LostUser
just joined
Topic Author
Posts: 7
Joined: Tue Mar 05, 2019 2:16 am

How to add automatic address range from single IP

Mon Sep 30, 2024 3:39 pm

I have a few filter rules that will add the incoming IP to an address list on the first attempt to access a specific port.

After that, it will add that incoming IP to a second address list, then a third address list on the third attempt. On the third attempt it will block that IP address from the third address list.

This works fine but I would like to change this to block that IP address range x.x.x.x/24 at the third stage.

So far I haven't been able to figure out how to do that from the filter rules. Guessing it may take a script to do this, which is fine, but I would like to have a few options to test/investigate and really would like to keep it in the filter rules without a script, if possible.

Any help would be appreciated.

Thanks in advance.
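The three-stage escalation described in the post above, written out as an added example by the editor; it is not LostUser's configuration. It assumes an interface list named WAN (as in the default configuration), that the watched ports are SSH (22) and WinBox (8291), and the list names, timeouts and ports are illustrative.

```routeros
# Added example, not from the thread. Assumptions: an interface list "WAN" exists,
# the protected ports are 22 and 8291, and three "new" connections from one source
# inside the stage windows are what should get it blocked.
/ip firewall filter
# stage 3: a source already on the block list is dropped for the rest of its timeout
add chain=input in-interface-list=WAN src-address-list=blocked_stage3 \
    action=drop comment="stage 3: drop everything from blocked sources"
# the promotion rules are in reverse stage order on purpose: add-src-to-address-list
# does not stop rule processing, so with the natural order the very first SYN would
# land on all three lists in one pass
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new \
    src-address-list=stage2 action=add-src-to-address-list \
    address-list=blocked_stage3 address-list-timeout=1d \
    comment="third new connection inside the window: block for one day"
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new \
    src-address-list=stage1 action=add-src-to-address-list \
    address-list=stage2 address-list-timeout=15m \
    comment="second attempt within 15 minutes"
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new \
    action=add-src-to-address-list address-list=stage1 address-list-timeout=15m \
    comment="first attempt: opens the 15 minute window"
# whatever is meant to reach 22/8291 (a trusted management address list, for
# example) is accepted by rules placed after these; the packet still reaches them
```

The stage lists are keyed on the source address alone, so anything that can forge a source address can put that address through the stages; that is the spoofed-SYN problem pe1chl raises later in the thread, and an exemption list is the usual answer to it.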
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add automatic address range from single IP

Mon Sep 30, 2024 4:01 pm

You cannot do that from filter lists.
It also is not a good idea, in general.
You may inadvertently block legitimate traffic!
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to add automatic address range from single IP

Mon Sep 30, 2024 5:32 pm

This is very easy with scripts. Add the visiting IP to a collection list and set a time-out on those detected IPs of, let's say, 15 minutes on the list.

Then another script regularly goes through the list and takes the first IP in the list. Then it counts how many times that IP, converted to .0/24, is found in that list. If it counts for example three times you can add that .0/24 range to the block-list.

Then remove all IPs in that range and repeat with the next IP in the detected list till you reach the end.

You can keep those blocked ones permanently or let them time-out after a few days.

So you need only one script.

Example script:
## change to address-lists
{
/ip firewall address-list

# define empty arrays: the single addresses, their /24 networks, and the /24s promoted in this run
:local arrayRange [:toarray ""]
:local arrayRange2list [:toarray ""]
:local arrayRange24 [:toarray ""]
:local IPAddress
:local rangeComment ""

# fill the arrays from the detection list (entries in detectedTCP must be single addresses)
:foreach k,b in=[find where list="detectedTCP"] do={
  :set IPAddress [get number=$b value-name=address]
  :set ($arrayRange->$k) $IPAddress
  :set ($arrayRange24->$k) (($IPAddress & 255.255.255.0) . "/24")
}
# highest valid index; counting up to ([:len] - $a) runs past the end of the array
:local lastIndex ([:len $arrayRange24] - 1)

## loop through the /24s in the array till all entries are handled
:foreach a,IP2check in=$arrayRange24 do={
  ## reset the variables used inside the loop
  :local countRange 0
  :set rangeComment ""
  # a /24 promoted earlier in this run gets an impossible count so it is not added twice
  :foreach g in=$arrayRange2list do={ :if ($g = $IP2check) do={ :set countRange 499 } }
  # count the occurrences from the current position to the end
  :for b from=$a to=$lastIndex do={
    :if (($arrayRange24->$b) = $IP2check) do={ :set countRange ($countRange + 1) }
    # three hits promote the /24 to the block list
    :if (($countRange = 3) && (($arrayRange24->$b) = $IP2check)) do={
      :set arrayRange2list ($arrayRange2list, $IP2check)
      # the comment records the single addresses that caused the block
      :foreach r in=$arrayRange do={ :if ($r in $IP2check) do={ :set rangeComment ($rangeComment . "$r ") } }
      :do { add address=$IP2check list=perm24Block comment=$rangeComment } on-error={}
      :log warning "$IP2check range added to perm24Block"
    }
  }
}
## remove the detected entries that are now covered by a blocked /24
:foreach g in=$arrayRange2list do={ remove [find where list="detectedTCP" && address in $g] }
}
This script can still be running when you schedule another run, so in the scheduler another script first checks whether the previous one is still running.

Schedule:
## check whether the script is already running before starting another instance
/system script job
:foreach b in=[find where script="checkRange"] do={
  :log warning "script checkRange is still running, skipping this run"
  :error "script checkRange is already running"
}
/system script run checkRange
Last edited by msatter on Mon Sep 30, 2024 5:50 pm, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add automatic address range from single IP

Mon Sep 30, 2024 5:44 pm

My experience with this is that you will soon block subnets from cloud VPS services that host both legitimate webservices and "researchers" (or hackers) that use the VPS to scan for open ports.
So your rules will surely block /24 networks but after a shorter or longer time you will get complaints about certain sites not being reachable.
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to add automatic address range from single IP

Mon Sep 30, 2024 5:56 pm

pe1chl wrote:
> My experience with this is that you will soon block subnets from cloud VPS services that host both legitimate webservices and "researchers" (or hackers) that use the VPS to scan for open ports.
> So your rules will surely block /24 networks but after a shorter or longer time you will get complaints about certain sites not being reachable.

When also setting a time-out it will be unblocked after a defined time.

This changed line will set a 4 hour time out. This will make it maintenance free.
:do {add address=($arrayRange24->$b) list=perm24Block timeout=4h comment=$rangeComment} on-error={};
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add automatic address range from single IP

Tue Oct 01, 2024 10:40 am

> If someone is port scanning you then it's not really legitimate is it.
You did not understand!!!
When the VPS at IP address a.b.c.25 is scanning for ports and you block a.b.c.0/24 you also affect the legitimate webservice running at address a.b.c.86 that has nothing to do with the portscanning.
You live under the stone of assuming that if one out of 256 users of some VPS service is misbehaving, the company hosting the service must be rotten so it is a good idea to block all of their hosts.
While at first that seems like a good starting point, it WILL bite you, I promise.

It is even dangerous to block single IP addresses without scrutiny. There are jokers that send around spoofed TCP SYN packets from addresses like 8.8.8.8 to ports like 23. When you add 8.8.8.8 to your blocklist you will cut yourself off from Google DNS, which you or some of your devices may be using as DNS server. Don't say that won't happen, happened to me.
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to add automatic address range from single IP

Tue Oct 01, 2024 10:18 pm

pe1chl wrote:
> > If someone is port scanning you then it's not really legitimate is it.
> You did not understand!!!
> When the VPS at IP address a.b.c.25 is scanning for ports and you block a.b.c.0/24 you also affect the legitimate webservice running at address a.b.c.86 that has nothing to do with the portscanning.
> You live under the stone of assuming that if one out of 256 users of some VPS service is misbehaving, the company hosting the service must be rotten so it is a good idea to block all of their hosts.
> While at first that seems like a good starting point, it WILL bite you, I promise.
>
> It is even dangerous to block single IP addresses without scrutiny. There are jokers that send around spoofed TCP SYN packets from addresses like 8.8.8.8 to ports like 23. When you add 8.8.8.8 to your blocklist you will cut yourself off from Google DNS, which you or some of your devices may be using as DNS server. Don't say that won't happen, happened to me.

We understand this and it is a big hammer. I have been using it since 2021 and any offending IP addresses are banned permanently with me. To avoid any valid addresses that are automatically added being blocked, I have a second list that is called DoNotBlock, which is manually maintained.

So if 8.8.8.8 does misbehave I can add it to the DoNotBlock list. Then even if it is present on the permanently blocked list it will not be blocked when it replies to a DNS request.

I have those lines in the RAW firewall and the do-not-block is a return, so it will skip the permanent block underneath, which is a drop.

So I am in full control and can exempt one specific IP address or a range within a .0/24 from being blocked, or from being blocked again at a later moment when it misbehaves again.
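The RAW arrangement described in the post above (a return for the exemption list placed before the drop of the permanent block list), written out as an added example by the editor; it is not msatter's own configuration. It assumes an interface list named WAN and reuses the list names from this thread (perm24Block, DoNotBlock). The two DoNotBlock entries are constructed: 8.8.8.8 from pe1chl's spoofed-SYN story, and a single host inside a blocked /24 taken from the documentation range 203.0.113.0/24.

```routeros
# Added example, not from the thread. Assumes an interface list "WAN" and the
# list names perm24Block (filled by the checkRange script) and DoNotBlock.
/ip firewall raw
# hand every incoming WAN packet to a dedicated chain; "return" in that chain means
# "back to prerouting, skip the rest of this chain", so the exemption must sit above the drop
add chain=prerouting in-interface-list=WAN action=jump jump-target=blocklist \
    comment="block list with manual exemptions"
add chain=blocklist src-address-list=DoNotBlock action=return \
    comment="manually maintained: never dropped, even when inside a blocked /24"
add chain=blocklist src-address-list=perm24Block action=drop \
    comment="ranges promoted by the checkRange script"

/ip firewall address-list
# constructed exemption entries
add list=DoNotBlock address=8.8.8.8 \
    comment="Google DNS: a spoofed SYN from it must not cut off our own resolver traffic"
add list=DoNotBlock address=203.0.113.86 \
    comment="legitimate web host inside a /24 blocked because of a scanner at .25"
```

RAW rules act before connection tracking, so a drop there also discards replies to connections the router or its clients opened themselves; that is exactly why a blocked resolver address stops DNS working, and why the exemption has to be evaluated first.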
 
LostUser
just joined
Topic Author
Posts: 7
Joined: Tue Mar 05, 2019 2:16 am

Re: How to add automatic address range from single IP

Tue Oct 29, 2024 3:18 pm

My apologies folks. Had a lot of work coming my way so was not able to respond.

I have read through the responses and it gives me a good idea that likely a script with a schedule may be what is needed.

Also, to the point that blocking an IP range rather than a specific address could possibly cause an issue: there are reasons to do this and methods to mitigate it. Doing this for a large organization would require a more methodical and investigative approach.

This is for home use and I usually set a timer for certain connections so that they fail if enough attempts are made, and go back through logs to monitor what is going on.

I have encountered some IP addresses from my country doing port scans or more; some of them are from security companies, most are not. I did report one recently and got a response back that it was a security company and I could opt out my IP address from their scanning.
 
LostUser
just joined
Topic Author
Posts: 7
Joined: Tue Mar 05, 2019 2:16 am

Re: How to add automatic address range from single IP

Tue Oct 29, 2024 3:21 pm

msatter wrote:
> (script post above, quoted in full)
Thanks @msatter that is the type of thing I was imagining I would need to do. The only script I had done previously was one that will email me if my router's IP has changed.
 
LostUser
just joined
Topic Author
Posts: 7
Joined: Tue Mar 05, 2019 2:16 am

Re: How to add automatic address range from single IP

Fri Nov 01, 2024 2:51 pm

> pe1chl wrote:
> > You cannot do that from filter lists.
> > It also is not a good idea, in general.
> > You may inadvertently block legitimate traffic!
> I would think you would need some type of script but add a time limit, say 20 minutes, before another attempt.
>
> Just my thought...
@wfburton I actually do have a timer that will block an IP after three attempts on specific ports.

If each of those first two attempts occurs within a certain timeframe, I add that IP to a list. On the third attempt, if that IP is still on the list I block it for a much longer time.
 
LostUser
just joined
Topic Author
Posts: 7
Joined: Tue Mar 05, 2019 2:16 am

Re: How to add automatic address range from single IP

Fri Nov 01, 2024 3:09 pm

> pe1chl wrote:
> > My experience with this is that you will soon block subnets from cloud VPS services that host both legitimate webservices and "researchers" (or hackers) that use the VPS to scan for open ports.
> > So your rules will surely block /24 networks but after a shorter or longer time you will get complaints about certain sites not being reachable.
> If someone is port scanning you then it's not really legitimate is it.
>
> I would go with just the IP address and not the whole CIDR block and maybe add a Blocked Site Exceptions list.
>
> MikroTik does have a kid control but I never played with it. Might be too complicated or messy and I don't know if you can control it with a script.
>
> It would be a work in progress type of thing to fine tune it.
Port scans can be legitimate and if we lived in a world where there were no people with bad intent there would be far less reasons for port scanning.

It is good for testing applications and firewall configurations even if there were no people with bad intent.

Scanning is also a part of the process where we get statistical data on open ports on equipment. From there attempts to access ports that are possibly susceptible to intrusion is another piece of data. You can pull some basic information from some open ports without attempting to log in and just from the responses received.
 
LostUser
just joined
Topic Author
Posts: 7
Joined: Tue Mar 05, 2019 2:16 am

Re: How to add automatic address range from single IP

Fri Nov 01, 2024 3:14 pm

pe1chl wrote:
> You cannot do that from filter lists.
> It also is not a good idea, in general.
> You may inadvertently block legitimate traffic!

I am aware of blocking legitimate traffic.

There needs to be a process where the intended results are monitored, changes are made then tested and the process is repeated.
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add automatic address range from single IP

Fri Nov 01, 2024 4:27 pm

Unless you have a fast internet connection with a large subnet and a slow network behind that, it is mostly a waste of time.
You had better spend your time on securing your services, e.g. not putting services like SSH, telnet, RDP, winbox etc. open on the internet.
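pe1chl's closing advice in concrete terms, as an added example by the editor rather than part of his post: the RouterOS management services as they are often left beside the restricted form. The management network 192.168.88.0/24 and the interface lists LAN and WAN are assumptions (they match the default configuration).

```routeros
# Added example, not from the thread. Assumes the management LAN is 192.168.88.0/24
# and interface lists "LAN" and "WAN" exist (as in the default configuration).
/ip service
# weak: every management service enabled and bound to every address, WAN included
# set telnet disabled=no address=""
# set ssh disabled=no address=""
# set winbox disabled=no address=""
#
# hardened: disable the clear-text services, bind the rest to the management LAN only
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www-ssl address=192.168.88.0/24

# second layer: even if a service binding is widened later, nothing from the WAN
# reaches the router itself; place these after any rules that deliberately expose a service
/ip firewall filter
add chain=input in-interface-list=WAN connection-state=established,related action=accept \
    comment="replies to traffic the router started (DNS, NTP, updates)"
add chain=input in-interface-list=WAN action=drop \
    comment="nothing else from the WAN reaches the router"

# neighbor discovery and MAC-level WinBox/Telnet only on the LAN side
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
```

With no service listening on the WAN, the stage lists and the /24 promotion discussed in this thread stop being the thing that protects the router and become what they are better suited for: a log of who is knocking.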