url output=user as-value]->"data")
    remove [find list=blacklist comment=$description]
    :while ([:len $data]!=0) do={
      :if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={
        :do {add list=blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) comment=$description timeout=1d} on-error={}
      }
      :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
    }
  } on-error={:log warning "Address list <$description> update failed"}
}
# delimiter is the character that follows the address on each feed line:
# \t = tab, \_ = space, \2C = comma (hex escape), \r = CR (CRLF feeds), \n = newline
$update url=http://feeds.dshield.org/block.txt description=DShield delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="Spamhaus DROP" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="Spamhaus EDROP" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt description="Bambenek High-Confidence C2" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="Abuse.ch SSLBL" delimiter=("\r")
$update url=http://malc0de.com/bl/IP_Blacklist.txt description="Malc0de" delimiter=("\n")
$update url=https://check.torproject.org/torbulkexitlist description="TorExitNode" delimiter=("\n")
Required policy: read, write, test.
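The script above only fills the "blacklist" address list; it does not itself block anything. The following is an added example (not part of the original post or of Shumkov's forum script) showing how a practitioner would wire it into a RouterOS firewall: a scheduler entry that re-runs the updater before the 1-day timeouts expire, raw-table drop rules that use the list, and a few print commands to verify the result. It assumes the script was saved as a system script named "blacklist-update" and that the Internet-facing interface is a member of the interface list "WAN"; both names are assumptions, adjust them to your router.

```routeros
# Added example, not from the original post. Assumes the updater script is
# saved under the (hypothetical) name "blacklist-update" and that the
# Internet-facing interface is in the (hypothetical) interface list "WAN".

# 1. Re-run the updater twice a day. Entries are added with timeout=1d, so an
#    interval shorter than one day keeps the list populated even when a single
#    fetch fails (the script keeps the old entries in that case).
/system scheduler
add name=blacklist-update interval=12h start-time=startup \
    on-event="/system script run blacklist-update" policy=read,write,test

# 2. Drop inbound packets from listed sources in the raw table, i.e. before
#    connection tracking, so each dropped packet costs as little as possible.
#    Matching only WAN ingress limits the damage if a feed ever contains a
#    private or otherwise legitimate range.
/ip firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=blacklist \
    action=drop comment="drop inbound from blacklisted sources"

# 3. Also drop, and log, traffic from inside the network towards listed
#    addresses. For the C2 feeds a hit here is a detection signal: an internal
#    host is trying to reach a known command-and-control address.
add chain=prerouting dst-address-list=blacklist action=drop \
    log=yes log-prefix="blacklist-out" \
    comment="drop outbound to blacklisted destinations"

# 4. Verify after the first scheduled run.
/ip firewall address-list print count-only where list=blacklist
/ip firewall address-list print where list=blacklist comment="Spamhaus DROP"
/log print where message~"Address list"
/log print where message~"blacklist-out"
```

Two points worth keeping in mind: the rules are only as trustworthy as the feeds, and several of the URLs in the script are fetched over plain HTTP, so restricting the inbound rule to WAN ingress is a cheap way to contain a bad or tampered feed; and because the raw rules sit before the filter chains, any exception for a host you must still reach has to be placed above them in the raw table, not in /ip firewall filter.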
I would like to credit Shumkov on the Mikrotik Forums for this script (https://forum.mikrotik.com/viewtopic.php?t=152632#)