networking:router:mikrotik_blocklist

networking:router:mikrotik_blocklist [2017/11/30 09:35]
gcooper
networking:router:mikrotik_blocklist [2024/02/24 14:44] (current)
gcooper
Line 1: Line 1:
 ====== Mikrotik Block Lists ====== ====== Mikrotik Block Lists ======
 +
 +FIXME **New Method**: https://forum.mikrotik.com/viewtopic.php?f=9&t=152632&p=758435
 +
 +**Another way to block ads**: https://stopad.hook.sh/
 +
 +**Block by Country**: https://mikrotikconfig.com/firewall/
  
 ===== Sources ===== ===== Sources =====
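Review bot: the FIXME **New Method** link is added without saying what the new method is or whether it supersedes the blocklists4mt.sh plus scheduler workflow documented below; a one-line summary beside the link, and a statement of whether the rest of the page is still current, would save readers a trip to the forum thread. The stopad and block-by-country links are a different topic (ad blocking and geo-blocking) from the attacker blocklists this page covers, so they would sit better under a "See also" line than in the header.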
Line 23: Line 29:
   * The **DShield list** is small, but up to date.   * The **DShield list** is small, but up to date.
   * The **Spamhaus list** is also fairly small and up to date.   * The **Spamhaus list** is also fairly small and up to date.
-  * The **OpenBL default list** (linked to ''base_90days''is quite long and will cause the router's web interface to misbehave if you select the Address List page (this does not happen in Winbox).  A better choice for router use might be the ''base_30days'' list.+  * The **BDE All list** is quite long and will cause the router'**web** interface (not Winbox) to misbehave when viewing lists. 
 +  * The **BDE list** is made up of the most recent attackers and the size of the list can be adjusted by changing the number for 'time' (max is about 18 hours).  A better choice for a low end router might be the ''last hour'' list rather than the ''last four hours'' list (14400 seconds). 
 +    * https://api.blocklist.de/getlast.php?time=3600
   * The **VoIPBL list** is also quite long (over 12,000 entries) and will cause the router's web interface to misbehave even more.  **If implementing this list, use Winbox to access the Address List page**.   * The **VoIPBL list** is also quite long (over 12,000 entries) and will cause the router's web interface to misbehave even more.  **If implementing this list, use Winbox to access the Address List page**.
   * The **Combined list** is the longest list because it contains unique entries from all the four previous lists.  **Use Winbox**.   * The **Combined list** is the longest list because it contains unique entries from all the four previous lists.  **Use Winbox**.
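Review bot: the Combined list bullet still says it contains unique entries from "all the four previous lists", but the combine line left active in blocklists4mt.sh in this revision concatenates only dshield.rsc, voipbl.rsc and spamhaus.rsc, with the BDE variants commented out, so the description is stale; either name the three lists that actually feed combined.rsc or reinstate the four-list variant. Minor: the BDE All bullet reads "router'**web** interface" and is missing the possessive (router's **web** interface).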
Line 33: Line 41:
 === blocklists4mt.sh === === blocklists4mt.sh ===
  
-:!: We use a **7-day timeout** in an attempt at minimizing flash (NAND) writes.+:!: We use a **dynamic address-list with a 7-day timeout** in an attempt at eliminating cruft and minimizing flash (NAND) writes.
  
-:!: We use a very crude mechanism to **limit the size of the combined list**.  You can adjust the number of characters considered in sorting using the ''uniq -w'' argument.+:!: We use a very crude mechanism to **limit the size of the combined list**.  You can **carefully** adjust the number of characters considered in sorting using the ''uniq -w 36'' argument in the last line.  This can also eliminate errors running the script due to duplicate or overlapping entries.
  
 <file> <file>
 #!/bin/sh #!/bin/sh
-saveTo=/home/sonoracomm/public_html/blocklists+saveTo=/home/virtualarchitects/public_html/blocklists
 now=$(date); now=$(date);
  
 echo "# Generated by blocklists4mt.sh on $now" > $saveTo/dshield.rsc echo "# Generated by blocklists4mt.sh on $now" > $saveTo/dshield.rsc
 echo "/ip firewall address-list" >> $saveTo/dshield.rsc echo "/ip firewall address-list" >> $saveTo/dshield.rsc
-wget -q -O - http://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "add list=blocklist address=" $1 "/24 timeout=1d comment=DShield";}' >> $saveTo/dshield.rsc+wget -q -O - https://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "add list=blocklist address=" $1 "/24 timeout=7d comment=DShield";}' >> $saveTo/dshield.rsc
  
 echo "# Generated by blocklists4mt.sh on $now" > $saveTo/spamhaus.rsc echo "# Generated by blocklists4mt.sh on $now" > $saveTo/spamhaus.rsc
 echo "/ip firewall address-list" >> $saveTo/spamhaus.rsc echo "/ip firewall address-list" >> $saveTo/spamhaus.rsc
-wget -q -O - http://www.spamhaus.org/drop/drop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=1d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc +wget -q -O - https://www.spamhaus.org/drop/drop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=7d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc 
-wget -q -O - http://www.spamhaus.org/drop/edrop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=1d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc+wget -q -O - http://www.spamhaus.org/drop/edrop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=7d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc
  
-echo "# Generated by blocklists4mt.sh on $now" > $saveTo/openbl.rsc +echo "# Generated by blocklists4mt.sh on $now" > $saveTo/bde.rsc 
-echo "/ip firewall address-list" >> $saveTo/openbl.rsc +echo "/ip firewall address-list" >> $saveTo/bde.rsc 
-wget -q -O - http://www.openbl.org/lists/base_30days.txt.gz | gunzip | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=1d comment=OpenBL";}' >> $saveTo/openbl.rsc+wget -q -O - https://api.blocklist.de/getlast.php?time=14400 | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=7d comment=BDE";}' >> $saveTo/bde.rsc
  
 echo "# Generated by blocklists4mt.sh on $now" > $saveTo/voipbl.rsc echo "# Generated by blocklists4mt.sh on $now" > $saveTo/voipbl.rsc
 echo "/ip firewall address-list" >> $saveTo/voipbl.rsc echo "/ip firewall address-list" >> $saveTo/voipbl.rsc
-wget -q -O - http://www.voipbl.org/update/ | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=1d comment=VoIPBL";}' >> $saveTo/voipbl.rsc+wget -q -O - https://voipbl.org/update/ | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=7d comment=VoIPBL";}' >> $saveTo/voipbl.rsc 
 + 
 +# dshield, bde, spamhaus and voipbl lists 
 + 
 +#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc 
 +#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc 
 +#echo "# DShield, SpamHaus, BDE and VoIPBL blocklists." >> $saveTo/combined.rsc 
 +#echo "/ip firewall address-list" >> $saveTo/combined.rsc 
 +#cat $saveTo/dshield.rsc $saveTo/bde.rsc $saveTo/spamhaus.rsc $saveTo/voipbl.rsc |sort |grep -v '^$\|^\s*\#|^\/' |uniq -w 38 >> $saveTo/combined.rsc 
 + 
 +# dshield, bde and spamhaus lists 
 + 
 +#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc 
 +#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc 
 +#echo "# DShield, SpamHaus and BDE blocklists." >> $saveTo/combined.rsc 
 +#echo "/ip firewall address-list" >> $saveTo/combined.rsc 
 +#cat $saveTo/dshield.rsc $saveTo/bde.rsc $saveTo/spamhaus.rsc |sort |grep -v '^$\|^\s*\#|^\/' |uniq -w 39 >> $saveTo/combined.rsc 
 + 
 +# dshield, voipbl and spamhaus lists
  
 echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
 echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
-echo "# DShield, SpamHaus, OpenBL and VoIPBL blocklists." >> $saveTo/combined.rsc+echo "# DShield, SpamHaus and VoIPBL blocklists." >> $saveTo/combined.rsc
 echo "/ip firewall address-list" >> $saveTo/combined.rsc echo "/ip firewall address-list" >> $saveTo/combined.rsc
-cat $saveTo/dshield.rsc $saveTo/openbl.rsc $saveTo/spamhaus.rsc $saveTo/voipbl.rsc |sort |grep -v '^$\|^\s*\#|^\/' |uniq -w 36 >> $saveTo/combined.rsc +cat $saveTo/dshield.rsc $saveTo/voipbl.rsc $saveTo/spamhaus.rsc |sort |grep -v '^$\|^\s*\#|^\/' |uniq -w 36 >> $saveTo/combined.rsc
-</file>+
  
-==== Run the Script Daily ====+# dshield and spamhaus lists
  
-Here is one way to configure ''cron'' to run the script every day+#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc 
- +#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc 
-<file> +#echo "# DShield and SpamHaus blocklists." >> $saveTo/combined.rsc 
-chown root.root blocklists4mt.sh +#echo "/ip firewall address-list" >> $saveTo/combined.rsc 
-chmod +x blocklists4mt.sh +#cat $saveTo/dshield.rsc $saveTo/spamhaus.rsc |sort |grep -v '^$\|^\s*\#|^\/' |uniq -w 39 >> $saveTo/combined.rsc
-cp -a blocklists4mt.sh /etc/cron.daily/+
 </file> </file>
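Review bot: the filter on the active combine line, ''grep -v '^$\|^\s*\#|^\/' '', mixes basic-regex alternation (''\|'') with a literal ''|''; in a basic regex the second alternative becomes the literal text ''#|^/'', so the ''# Generated ...'' comment lines and the ''/ip firewall address-list'' lines from the three input files are not dropped and reach combined.rsc (they sort ahead of the ''add'' lines and collapse to one copy each under ''uniq'', so the import still works, but the exclusion is not doing what it reads as). Either escape the second bar, ''grep -v '^$\|^\s*#\|^/' '', or use extended syntax, ''grep -Ev '^$|^\s*#|^/' ''. Two smaller points on the same line: ''uniq -w 36'' compares the fixed 27-character prefix ''add list=blocklist address='' plus only the first 9 characters of the address, so distinct entries that share those 9 characters (for example 203.0.113.5 and 203.0.113.57, constructed examples) are collapsed to whichever sorts first; that is the crude size limit the text describes, but it is worth stating that it drops distinct addresses, not just duplicates. And the sentence above now points at "the ''uniq -w 36'' argument in the last line", while the last line of the file is the commented-out two-list variant with ''uniq -w 39''; the reference should name the active three-list line. Finally, this revision removes the cron instructions for running the script daily, so the page no longer says how often the .rsc files are regenerated; with the router schedulers fetching every 7 days and every entry carrying a 7-day timeout, that cadence needs stating somewhere.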
  
Line 82: Line 106:
 FIXME Bogons?  Should we not include bogons in the blocklist!?  Would the router drop internal traffic with these next rules?  If we specify in-interface as WAN interface, could we include bogons?  We can't specify out-interface in prerouting table. FIXME Bogons?  Should we not include bogons in the blocklist!?  Would the router drop internal traffic with these next rules?  If we specify in-interface as WAN interface, could we include bogons?  We can't specify out-interface in prerouting table.
  
-:!: At the time of this writing, the first three lists combined added **6,181 items** to the ''blocklist'' address-list and plays havoc with a web browser using the Mikrotik web interface when you click on the Address Lists tab.  The list is even longer if you use the OpenBL Default (base_90days) list.+:!: At the time of this writing, the combined list added **34,648 items** to the ''blocklist'' address-list and plays havoc with a web browser using the Mikrotik web interface when you click on the Address Lists tab.  Verify your Mikrotik router has enough memory if you use the combined list.
  
 === DShield === === DShield ===
Line 89: Line 113:
 # Script which will download the DShield drop list as a text file # Script which will download the DShield drop list as a text file
 /system script add name="Download_dshield" source={ /system script add name="Download_dshield" source={
-/tool fetch url="http://sonoracomm.com/blocklists/dshield.rsc" mode=http; +/tool fetch url="http://virtualarchitects.com/blocklists/dshield.rsc" mode=http; 
-:log info "Downloaded dshield.rsc from sonoracomm.com";+:log info "Downloaded dshield.rsc from virtualarchitects.com";
 } }
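Review bot: Download_dshield still fetches with ''mode=http'' (plain HTTP) even though the upstream feeds in blocklists4mt.sh were moved to https in this same revision; the downloaded dshield.rsc is later run through ''/import'', that is, executed as a RouterOS script, so its integrity in transit matters more than it would for a plain data file. If virtualarchitects.com serves TLS, use ''mode=https'' (with ''check-certificate=yes'' on RouterOS versions that support it). The same applies to the Spamhaus, BDE, VoIPBL and combined download scripts below.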
  
Line 100: Line 124:
 } }
 } }
-/import file-name=dshield.rsc; 
 :log info "Remove old DShield list and add new"; :log info "Remove old DShield list and add new";
 +/import file-name=dshield.rsc;
 } }
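Review bot: moving '':log info "Remove old DShield list and add new";'' ahead of ''/import file-name=dshield.rsc;'' means the message is logged before the import runs, so a failed import (missing or truncated file after a failed fetch) leaves a log that reads like success. Log after the import, or wrap it as '':do { /import file-name=dshield.rsc } on-error={ :log error "dshield.rsc import failed" }'' so the failure is visible. The Spamhaus, BDE and VoIPBL replace scripts were reordered the same way and have the same issue.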
  
Line 118: Line 142:
 # Script which will download the Spamhaus drop list as a text file # Script which will download the Spamhaus drop list as a text file
 /system script add name="Download_spamhaus" source={ /system script add name="Download_spamhaus" source={
-/tool fetch url="http://sonoracomm.com/blocklists/spamhaus.rsc" mode=http; +/tool fetch url="http://virtualarchitects.com/blocklists/spamhaus.rsc" mode=http; 
-:log info "Downloaded spamhaus.rsc from sonoracomm.com";+:log info "Downloaded spamhaus.rsc from virtualarchitects.com";
 } }
  
Line 129: Line 153:
 } }
 } }
-/import file-name=spamhaus.rsc; 
 :log info "Remove old Spamhaus and add new"; :log info "Remove old Spamhaus and add new";
 +/import file-name=spamhaus.rsc;
 } }
  
Line 142: Line 166:
 </file> </file>
  
-=== OpenBL ===+=== BDE ===
  
 <file> <file>
-# Script which will download the OpenBl drop list as a text file +# Script which will download the BDE drop list as a text file 
-/system script add name="Download_openbl" source={ +/system script add name="Download_bde" source={ 
-/tool fetch url="http://sonoracomm.com/blocklists/openbl.rsc" mode=http; +/tool fetch url="http://virtualarchitects.com/blocklists/bde.rsc" mode=http; 
-:log info "Downloaded openbl.rsc from sonoracomm.com";+:log info "Downloaded bde.rsc from virtualarchitects.com";
 } }
  
-# Script which will Remove old OpenBL list and add new one +# Script which will Remove old BDE list and add new one 
-/system script add name="Replace_openbl" source={+/system script add name="Replace_bde" source={
 :foreach i in=[/ip firewall address-list find ] do={ :foreach i in=[/ip firewall address-list find ] do={
-:if ( [/ip firewall address-list get $i comment] = "OpenBL" ) do={+:if ( [/ip firewall address-list get $i comment] = "BDE" ) do={
 /ip firewall address-list remove $i /ip firewall address-list remove $i
 } }
 } }
-/import file-name=openbl.rsc; +:log info "Remove old BDE and add new"
-:log info "Remove old OpenBL and add new";+/import file-name=bde.rsc;
 } }
  
-# Schedule the download and application of the openbl list +# Schedule the download and application of the BDE list 
-/system scheduler add comment="Download OpenBL list" interval=7d name="DownloadOpenblList" \ +/system scheduler add comment="Download BDE list" interval=7d name="DownloadBDEList" \ 
-    on-event=Download_openbl start-date=jan/01/1970 start-time=01:25:00 +    on-event=Download_bde start-date=jan/01/1970 start-time=01:25:00 
-/system scheduler add comment="Apply OpenBL List" interval=7d name="ApplyOpenblList" \ +/system scheduler add comment="Apply BDE List" interval=7d name="ApplyBDEList" \ 
-    on-event=Replace_openbl start-date=jan/01/1970 start-time=01:30:00 +    on-event=Replace_bde start-date=jan/01/1970 start-time=01:30:00 
-/system scheduler add comment="Apply OpenBL List After Reboot" name="ApplyOpenblListAfterReboot" \ +/system scheduler add comment="Apply BDE List After Reboot" name="ApplyBDEListAfterReboot" \ 
-    on-event=Replace_openbl start-time=startup+    on-event=Replace_bde start-time=startup
 </file> </file>
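Review bot: the BDE schedulers fetch and apply once a week (''interval=7d''), but bde.rsc is built by blocklists4mt.sh from ''getlast.php?time=14400'', i.e. attackers seen in the last four hours; a four-hour snapshot refreshed weekly and then held for the 7-day timeout covers only whichever four-hour window preceded the weekly run, so either this list should be regenerated and fetched more often than the others or the time window should be widened to match the schedule. Style: the new '':log info "Remove old BDE and add new"'' line is the only one in these scripts without a trailing semicolon.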
  
Line 176: Line 200:
 # Script which will download the VoIPBL drop list as a text file # Script which will download the VoIPBL drop list as a text file
 /system script add name="Download_voipbl" source={ /system script add name="Download_voipbl" source={
-/tool fetch url="http://sonoracomm.com/blocklists/voipbl.rsc" mode=http; +/tool fetch url="http://virtualarchitects.com/blocklists/voipbl.rsc" mode=http; 
-:log info "Downloaded voipbl.rsc from sonoracomm.com";+:log info "Downloaded voipbl.rsc from virtualarchitects.com";
 } }
  
Line 187: Line 211:
 } }
 } }
-/import file-name=voipbl.rsc; 
 :log info "Remove old VoIPBL list and add new"; :log info "Remove old VoIPBL list and add new";
 +/import file-name=voipbl.rsc;
 } }
  
Line 207: Line 231:
 # Script which will download the combined drop list as a .rsc script file # Script which will download the combined drop list as a .rsc script file
 /system script add name="Download_combined" source={ /system script add name="Download_combined" source={
-/tool fetch url="http://sonoracomm.com/blocklists/combined.rsc" mode=http; +/tool fetch url="http://virtualarchitects.com/blocklists/combined.rsc" mode=http; 
-:log info "Downloaded combined.rsc from sonoracomm.com";+:log info "Downloaded combined.rsc from virtualarchitects.com";
 } }
  
Line 220: Line 244:
 /ip firewall address-list remove $i /ip firewall address-list remove $i
 } }
-:if ( [/ip firewall address-list get $i comment] = "OpenBL" ) do={+:if ( [/ip firewall address-list get $i comment] = "BDE" ) do={
 /ip firewall address-list remove $i /ip firewall address-list remove $i
 } }
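Review bot: Replace_combined still removes every address-list entry with comment ''BDE'', but the active combine line in blocklists4mt.sh no longer includes bde.rsc, so combined.rsc never adds BDE entries back; if the standalone BDE schedulers (ApplyBDEList) are also enabled on the same router, the weekly combined replace will silently delete the entries they added. Either drop the BDE branch here or add bde.rsc back into the combined file.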
networking/router/mikrotik_blocklist.1512059704.txt.gz · Last modified: 2017/11/30 09:35 by gcooper