Mikrotik Malicious Spam IP Blacklist – Firewall Auto Update Script



We have published a free malicious IP blacklist! It combines the DShield and Spamhaus malicious blacklists, formatted as a Mikrotik RouterOS .rsc import script that fills firewall address lists. Our servers update and format it daily so it is easy to download and import into your Mikrotik router.


It can be downloaded directly here. Or follow the instructions below to set up firewall rules and schedule automatic daily updates on any Mikrotik router.



To automatically download, update, and apply the combined DShield and Spamhaus IP blacklists on your Mikrotik router:
First: log into Winbox.


Open a terminal and add the following firewall rules:


ip firewall raw add chain=prerouting dst-address-list="sbl malc0de" action=drop comment="sbl malc0de"
ip firewall raw add chain=prerouting dst-address-list="sbl dshield" action=drop comment="sbl dshield"
ip firewall raw add chain=prerouting dst-address-list="sbl spamhaus" action=drop comment="sbl spamhaus"
ip firewall raw add chain=prerouting dst-address-list="sbl blocklist.de" action=drop comment="sbl blocklist.de"


Now we need to schedule the automated update: Go to system scheduler and create a new task.





/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/drop.malicious.rsc


Now we schedule the import task: Go to system scheduler and create a new task.




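# Pause the first logging rule so the import does not flood the log
:log warning "Disabling system Logging";
/system logging disable 0
/import drop.malicious.rsc
# Turn the logging rule back on once the import has finished
/system logging enable 0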
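
The scheduled tasks above fetch drop.malicious.rsc over plain HTTP and import it, and an imported .rsc file can carry any RouterOS command, not only address-list entries. One way to vet a downloaded copy on a staging host before routers import it, as an added example (not the site's own code): the file layout, the PROTECTED ranges, the sample data and the function names are assumptions.

```python
import ipaddress
import re
import shlex

# List names come from the firewall rules on this page.
ALLOWED_LISTS = {"sbl malc0de", "sbl dshield", "sbl spamhaus", "sbl blocklist.de"}
MENU = "/ip firewall address-list"
# Assumption: local ranges that a blacklist entry must never cover.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples in the assumed file layout (not the real feed).
GOOD = '''/ip firewall address-list
remove [find list="sbl dshield"]
add list="sbl dshield" address=198.51.100.0/24
add list="sbl spamhaus" address=203.0.113.7 comment="sbl"
'''
BAD = '''/ip firewall address-list
add list="sbl dshield" address=0.0.0.0/0
add list="sbl dshield" address=192.168.88.1
add list="sbl dshield" address=198.51.100.9; /system identity set name=changed
/system identity set name=changed
'''


def check_add(args):
    """Return a reason to reject the arguments of one 'add' command, or None."""
    if set(";[]{}$`") & set(args) or args.endswith("\\"):
        return "script metacharacter in add command"
    try:
        tokens = shlex.split(args)
        params = dict(t.split("=", 1) for t in tokens)
        net = ipaddress.ip_network(params["address"], strict=False)
    except (ValueError, KeyError):
        return "malformed add command"
    if len(params) != len(tokens) or set(params) - {"list", "address", "comment"}:
        return "unexpected or repeated parameter"
    if params.get("list") not in ALLOWED_LISTS:
        return "unknown address list"
    if net.version != 4 or net.prefixlen < 8 or any(net.overlaps(p) for p in PROTECTED):
        return "address too broad or inside a protected network"
    return None


def validate_rsc(text):
    """Return (ok, errors); errors are 'line N: reason' strings."""
    errors, in_menu = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == MENU or line.startswith(MENU + " "):
            in_menu, line = True, line[len(MENU):].strip()
        elif line.startswith("/"):
            in_menu = False  # any other menu path ends the address-list context
        if not line or line.startswith("#"):
            continue
        if not in_menu:
            why = "command outside " + MENU
        elif line.startswith("add "):
            why = check_add(line[4:])
        else:
            m = re.match(r'remove \[find list="([^"]+)"\]$', line)
            why = None if m and m.group(1) in ALLOWED_LISTS else "not an allowed add/remove"
        if why:
            errors.append("line %d: %s" % (n, why))
    return (not errors, errors)
```

A file that fails the check should be discarded and the previous address lists kept in place.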

Block registration spam bot using jquery html


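THIS SCRIPT DISABLES THE SUBMIT BUTTON IF THE HIDDEN FORM TEXT FIELD IS AUTO-FILLED BY A BOT

<script src='https://code.jquery.com/jquery-1.7.1.min.js'></script>
<input type="text" id="message" style="display:none;">
                <input class="button" name="adduser" type="submit" id="adduser" value="{NUSRREGNM17}">

<script>
$(document).ready(function(){
    // Honeypot: #message is hidden from people, so any value in it means a bot filled the form.
    // This runs only in the browser; a client that posts the form directly never executes it.
    $('#adduser').prop('disabled', false);

    function honeypotFilled(){
        return $('#message').val().length != 0;
    }
    $('#message').keyup(function(){
        $('#adduser').prop('disabled', honeypotFilled());
    });
    // Values set without key presses fire no keyup, so check again when the button is clicked
    $('#adduser').click(function(){
        return !honeypotFilled();
    });
});
</script>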

Mikrotik squid tproxy forward rules




/ip route
add disabled=yes distance=1 gateway=115.117.79.130 routing-mark=tproxied

/ip firewall mangle
add chain=prerouting disabled=yes port=80 protocol=tcp src-mac-address=00:22:4D:A7:BC:60
add action=mark-routing chain=prerouting disabled=yes dst-address-list=cache-addr dst-port=80 new-routing-mark=tproxied protocol=tcp src-address=!115.117.81.2 src-address-list=redirect-addr
add action=mark-routing chain=prerouting disabled=yes dst-address=!115.117.81.2 dst-address-list=redirect-addr new-routing-mark=tproxied protocol=tcp src-address-list=cache-addr src-port=80
add action=mark-routing chain=prerouting disabled=yes dst-address-list=cache-addr dst-port=80 new-routing-mark=tproxied protocol=tcp src-address=172.16.0.0/23
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!non-cache new-routing-mark=tproxied protocol=tcp src-address-list=cache-addr src-mac-address=!00:22:4D:A7:BC:60 src-port=80

How to mount an external HDD on linux




sudo fdisk -l
sudo mkdir /media/Skliros_Diskos
sudo mount -t ntfs-3g /dev/sdb1 /media/Skliros_Diskos

Mikrotik VPN Script PPTP & L2TP




# The following creates a PPTP and L2TP VPN server on the MikroTik:
# !!! YOU MUST UPDATE DNS IN /PPP PROFILE TO THE CUSTOMERS ISP DNS IP ADDRESS !!!
 
/ip pool
add name=VPN_Pool_192 ranges=192.168.131.50-192.168.131.150
 
/ppp profile
add change-tcp-mss=yes dns-server=68.94.156.1,68.94.157.1 local-address=\
    192.168.131.254 name=VPN-Encrypt remote-address=VPN_Pool_192 \
    use-encryption=yes
 
/ppp profile
add change-tcp-mss=yes dns-server=192.168.131.253,10.0.0.12 local-address=\
    192.168.131.254 name=Guido-Encrypt remote-address=VPN_Pool_192 \
    use-encryption=yes
 
/interface l2tp-server server
set default-profile=VPN-Encrypt enabled=yes
 
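# pap, chap and mschap1 are weak (pap sends the password in clear text); keep only mschap2 if your clients allow it
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN-Encrypt \
    enabled=yes
 
 
# The following creates a user on the VPN Server MikroTik:
# The name and password below are examples; set your own before use.
 
/ppp secret
add name=aravpnadmin password=YsD9fKN3fVZP profile=VPN-Encrypt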

Block torrents with mikrotik


/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
    orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
    o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
    RP]"
 
/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
    address-list-timeout=2m chain=forward layer7-protocol=\
    layer7-bittorrent-exp src-address=192.168.10.0/24 src-address-list=\
    !allow-bit
add action=add-src-to-address-list address-list=Torrent-Conn \
    address-list-timeout=2m chain=forward p2p=all-p2p src-address=\
    192.168.10.0/24 src-address-list=!allow-bit
 
/ip firewall filter
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
    src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
    src-address-list=Torrent-Conn

Linux / UNIX: Delete a file

To remove a file or directory in Linux, FreeBSD, Solaris or Unix-like operating systems use the rm command.

To remove all files & subdirectories from a directory (MS-DOS deltree like command), enter:


rm -rf mydir

Prioritize SpeedTest.Net Results via Mikrotik Queue



# Mark speedtest in Layer7 firewall
/ip firewall layer7-protocol
add name=speedtest regexp="^.+(speedtest).*\\\$"
 
# Marking SPEEDTEST.NET in mangle section using L7
/ip firewall mangle
add action=mark-connection chain=forward comment=SPEEDTEST layer7-protocol=speedtest new-connection-mark=speedtest_conn
add action=mark-connection chain=prerouting new-connection-mark=speedtest_conn protocol=tcp src-port=8080
add action=mark-packet chain=prerouting connection-mark=speedtest_conn new-packet-mark=speedtest_pkt passthrough=no
add action=mark-connection chain=postrouting dst-port=8080 new-connection-mark=speedtest_conn protocol=tcp
add action=mark-packet chain=postrouting connection-mark=speedtest_conn new-packet-mark=speedtest_pkt passthrough=no
 
# Add PCQ so that it can be applied on a per-IP basis later in simple queue / zaib
/queue type
add kind=pcq name=download-2mb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=2048k \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=upload-2mb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=2048k \
    pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
 
# Add simple QUEUE to limit speedtest.net 2mb PER USER
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Limit every Users at 2mb using PCQ. for speedtest only marked by mangle / zaib" direction=both disabled=no interface=all limit-at=0/0 max-limit=0/0 name=\
    "SpeedTest.Net 2Mb per use via g PCQ / zaib" packet-marks=speedtest_pkt parent=none priority=8 queue=upload-2mb/download-2mb target-addresses=192.168.5.0/24 total-queue=default-small
 
# Add simple QUEUE to limit user PC individually for rest of traffic, static or dynamic up to your network.
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=512k/512k max-limit=512k/512k name="Zaib Desktop 512k A llowed - 192.168.5.2" packet-marks="" \
    parent=none priority=8 queue=default-small/default-small target-addresses=192.168.5.2/32 total-queue=default-small

Manual squid-3 tproxy Installation with mikrotik




#manual for debian7 ubuntu12/14
 
after you finish installing ubuntu / debian
# change or replace /etc/apt/sources.list with a local repository
debian 7 indonesia=
deb http://kambing.ui.ac.id/debian/ wheezy main contrib non-free
deb http://kambing.ui.ac.id/debian/ wheezy-updates main contrib non-free
deb http://kambing.ui.ac.id/debian-security/ wheezy/updates main contrib non-free
 
for debian error key=
aptitude install debian-keyring debian-archive-keyring
apt-key update
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
 
apt-get update && apt-get upgrade -y
key input (q)
 
#edit tuning limits.conf at /etc/security/limits.conf
add to /etc/security/limits.conf
=============================================================
*         soft        nofile          65536
*         hard        nofile          65536
root      soft        nofile          65536
root      hard        nofile          65536
proxy     soft        nofile          65536
proxy     hard        nofile          65536
================================================================
#edit kernel @ .. /etc/sysctl.conf
=================================================================
#remove all contents and replace with config below
################################################################
<< .....................................................................................
kernel.panic = 30
kernel.panic_on_oops = 30
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
fs.file-max = 65536
vm.swappiness = 5
vm.vfs_cache_pressure=50
vm.mmap_min_addr = 4096
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
kernel.shmmax = 268435456
kernel.shmall = 268435456
vm.min_free_kbytes = 65536
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 87380
net.core.rmem_max = 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 65536
net.core.wmem_max = 16777216
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
net.core.optmem_max = 65536
net.ipv4.tcp_max_tw_buckets = 1440000
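# tcp_tw_recycle breaks connections from clients behind NAT and was removed in Linux 4.12; leave it out on newer kernels
net.ipv4.tcp_tw_recycle = 1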
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
<<<...........................................................................................................
==============================================================================================================
# install web server
apt-get install apache2 php5 php5-mysql mysql-server phpmyadmin -y
edit apache2.conf @/etc/apache2/apache2.conf
# Include the virtual host configurations:
Include sites-enabled/
ServerName localhost <<<< add this line
 
# install dns server, can be bind or unbound
I use unbound, user friendly installation
apt-get install unbound
/etc/init.d/unbound stop
cd /etc/unbound
wget ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/named.cache
edit unbound.conf= <<<my unbound.conf.... http://pastebin.com/2gTnMNAV
edit dns-nameservers in /etc/network/interfaces, replace with localhost ip
# for mikrotik router
<<<.. adding my mikrotik nat dns-server unbound resolver= http://pastebin.com/190MZmtz
unbound-control-setup
chown unbound:root unbound_* && chmod 440 unbound_*
/etc/init.d/unbound restart
flush cache unbound= /etc/init.d/unbound reload or unbound-control reload
 
#start squid proxy configuration
# install packages
apt-get install devscripts build-essential openssl libssl-dev fakeroot libcppunit-dev libsasl2-dev cdbs ebtables bridge-utils libcap2 libcap-dev libcap2-dev sysv-rc-conf iproute kernel-package libncurses5-dev fakeroot wget bzip2 debhelper linuxdoc-tools libselinux1-dev htop iftop dnstop perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python ccze pastebinit checkinstall libssl-dev htop iftop iptraf mtr-tiny bwm-ng ccze sysv-rc-conf -y
 
#libecap
download libecap= http://www.4shared.com/archive/uMVmB3ADce/libecap-100tar.html
download DSI_ecap_youtube.so=  http://www.4shared.com/file/rYJcJqyVce/DSI_ecap_youtube.html
tar -xzf libecap-1.0.0.tar.gz
cd libecap-1.0.0/
./configure && make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig
 
#ecap_adapter
apt-get install pkg-config
wget http://www.measurement-factory.com/tmp/ecap/ecap_adapter_sample-1.0.0.tar.gz
tar -xzf ecap_adapter_sample-1.0.0.tar.gz
cd ecap_adapter_sample-1.0.0
# download patch ecap_adapter in mikrotik squid indonesia group / thanks to Mikrotike N SquidLovers
https://www.facebook.com/download/989568241123182/patch_ecap_adapter_sample.patch
<<< move patch_ecap_adapter_sample.patch > #to directory= /ecap_adapter_sample-1.0.0
<<< and then run the command below >>>
execute >> patch -p1 < patch_ecap_adapter_sample.patch
./configure && make && make install
 
 
#squid installation
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.12.tar.gz
tar -xzvf squid-3.5.12.tar.gz
cd squid-3*
 
./configure \
CHOST="x86_64-pc-linux-gnu" \
CFLAGS="-march=core2 -O2 -pipe" \
CXXFLAGS="${CFLAGS}" \
--build=x86_64-linux-gnu \
--prefix=/usr \
--exec-prefix=/usr \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--libdir=/usr/lib \
--sharedstatedir=/usr/com \
--includedir=/usr/include \
--localstatedir=/var \
--libexecdir=/usr/lib/squid \
--srcdir=. \
--datadir=/usr/share/squid \
--sysconfdir=/etc/squid \
--infodir=/usr/share/info \
--mandir=/usr/share/man \
--x-includes=/usr/include \
--x-libraries=/usr/lib \
--with-default-user=proxy \
--with-logdir=/var/log/squid \
--with-swapdir=/cache/cache \
--with-pidfile=/var/run/squid.pid \
--enable-err-languages=English \
--enable-default-err-language=English \
--enable-storeio=ufs,aufs,diskd \
--enable-linux-netfilter \
--enable-removal-policies=lru,heap \
--enable-gnuregex \
--enable-follow-x-forwarded-for \
--enable-x-accelerator-vary \
--enable-zph-qos \
--enable-delay-pools \
--enable-snmp \
--enable-underscores \
--with-openssl \
--enable-ssl-crtd \
--enable-http-violations \
--enable-async-io=24 \
--enable-storeid-rewrite-helpers \
--with-large-files \
--with-libcap \
--with-libnetfilter-conntrack \
--with-included-ltdl \
--with-maxfd=65536 \
--with-filedescriptors=65536 \
--with-pthreads \
--without-gnutls \
--without-mit-krb5 \
--without-heimdal-krb5 \
--without-gnugss \
--disable-icap-client \
--disable-wccp \
--disable-wccpv2 \
--disable-dependency-tracking \
--disable-auth --disable-epoll \
--disable-ident-lookups \
--disable-icmp \
--enable-ecap \
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
 
make && make install
 
chown -R proxy:proxy /cache/cache/
# squid runs as the proxy user, so the cache does not need to be world-writable
chmod -R 750 /cache/cache/
 
cd /etc/squid
mkdir ssl_certs
 
cd ssl_certs
openssl genrsa -out squid.key 2048
openssl req -new -key squid.key -out squid.csr -nodes
#input  data for certificate squid#
openssl x509 -req -days 3652 -in squid.csr -signkey squid.key -out squid.crt
 
/usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl_db
 
#edit squid.conf
my squid.conf for tproxy= http://pastebin.com/18Rb3nD0
my squid.conf non tproxy only virtualbox= http://pastebin.com/uvtLinw8
my store-id.pl= http://pastebin.com/pLK4Jk81
chown -R nobody /etc/squid/
chown -R proxy:proxy /etc/squid/
# /etc/squid holds ssl_certs/squid.key, so keep it closed to other users
chmod -R 750 /etc/squid/
 
/usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl_db
 
cd /var/log/squid/
touch access.log
touch cache.log
cd ..
chown -R proxy:proxy /var/log/squid/access.log
chown -R proxy:proxy /var/log/squid/cache.log
# the logs only need to be writable by the proxy user
chmod 640 /var/log/squid/access.log
chmod 640 /var/log/squid/cache.log
 
cd /etc/init.d/
touch squid   >> then add the script
/etc/init.d/squid= http://pastebin.com/W8xQAD0d
edit line 64 of the squid file @/etc/init.d/squid >>line 64= #cache_dir=`find_cache_dir cache_dir /cache/cache`
chmod +x /etc/init.d/squid
update-rc.d squid defaults
/etc/init.d/squid stop
<<< chown -R nobody /etc/squid/ssl_db/
<<< chown -R proxy:proxy /etc/squid/ssl_db/
<<< chmod -R 750 /etc/squid/ssl_db/
 
# edit /etc/rc.local
config rc.local>>>.... http://pastebin.com/3z3s1Hpy
 
squid -z
reboot
###################################################################################
# your mikrotik
add your proxy ip @ ip firewall address list
<<and this is a simple mikrotik config for tproxy access
>>> http://pastebin.com/9uyMpMac
#####################################################################################
 
#back to proxy and login
input=
/etc/init.d/squid restart
 
#ssl_cert import
download the ssl_certs from your squid directory
using winscp >> download ssl_certs from directory /etc/squid/ >> to your windows computer/....
# only squid.crt is imported into the browsers; squid.key stays on the proxy
 
#setting non tproxy manual browser input
#add the setting to your browser mozilla / chrome or etc....
# google chrome= setting >>> add https/ssl >> manage certificates >> click trusted root certification
click button import >>> and import your squid.crt from directory /ssl_certs
# mozilla/firefox
click tools >> advanced >> certificates >> click button view certificates >> import your squid.crt from directory /ssl_certs
 
 
=======================================================================================================
# if you install dns-crypt and unbound>>  
script auto start dns-crypt=
<<<... /usr/local/sbin/dnscrypt-proxy -a 127.0.0.1:40 -d -R d0wn-sg-ns1 -e 4096 -p /run/dnscrypt-proxy.pid
========================================================================================================

Mikrotik dual wan failover script


Mikrotik Multi wan failover script

# Script Starts here...
# Internet Host to be checked You can modify them as per required, JZ
:local host1   "8.8.8.8"
:local host2   "208.67.222.123"
 
# Do not modify data below without proper understanding.
:local i 0;
:local F 0;
:local date;
:local time;
:global InternetStatus;
:global InternetLastChange;
 
# PING each host 5 times
:for i from=1 to=5 do={
:if ([/ping $host1 count=1]=0) do={:set F ($F + 1)}
:if ([/ping $host2 count=1]=0) do={:set F ($F + 1)}
:delay 1;
};
 
# If both links are down and all replies have timed out, then the link is considered down
:if (($F=10)) do={
:if (($InternetStatus="UP")) do={
:log error "WARNING : The INTERNET link seems to be DOWN. Please Check";
:set InternetStatus "DOWN";
 
##      ADD YOUR RULES HERE, LIKE ROUTE CHANGE OR WHAT EVER IS REQUIRED, Example is below ...
##     /ip route set [find comment="Default Route"] distance=3
##     /ip firewall nat disable [find comment="Your Rules, Example"]
 
:set date [/system clock get date];
:set time [/system clock get time];
:set InternetLastChange ($time . " " . $date);
} else={:set InternetStatus "DOWN";}
} else={
 
##      If reply is received , then consider the Link is UP
:if (($InternetStatus="DOWN")) do={
:log warning "WARNING :The INTERNET link have been restored";
:set InternetStatus "UP";
 
##      ADD YOUR RULES HERE, LIKE ROUTE CHANGE OR WHAT EVER IS REQUIRED, Example is below ...
##     /ip route set [find comment="Default Route"] distance=1
##     /ip firewall nat enable  [find comment="Your Rules, Example"]
 
:set date [/system clock get date];
:set time [/system clock get time];
:set InternetLastChange ($time . " " . $date);
} else={:set InternetStatus "UP";}
}
 
# Script Ends Here.
# Thank you
