I've started development of the replacement service. Please read the Development topic here:
Here is a form to fill out if you want to be notified when the new service goes live.

New blacklist system! (7-July-2017)

RouterOS version 6.36 or higher is now required.

Okay guys, I'm posting my first RC for the new system. To simplify things, I'm only posting an Installer / Updater script. This will install the new blacklist update script, the config script, and the schedulers. You will end up with the following:

Scripts:
- blacklistUpdate - the primary script for checking for the list and installing it.
- blacklistUpdate.conf - configuration for the script. The auto-script-update will not touch this.
- blacklistScriptUpdater - this is the auto-upgrade script. I recommend calling it once a day to make sure you are current.

Scheduler:
- blacklistUpdate - this will run hourly, checking to see if a new list is available, updating ONLY if the list is new.
- blacklistUpdateOnBoot - this is for loading the current list when the router boots.

The list name has changed. You will need to update your rules to use 'intrusBL' instead of 'dynamicBlacklist'.

Updates are now done in place. Old entries have their expiration lowered to 30 minutes so that they expire soon. This replaces the remove process and lets them expire naturally. Current retirees are updated to 25 hours. New entries are added and set to 25 hours.

Checking for updates is done via DNS. A quick lookup to my DNS server (checking 127.0.0.3) returns the current serial number of the list. If the serial matches what is currently installed, no update is done. If the serial is higher, the new list is downloaded and installed.

I look forward to your feedback.

This is an archived post. Please refer to the post above.

I've gone ahead and started publishing my dynamic filter list for RouterOS 6.x. My server generates the list each night after collecting data on all known botnets, C&C servers, and spammers. Currently the list runs about 3k entries, so it may not work well on low end routers. Here is the script to update the list, as well as my personal firewall rules. As always, adjust them to fit your needs.

Client Statistics can now be found here:
Feedback and suggestions are always welcome.

The list is updated every 6 hours: 00:00, 06:00, 12:00, 18:00. PLEASE DO NOT RUN EVERY MINUTE. Running the script every minute is a waste of bandwidth and puts undue strain on the NAND. I recommend updating every 12 to 24 hours.

The address-list entries are now Dynamic with a 25 hour timeout. This will cut the number of writes to NAND down dramatically.

The script only needs Read, Write, & Test permissions. Name the script 'updateBlacklist'. Removing the variables sent will prevent the server from sending the updates. I use them for accounting so I can keep track of the number of requests and the amount of bandwidth used. Don't forget the schedule. And, if you are interested, here are my filter rules.

Code:
/tool fetch url="..." mode=https;
/system script remove updateBlacklist;
/system scheduler remove updateBlacklist;
/system scheduler remove updateBlacklistOnBoot;
/import updateBlacklist.rsc;
/file remove updateBlacklist.rsc;

Change Log:
Version 2017-07-05a
- Changed logging - now only mutes the 'firewall', no longer mutes all 'info'.
- Changed default path to / instead of /disk1/ - current issue with CCR using microSD.
- More accurate logging of what is happening.
- Minor text formatting changes.
- Now sets two globals - blSerial and blVersion (for future auto-update script).

Ah well. 403 forbidden errors in any case.

Just FYI - but it will be MUCH better (both on you, routers, management, and resources) to simply distribute lists of IPs using private ASN numbers and multi-hop BGP. People peering with your BGP feed can then just get the updates as you push them, and blackhole the routes. Much, much more efficient than hammering routers with 3K firewall rules. Just a thought.

I don't use BGP because most users that will want this don't know how to setup BGP to start with. And yes, the server gives a 403 if you try to access it directly, instead of a RouterOS device pulling it.

Thanks for this ruleset. Is it useful to put the input and forward chain into this same set of rules? What I am also interested in, is it possible to say how much performance influence a rule has? I have a home use setup with an RB2011 and so I think I will never reach the limit (2-5 devices running @ same time). It only interests me. PS: Can't give karma, don't know why.

The ratings are actually disabled.

On s.o.h.o. that worked.
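The in-place refresh described in the announcement above (a cheap serial lookup each hour, a download only when the serial is higher, retired entries dropped to a 30 minute timeout while current and new entries get 25 hours) can be modelled outside the router. The following is an added Python illustration, not the RouterOS script from the thread; the serials, list bodies and the `lookup_serial` / `fetch_list` stubs that stand in for the DNS query and the HTTPS fetch are constructed sample data.

```python
"""Serial-keyed, in-place refresh of a dynamic address list (added example)."""
import ipaddress
from dataclasses import dataclass

RETIRE_TIMEOUT_S = 30 * 60      # entries that left the list expire soon
ACTIVE_TIMEOUT_S = 25 * 3600    # 25 h: outlives one missed hourly check


@dataclass
class Entry:
    address: str
    timeout_s: int


def parse_list(text: str) -> list:
    """One address or CIDR per line; comments, blanks and malformed lines are
    skipped so a corrupted download cannot inject garbage into the list."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            out.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue
    return out


class AddressList:
    """A dynamic address list: address -> Entry with a remaining timeout."""

    def __init__(self, name: str, serial: int = 0):
        self.name = name
        self.serial = serial
        self.entries = {}

    def apply(self, new_serial: int, addresses) -> tuple:
        """Install a list in place. Returns (added, refreshed, retired) and
        does nothing unless new_serial is higher than the installed serial."""
        if new_serial <= self.serial:
            return (0, 0, 0)
        incoming = set(addresses)
        added = refreshed = retired = 0
        for addr, entry in self.entries.items():
            if addr in incoming:
                entry.timeout_s = ACTIVE_TIMEOUT_S      # still listed: refresh
                refreshed += 1
            elif entry.timeout_s > RETIRE_TIMEOUT_S:
                entry.timeout_s = RETIRE_TIMEOUT_S      # dropped: let it expire
                retired += 1
        for addr in incoming - set(self.entries):
            self.entries[addr] = Entry(addr, ACTIVE_TIMEOUT_S)
            added += 1
        self.serial = new_serial
        return (added, refreshed, retired)


def check_and_update(alist: AddressList, lookup_serial, fetch_list) -> tuple:
    """The hourly scheduler job: one cheap lookup, a download only on change.
    lookup_serial() and fetch_list() are stubs for the DNS query and fetch."""
    published = lookup_serial()
    if published <= alist.serial:
        return (0, 0, 0)
    return alist.apply(published, parse_list(fetch_list()))


def demo() -> dict:
    """Two scheduler runs against a constructed server: the second run sees a
    new serial, retires one entry, refreshes one and adds one."""
    server = {"serial": 41, "body": "192.0.2.10\n198.51.100.0/24\n# comment\nnot-an-ip\n"}
    alist = AddressList("intrusBL")
    first = check_and_update(alist, lambda: server["serial"], lambda: server["body"])
    server["serial"] = 42
    server["body"] = "192.0.2.10\n203.0.113.0/24\n"
    second = check_and_update(alist, lambda: server["serial"], lambda: server["body"])
    return {"first": first, "second": second,
            "retired_timeout": alist.entries["198.51.100.0/24"].timeout_s,
            "serial": alist.serial}


if __name__ == "__main__":
    print(demo())
```

The retire step never deletes anything: lowering the timeout is the whole removal mechanism, which is what keeps the NAND writes down compared with a remove-and-reimport cycle.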
Thank you very much. I schedule it to work every 24h. Can I ask something about the listed IP addresses? Do these include the Spamhaus DROP List and the OpenBL list? Thanks a lot.

My server pulls the lists from Spamhaus, OpenBL, malc0de, and emergingthreats. In addition to those, I have just over 40 servers and routers that report in and add to the list. Currently the server builds a new list every 24 hours. I'm working on a new system that will be updated continuously.

Thank you very much. I start to use it. And I add some firewall rule for this, can you check it for me also.

Code:
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.36 (c) 1999-2016

  ?         Gives the list of available commands
  command ? Gives help on the command and list of arguments
  Tab       Completes the command/word. If the input is ambiguous, a second Tab gives possible options
  /         Move up to base level
  ..        Move up one level
  /command  Use command at the base level

[mike@Knittel Home CCR] > :local model [/system resource get board-name]
[mike@Knittel Home CCR] > :local version [/system resource get version]
[mike@Knittel Home CCR] > :local memory [/system resource get total-memory]
[mike@Knittel Home CCR] > :local uname [/system identity get name]
[mike@Knittel Home CCR] > :local scriptVer "2016.7.4a"
[mike@Knittel Home CCR] > :log warning "Downloading current Blacklist for this model";
[mike@Knittel Home CCR] > /tool fetch mode=https dst-path="/dynamic.rsc" url="..."
      status: failed
      failure: closing connection: 172.102.241.58:80 (4)
-- Q quit D dump C-z pause --
[mike@Knittel Home CCR] > ynamic.rsc
bad command name ynamic.rsc (line 1 column 1)
[mike@Knittel Home CCR] > :log warning "Removing temp file.";
[mike@Knittel Home CCR] > /file remove dynamic.rsc
no such item
[mike@Knittel Home CCR] > :log warning "Blacklist Update Complete.";
[mike@Knittel Home CCR] > /system logging enable 0

LOL okay, went to the very first post you started this thread with and copied and pasted it all. Still get an error. EDIT: I also tried this in the script file, no dice.

Code:
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.36 (c) 1999-2016

  ?         Gives the list of available commands
  command ? Gives help on the command and list of arguments
  Tab       Completes the command/word. If the input is ambiguous, a second Tab gives possible options
  /         Move up to base level
  ..        Move up one level
  /command  Use command at the base level

[mike@Knittel Home CCR] > /system script run updateBlacklist
status: failed
failure: closing connection: 172.102.241.58:443 (4)
[mike@Knittel Home CCR] >
I haven't looked through the rules / etc on your list, Dave, but I was wondering if you plan to use the Raw table for the rule to drop blacklisted source/destination packets so that they don't create entries in the connection tracking table.

I do, but the vast majority of routers pulling the list are still running 6.35 and lower. 6.32.4 makes up about 85% of the total. Once the majority are running a RouterOS that supports the RAW table, then I will move to that. As it is now, you can simply move the drop rule from the firewall to RAW and it works nicely. That's what I do, personally.

Once 'bugfix' was moved to the 6.36 branch, which eventually happened later - it will, perhaps. You can maybe start to distribute the blacklist via DNS records to 6.36. A user can just put one domain name that would load the whole list of IP addresses and keep it updating according to the TTL. No need for scripts and files further.

I can't think of a way to do that. A few issues - server side, it needs to know what version, CPU and how much memory the router has. There are several times a month that the list can balloon up to 810k addresses, so the server needs to serve a smaller list to the low memory and low CPU routers. Also, while you can resolve an address, you can't push 35k IPs and subnets through one query. It would work if RouterOS had a DNSBL function. You have other thoughts on how you would do it? There is just no realistic way to automate the rules, as every setup is different.

Yeah, very true. If I were to vote for another delivery method of this list, I would choose a BGP feed, which could easily be used as a means to blackhole route the offending addresses. You could even get super fancy with it by using communities in your feed if you wanted - communities that specify what activities an IP was banned for, or how threatening an address is considered, etc. If MikroTik adds a routing filter action of 'add to address list' then BGP would be quite an awesome means to keep the list updated in real-time w/o the need for fetching/parsing lists over HTTP.

To be honest, BGP is my big weakness. I haven't needed it, so I never learned about it. I'm not even sure where I should start.

BGP feeds for address lists are a bit different than routing with BGP because they're just using BGP as a vector to transmit the list, since its behavior is very well suited to the task - send the current list in full whenever a connection forms, and then send only deltas thereafter. It's quite efficient for this. The way you could use this as a filter list right now would be to set all routes in the list as type=blackhole (via an in-filter on the client router) and enable strict RPF on the client as well. This will block traffic from going TO a blacklisted destination because it null-routes the destination. The RPF causes the blacklisted addresses to get blocked because real packets won't arrive via the black hole interface. Since the reverse path doesn't match the routing table, RPF will discard packets from the blacklisted sources. Just brainstorming here.

One way to do it is by using ExaBGP. When you create the rules for the address-list with your (I presume) daily script, you can also push the prefixes to ExaBGP with simple scripting (Python, PHP, bash, etc). The only difference is that you will probably need to keep track of what you have sent to ExaBGP so in the next update of the list, you only send the differences (new advertisements, and withdrawals).

My list is regenerated every 4 hours. When /16s are added, it's almost always because the ISP has been notified of a BOTNET being run on their network, AND they have refused to look into it. They are also added when the honeypots see attacks / spam from more than 50% of the IPs in that range. The networks are removed from the list as soon as the ISP responds to the issue, or the honeypots see that the issue has been resolved.

Thanks for the BGP info. I will look into it. I certainly don't want to setup BGP peers for every site that wants to use my list. As it is now, I have about 2700 routers that pull the list every 24 hours. (and 5 that insist on pulling it every 60 seconds).
BGP peering would at least let people get real-time updates w/o having to download the list every 60 seconds.

I think that using the API for a web-based sign-up might be the best idea if you want to use ROS as the BGP source. I would recommend that the master set of addresses be kept separate from the hosts that subscribers actually peer with. Furthermore, I'm not sure how this translates into RouterOS, but in Cisco, grouping peers into peer-groups has a marked improvement on the performance because the BGP process makes announce/withdraw decisions once for the group and then sends them out. Each un-grouped peer must be computed separately - causing much more CPU load for hosts w/ a large number of peers. (I am not certain if ROS even has a similar construct to peer groups - never deployed BGP on a production MikroTik router.) If I were setting this up for BGP distribution, I would probably do the following:
- Private ASN on my side
- Bogus next-hop IP (e.g. 127.0.0.2 or 169.254.0.1 or something like that), so that if the subscriber forgets to blackhole the route properly, it won't try to actually route the address to a real next-hop.
- EBGP + multihop = 256
- in-filter = drop-all filter
- out-filter = this is where interesting things could happen. If you wanted to allow your subscribers the ability to specify certain filter types (akin to the list size limits you do for smaller client routers) then you could make similar filters and let the customer choose which one to apply to their session.

ZeroByte's approach seems a lot more straightforward than mine! Upon a little research, so far I see only the big vendors (Cisco, Juniper, etc) have implemented 'Dynamic Neighbors' support into BGP. Quagga, BIRD, ExaBGP - as far as I can tell - they don't support it yet. So I guess the creation of BGP peers (via API, or some other way) seems the (only) way to go. But that brings problems of its own. You may end up with tons of 'dead' peers over time from users that stopped using the service, so there should be a periodic check for long-dead peers to delete them.

I tried to test ZeroByte's approach but I noticed two issues. First, the BGP instance must be configured for the 'blacklist' routing table, otherwise it only redistributes static routes that are on the main routing table.

Code:
[admin@MikroTik] > /routing bgp advertisements print
PEER   PREFIX   NEXTHOP   AS-PATH   ORIGIN   LOCAL-PREF

Of course the BGP instance could run on a dedicated MikroTik installation (CHR?) on the main routing table without interfering with any real/backbone traffic. Second, RouterOS' BGP does not seem to accept any prefixes with a non reachable/bogus next-hop (or smth similar, I am not sure yet). Or at least I couldn't find a way to do it. If I don't set the out next-hop at all, then the prefix is added to the routing table as inactive with gateway the (multihop) IP of the BGP peer. All in all, I find ZeroByte's solution much easier to implement (taking into account that you haven't worked with BGP before). I avoid doing any kind of redistributions on BGP so naturally the first idea that came into mind was not the simplicity of static routes redistribution. Also RouterOS does not advertise more than 200 networks (/routing bgp network) per instance. But it should work perfectly fine with thousands of redistributed prefixes.

Glad you liked the idea - and in general, you'll see that I'm quite the opponent of redistributing routes, ESPECIALLY into BGP, but this is a special case where all of that best practice stuff for network engineering goes right out the window. The easiest thing to do is just redistribute routes into BGP on a box that is not otherwise doing any routing. Setting BGP into its own routing table at the process level makes things even simpler - I didn't actually try to lab this up, but had I done so, I certainly would've caught that requirement.

Sounding more and more like the script is a much simpler way to go.

Funny thing is - to me, a script is always less desirable than leveraging the built-in behaviors of a system. People a lot smarter than me had a conference to make these standard protocols as robust as possible, so using them is like using a wheel as opposed to inventing my own wheel. But BGP distribution is not without its drawbacks - the biggest one right now is that null routing + RPF enforcement is the only thing you can do with it, and while it's effective as a blacklist, it is nowhere near as flexible as an IP address list (which is why I'm hoping they do implement 'add target to address list' as an action for routing filters). I will say that the BGP method would be simpler to manage over a large distribution, and the implementation on the client side is brain-dead simple:
- enable BGP (if not already using BGP) with any private ASN other than 64567 (or just use their real ASN if they're already running BGP)
- in-filter = accept all - action=set route type=blackhole
- out-filter = discard all
- enable strict RPF in IP options
The nice thing about BGP is that the subscriber can put whatever kind of filters they like against the feed - they can specify no prefixes shorter than /22 for instance, if they hate the idea of blacklisting entire /16 or /8 prefixes. They can specify IP blocks to ignore. If running real BGP, they can set localpref to 1 (very very bad) on the blacklist peer, so that no publicly-routed prefix can be blacklisted in its entirety. It gives the paranoid administrator much more control than simply importing a list carte blanche and black-holing everything in it.

I haven't implemented a way to keep updating the static routes upon changes of the list. I extended the conversion script to check all the current static routes on the router and remove or add any changes that occur from IntrusDave's blacklist. I've set it up to run every 24 hours at 00:00 GMT+3 DST. So it's pretty much all automatic now. It will keep all the static routes (blackholes) up to date with minimum effort and maximum efficiency (only changes are propagated to all the BGP peers instead of the whole list every day). Another advantage of using BGP is that you can push changes almost in real time instead of periodically checking for an updated list. Once you update the list the BGP can push the changes right away to everyone. Coming back to the efficiency argument, I just peered a couple of mAP-Lites with the blacklist and they loaded 2900 prefixes into the routing table without breaking a sweat.

"As it is now, you can simply move the drop rule from the firewall to RAW and it works nicely. That's what I do, personally."

Hi, can you share your raw rules? I'm using 6.36.
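Two pieces of the BGP discussion above lend themselves to a worked example: the publisher side, which has to remember what it last handed to ExaBGP so that each list rebuild sends only announcements and withdrawals (the full table goes out only when nothing has been sent yet, i.e. at session start), and the subscriber side, which applies its own policy such as "no prefix shorter than /22" and "ignore these blocks" before black-holing anything. The code below is an added Python illustration, not code from the thread or from ExaBGP; the `announce route ... next-hop ...` / `withdraw route ...` command strings follow ExaBGP's text API as I know it, the 127.0.0.2 bogus next-hop is the one suggested in the thread, and all prefixes are constructed sample data.

```python
"""Delta-based blacklist feed for ExaBGP plus a subscriber-side prefix filter
(added example, not the thread's own tooling)."""
import ipaddress
import json
from pathlib import Path

BOGUS_NEXT_HOP = "127.0.0.2"   # never a real gateway: mis-applied routes go nowhere


def compute_delta(previously_sent, current) -> tuple:
    """Return (announce, withdraw) as sorted lists. An empty previously_sent
    reproduces the full-table send that happens when a session first forms."""
    prev, cur = set(previously_sent), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def exabgp_commands(announce, withdraw, next_hop=BOGUS_NEXT_HOP) -> list:
    """Text-API lines for ExaBGP's stdin (assumed syntax, see lead-in)."""
    cmds = [f"announce route {p} next-hop {next_hop}" for p in announce]
    cmds += [f"withdraw route {p} next-hop {next_hop}" for p in withdraw]
    return cmds


def publish(state_file, current) -> list:
    """One list rebuild: load what was sent last time, persist the new state
    and return only the commands for what changed. The state file is the
    bookkeeping the thread says a publisher must keep."""
    path = Path(state_file)
    previously = json.loads(path.read_text()) if path.exists() else []
    announce, withdraw = compute_delta(previously, current)
    path.write_text(json.dumps(sorted(set(current))))
    return exabgp_commands(announce, withdraw)


def subscriber_filter(prefixes, min_prefixlen=22, ignore=()) -> list:
    """Client-side policy from the thread: refuse prefixes shorter than
    /min_prefixlen (no whole /16s or /8s) and anything inside the operator's
    own ignore blocks. IPv4 sample data; all inputs must share a family."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    kept = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if net.prefixlen < min_prefixlen:
            continue
        if any(net.subnet_of(i) for i in ignore_nets):
            continue
        kept.append(p)
    return kept


def demo() -> dict:
    """Constructed sequence: yesterday's list vs today's list, then the
    subscriber's view of today's list after its own filters."""
    yesterday = ["192.0.2.0/24", "198.51.100.0/24", "10.0.0.0/8"]
    today = ["198.51.100.0/24", "203.0.113.0/24", "10.0.0.0/8"]
    announce, withdraw = compute_delta(yesterday, today)
    return {
        "commands": exabgp_commands(announce, withdraw),
        "subscriber_keeps": subscriber_filter(today, ignore=["198.51.0.0/16"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With a persisted state file, `publish()` is idempotent across runs: calling it twice with the same list produces no commands the second time, which is exactly the property that lets a cron-driven rebuild feed a long-lived BGP session without re-announcing thousands of prefixes every cycle.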
Code:
curl -A 'Mikrotik/6.x Fetch' '(stable)&memory=1011.3 MiB&id=MikroTik&ver=2016.7.4a'

I would prefer that people don't do this. I already have one site that is mirroring my list and claiming it as his own. Very annoying.

As for BGP - I simply don't care to put the time in to building a system to setup the peers. Yes, I know it may ultimately be a better way to do this, but the current way is VERY easy for me, and I don't need to do any extra work for the number of little RB951s (hAPs) that I deploy. I really don't care to setup BGP on them, and given the limited memory, having the server only serve them the '3 day' list keeps things small and simple. Maybe someday I'll BGP. Just not now.

You are welcome to change the script and rules as much as you like. The script is written as it is because it works without fail on all 6.x versions. I don't normally change things if they are working. The rules in the first post do have the blacklist drops at the top. However, most by this point should be using raw drops instead of filter drops. Thanks.
Just wanted to know the reasoning while wading through this thread just in case I missed something. With `raw` drops, you mean rules like in right? -jeroen.

No, I'm sorry. As I said, the process is automated. It receives and processes nearly 100,000 IPs each day. If an IP makes it on the list, then it has been directly or indirectly responsible for malware. The whole thing was designed to keep my personal clients safe. If it's not working for you, then you have a few options.
1) ask for a refund and don't use the list.
2) use the list as an incoming only filter.
3) use the list as a raw in and out list, and whitelist the addresses you feel are wrongly blocked.
Personally, I use option 3 for businesses, and I use option 2 for home users.

Testing (mode 3) now on a new hEX and it works like a charm. (rep+) I'm wondering if I can consider your service 'reliable' (not in terms of false positives or alike, but) in terms of availability of updates; I'm considering putting this in production but I'm evaluating whether to create blacklists by myself or (pay and) pretend to have a reliable external service. I think you can understand.

My only wish would be that all of these routers were able to send back the addresses that they are attacked by. Unfortunately, there is no good way without putting their privacy at risk.

Let's discuss (in a new thread if needed) how to make this possible. I'm keeping dynamic login failure and unknown-port usage blacklists, currently having 10k+ entries (a huge increase after the TR-069 issues at German Telekom), with an expiration of 14 days. It would be cool if I could get them to your place somehow. -jeroen.

I have been using the list and service by IntrusDave for a few days and it works very well and I had many hits on the rule. I use it more selectively by filtering obvious illegal requests out in advance. I run three services and that is mail, web and secure web. Now those botnets have that many bots and that will result in very long lists of IPs, which decreases the efficiency in using those lists if you look at filtering time. Last weekend it was very busy and many many bots tried to get in so I looked at what they were doing. There were not that many that were caught by the list and 99% were filtered by the following rule that just leaves a window for the services I serve, and filters out anything else on TCP that is obviously illegal.

It is not uncommon. The blacklist is an automated system that flags any IP that has served malware in the last 7 days. Just because a CDN is used/owned by Microsoft doesn't mean that it is impervious to malware. Again, as I have stated before, this system was designed by me to keep my paid clients as safe as possible. I use this for all 24 of my hospitals and clinics. It works well to help stop the attacks of botnets and helps to prevent infection. That said, I will not whitelist any IPs just because they are used by a large company. Any website or CDN can be infected, no one is exempt from being filtered for it. These companies use CDNs. So what you see as blocked, I may not see blocked. When something is added to the block list, it is because that IP was found to have some form of malware.

The filters can be used in many ways. The list can be used in the RAW or the standard filters, both incoming and outgoing. If you are not able to access a website because of the list, that means that you are using it either in RAW, or on an outbound rule. You should be using it in the INPUT chain, with the New Connection flag. You do not need to be filtering established connections. You also don't need to filter destination IPs, unless you want more malware protection.
Just wanted to say THANK YOU for all your hard work on this list! It's really excellent! And your decision to use dynamic address list entries is really sharp. (Dynamic address entries simply means that on the address-list rules, he sets a timeout value, so that the MikroTik stores the address list in RAM memory until it times out, versus it being a normal address list entry with no timeout, and thus the MikroTik stores the entry on its 'disk' or NAND drive, so that it will persist through reboots.)

If an external USB or SD disk is available, NAND wearing can be avoided by writing temporary files to them. PS. Downloading and executing .rsc from a server that is not your own and/or over an insecure channel looks dangerous.

May I please be so bold, what are the commands to change the temporary file storage location? I use a RB750Gr3 and have a microSD card installed. Currently it's only really been used for backup configs and some logs as I haven't found a way to switch more to use it.

In the script, edit it to use disk1. So, the relevant parts would be:

Code:
/system scheduler
add interval=1d name=UpdateBlackListDaily on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=05:00:00
add name=UpdateBlackListOnReboot on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup

Are you sure? Because I see twice the same script run command. I will check if the script can't be started in sequence. I remember that this was not a problem but you never know.

Update: I have now checked it and the list was updated automatically this afternoon. I have different names for the script and I think you also wanted to communicate that. It works really great now and maybe a default 'startup' can be added to the installation script. I have good results and in the log I see hits on the blacklist every day.
I wanted to give a status update on my blacklist. As of this morning, the Blacklist has 3,500 routers downloading the list every day. They are pulling 1.7GB of data every 24 hours. Just about 52GB per month. I have moved the handling of the blacklist to a dedicated server. I currently use 4 high-profile blacklist services, in addition to the 215 honeypots that I collect data from all over the USA. I have been watching the FCC rulings very closely, and I will not hesitate to move the servers outside of the USA if I feel the list is at risk. I am currently looking into ways of having RouterOS check a SHA256sum to verify the validity of the list. Again, this list was started for my own use on the MikroTik routers that I manage. I do not charge for this list, and I have never asked for donations. That said, I have always been open to suggestions to make it better, but please remember that my primary concern is the safety of the medical groups and hospitals that I manage.

Code:
Name:      microsoft.com
Addresses: 23.100.122.17523.1.239.213.197104.40.211.35104.43.195.251

So if you can convert the list and put it in a DNS, then one record/domain name will supply all IP addresses in one go. You could make weekday lists like monday.blacklist.xxx / tuesday.blacklist.xxx ... sunday.blacklist.xxx. Give the DNS record a lifetime of 24+1 hours and remove that day when the next day's is generated and uploaded. In this way you are sure that the caching DNS servers upstream are cleaned to read in that weekday.blacklist.xxx when there is a request for it on the Internet. When a weekday.blacklist.xxx is in the cache of the DNS in the MikroTik, you only need one line in the address list to be able to filter. I think that a script is useful to make a hard delete of the outdated weekday to make room for the new weekday list. The DNS of the provider/supplier which the MikroTik owner is using is handling the traffic now. You have each day a one time upload and then the DNS structure is distributing your list for you. Delays are common, and because the used weekday was not present for the last 5 days there should be a direct request to the DNS. This way of working I already use myself and I put the extra IP addresses in the hosts file on the machine where my DNSmasq is running. DNSmasq reads the hosts file and returns the list of IP addresses when the domain name is requested. In doing so I only need one line to be able to filter more addresses in one go. I don't know if this is possible or even legal to use the DNS in that way. Updated: 12 February 2017.

Just hit 4000 active routers using the BlackList. Notable users are T-Mobile, using it on their Fixed LTE deployments. And even more so, several US Government sites have begun pulling the list.

Good to see the growth from 2700 to 4000 clients in the last seven months. I made a suggestion to use DNS to distribute the list and now I read again the start page of this posting and BGP also seems a solution. The blacklist gets many hits on my connection and I am pleased that those connection tries are terminated!

If you insist on doing it via DNS then look into rbldnsd, which is designed for exactly this purpose. You can feed it a list of IPs/hostnames and it can respond with whatever you want. RBLs used for mail etc commonly use this method for their black/white or rep lists. You can do more than just this, for example this guy here uses it to make a country lookup via DNS which can then be used for things like mail/web etc black/white lists etc. Anyway, personally, the way the list is right now is best as it can easily be adapted to whatever method/way you like. Just my two cents.
Using RBLs crossed my mind but then the amount of traffic would be the same as it is with BGP. When using DNS you will also have some traffic but the main part is distributed by external DNS servers as I see it. Distributed & cached, and the cache will lower the amount of traffic needed.

However whether DNS is less than BGP traffic-wise, taking caching etc. into effect, I'm not sure. I think if there were enough devices pulling the data, BGP would probably total up to more, but that's an educated guess more than fact.

The address-list entries are now Dynamic with a 48 hour timeout. This will cut the number of writes to NAND down dramatically.

If nothing else the opening post just needs to be updated. There is a small chance that the dynamic address-list manages to time out before the new dynamic address-list is downloaded and applied.
This could leave the system vulnerable for at least a couple of seconds each day when the update script is running. It could easily be fixed by extending the timeout by an hour or less. But maybe I am just overreacting at that.

Code:

```routeros
/system script run UpdateBlacklist
```

It's not meant to be run line by line.

I use the identity to group the routers for stats and troubleshooting. Example: all of my routers' IDs start with 'Intrus:: '; this allows me to sort them and quickly track down problems. While it's not currently required, it really is the only method that I have to keep track of how many routers are active daily. I do not use the serial number because I feel that is too invasive to request. I can not go by IP, because many are behind the same proxies. I could use the WAN MAC address, but I was betting that some would object to that too.

I was mostly asking because we have customer numbers and names as router identity, so I may be forced to not send you those if we start using your service. On another note: the second scheduler in the opening post, isn't it meant to be on startup? I use my startup scheduler scripts like this.

Updated the first post and the timeout to 25 hours. The identity is never seen by anyone but me. I do have DOD clearance, so nothing to worry about.
Well, I guess that doesn't mean much nowadays. You are welcome to set a static name for each router in the script. The database is stored on a separate server, with no direct internet connection. As for the schedule, you will have to play with it. It was originally set up back when the routers didn't store the date and time over a reboot, so on first boot the date and time was '1970-01-01 00:00:00'. RouterOS seems to have some issues with startup scripts, and I haven't had time to work out what needs to be changed. Not 100% sure whether or not to add the 'start-date=jan/01/1970' to the scheduler, since I haven't messed with them for a while. But the scheduler I posted does work, and I use a two minute delay before calling my scripts because I need to be sure that VPN tunnels are up.

Hello, Dave: I have noticed that the rule file is now less than 100kb (5000 filter file in March with same device and same Internet connection). I've checked the .rsc file downloaded, and not seen any "broken/ending in the middle of line", so is there anything I can do to further investigate where the problem is?
As great as this resource has been, in the last week it has started to block huge /16 blocks including most of Vietnam, Shopify, and many other networks that shouldn't be just added in huge /16, /19, and /24 blankets. Obviously this resource allows us to control what we want to do about these IP ranges, i.e. just block for specific ports or block entirely. Since we were blocking entirely, the phone has been ringing off the hook with very upset customers not able to route to many areas of the world. Maybe it's time to split this filter into different lists based on aggressive huge /16,/24 ranges being blocked or conservative where only specific IPs or smaller /24 ranges are blocked based on their danger.
The filters are intended to be used as incoming filters, not outgoing. If you change your rules to only block new connections coming in on the WAN interface, all should be good. I don't recommend using the list with the RAW filters. By blocking incoming on the WAN and new connections, you prevent the attacks, but you do not block new outbound connections.

I am confused by this about using RAW. Using the filters for incoming traffic in the RAW part is not as efficient? For outgoing I use a DNS filter and out-of-band port filtering for new connections in Mangle. It is really bad out there and I have lots of connections wanting to deliver mail which I don't want. It comes in waves since a few months and sometimes it is quiet for days and then it starts again.

Code:

```routeros
add action=drop chain=forward comment="Drop everything else on WAN1" in-interface=wan1 connection-nat-state=!dstnat
add action=drop chain=forward comment="Drop everything else on WAN2" in-interface=wan2 connection-nat-state=!dstnat
```

Thanks to your observation, I was able to make my security cameras visible from outside my house; however for the 'raw' rule in prerouting the 'connection-nat-state=!dstnat' is not possible, and I have it disabled. Do you know how I could make this rule work without blocking the cameras? Thanks!

Resolved!!!! I had to put the rules accepting the list of white IPs first into 'RAW', and everything was fine now.

It's very possible to do that, but I would need to see what the impact on the routers would be.
I'm not a big fan of the built-in DNS as it is and I'm not sure how well it would hold up with several thousand hostnames added to it.

Actually, I'm glad to inform you today that the current release has added a new patch for greatly improved import speed for the importing of static DNS entries. One thing you will notice is that the CPU usage is no longer at 100% during import and the import process is much faster. I will be doing some benchmarks of RouterOS before and after the patch to demonstrate the difference, and it is a remarkable improvement indeed.

Code:

```routeros
/system scheduler
add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=05:00:00
/system scheduler
add interval=00:00:00 name=UpdateBlackList on-event="/system script run blacklistUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=00:00:02
```

What kind of chain is this 'Attacks'? It should be input or forward chain, am I right?

Code:

```routeros
/system scheduler
add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=05:00:00
/system scheduler
add interval=00:00:00 name=UpdateBlackList on-event="/system script run blacklistUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=00:00:02
```

Two schedulers can have the same name, it is weird to have though. Also not sure the second scheduler is totally correct. At least it can be written better. See.

Many thanks for all your work and I was following this thread with great interest and checked this morning if I needed to update my script. That was the case and since three days I had an error on line one. So I downloaded the latest script and imported it after removing the running script. There are some things I had to change: user djoyce - admin to get the line back in my log where the dynamic.rsc has been downloaded: memory info fetch: file 'dynamic.rsc' downloaded.
I set the start delay time to 30 seconds because I have a PPPoE connection that takes a bit longer to come up after reboot. By default the location of the dynamic.rsc is now disk1 and that is ok by me because I have an SD card in my RB750Gr3, but I can change that to flash (mirrored in RAM) again if I like. I also noticed that on importing updateBlacklist.rsc to the script I got: /import updateBlacklist.rsc; failure: item with this name already exists, despite it did not exist until after the import.

I noticed today when I started Firefox that I was getting hits on the blacklist. I followed the IP and found that it led to hackademix.net and secure.informaction.com and looking on the site it was probably a plug-in that was generating the hits and that was NoScript. I have used this plug-in for years and I allow or disallow the default running of scripts filtered on the domain they are served by. Plugin homepage:

```
Name: secure.informaction.com
Addresses: 69.195.158.194
           69.195.158.198
           69.195.158.197
           69.195.158.195
           69.195.158.196
```

I understand how the blacklist is built and that it is based on bad traffic, and if there is a problem of a domain being misused then I can contact them to ask to look if they are hacked in any way? Found it and I don't know why I did not see it before: the block is 69.195.158.0/24 in the dynamicblacklist.

I'm not sure what you are asking here. You are always welcome to contact a site and ask them to fix any issues.
The subnet will be removed from the list automatically once whatever issue they were having is fixed. Many times it's that they are hosting a botnet that they do not even know about. Other times it may be that they are serving viruses in ads. AWS and Google Compute have both been blocked several times because they refuse to take down a virtual host that is being used to attack other networks.

Whitelisting is accomplished by creating a new address-list and a new filter rule.

1) Create an address list, say 'Whitelist', and add the IP addresses that you need never be blocked.
2) Create a new filter 'Accept' rule, using the src-address-list you created.
3) Place the new Whitelist Accept rule ABOVE the blacklist Drop rule.

There is no need to modify the script, and this can not be done on the server side. Please keep in mind that it's always better to understand why the IP/Subnet ended up on the blacklist and attempt to get that corrected first.
I have seen several networks penetrated because an admin whitelisted an address that was serving malware, instead of contacting that site/service and getting the issue resolved.

Hi Dave, thanks for your response. It was a bit complex but I did manage to add the subnet in a whitelist and that works for now. I am aware of the problems that such a whitelist might cause. In this case the subnet is from a local provider with many customers fighting spam. Sometimes one of them gets blacklisted for that reason and sometimes the entire subnet is. To make sure that 2 of the servers within my responsibility are not causing troubles I need to have access to them. For now I whitelisted those 2 and that does the job. Regards, Eddie.

And as if the devil was at work with my MikroTik, it crashed, and luckily I managed to switch off the startup script. I had already had three strikes so I also should disable the normal update, for the time being. Maybe it is possible to keep the file on the disk (when not using flash) and delete it on the next regular reload of 24 hours. After the first import it would have to be renamed with the time of the first import in the name. The script looks on a restart or regular reload if the file is older than 23 hours and then it would get a new one. If the file is younger than 23 hours the script will reload the file from the disk. You can then still throttle addresses that reload more than three times with a blank router. If they have to set up routers then they also should copy the current file to the disk on each router.

AAAARGH, lost some sleep by trying to find out the way to convert date+time so that I could subtract those and have the difference in time. No, I did not manage, but managed to go to sleep after staying up much too long. In the morning my mind started to seek a solution and I had different ideas but none of them would solve this. Then I got a great idea to just make a different script just for only the start-up. All pieces fell in place and no calculation and string delidding needed; just let nature do its work and follow the natural flow. The main script updateBlacklist is changed so that the dynamic.rsc file is not deleted after importing. The new startup script startupBlacklist is the current updateBlacklist stripped of all download and statistical parts. In updateBlacklist I commented out the removal of the dynamic.rsc file after importing and it will be overwritten by the new dynamic.rsc file when the daily update is run. This is the changed code part from updateBlacklist.

Hope that you like this adaptation and so also give your server a bit of rest, because restarted MikroTik devices will not bother it when just restarting and only knock on the door for the real daily update. So I am going now to eat my breakfast and enjoy my Sunday which is also today a sunny day.
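The daily/startup split described in the post above, written out as an added example; this is not the thread's own updateBlacklist or startupBlacklist (whose code is not reproduced here). The download URL is a placeholder, and the file path, address-list name and the format of the lines inside dynamic.rsc are assumptions.

```routeros
# Added example, not the scripts distributed in this thread. Assumed names:
# list file "disk1/dynamic.rsc", address-list "dynamicblacklist", and a
# placeholder download URL (the real service URL and its fields are not shown).

# ---- source of script "updateBlacklist" (run daily) ----
:local listFile "disk1/dynamic.rsc"
:local listUrl "https://blacklist.example.invalid/dynamic.rsc"
/tool fetch url=$listUrl dst-path=$listFile mode=https
:if ([:len [/file find name=$listFile]] = 0) do={
    :log error "updateBlacklist: download failed, old entries stay until timeout"
} else={
    # A server-side error such as "All fields are required" arrives as a
    # one-line file; refuse to import anything that small.
    :if ([/file get [find name=$listFile] size] < 1024) do={
        :log error "updateBlacklist: $listFile is only an error line, not importing"
    } else={
        # Lines in dynamic.rsc are assumed to look like
        #   /ip firewall address-list add list=dynamicblacklist \
        #       address=198.51.100.0/24 timeout=25h
        # so the timeout must exceed the 1d scheduler interval: the old entries
        # then never expire before the fresh import lands.
        /import file-name=$listFile
        :log info "updateBlacklist: imported $listFile (kept on disk for reboots)"
        # deliberately no "/file remove $listFile": startupBlacklist reuses it
    }
}

# ---- source of script "startupBlacklist" (run once per boot) ----
:local listFile "disk1/dynamic.rsc"
:if ([:len [/file find name=$listFile]] > 0) do={
    :log info "startupBlacklist: re-importing cached $listFile, no download"
    /import file-name=$listFile
} else={
    :log warning "startupBlacklist: no cached list, fetching a fresh one"
    /system script run updateBlacklist
}

# ---- schedulers ----
/system scheduler
add name=UpdateBlackList interval=1d start-time=05:00:00 policy=read,write,test \
    on-event="/system script run updateBlacklist"
# interval 0 + start-time=startup fires once per boot; the delay gives the
# WAN/PPPoE/VPN links time to come up before the import runs.
add name=StartupBlackList interval=00:00:00 start-time=startup policy=read,write,test \
    on-event=":delay 2m; /system script run startupBlacklist"
```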
Hello Dave, the script has the '?'; when pasted in the terminal it disappears. The log only has an entry of: script error: expected command name (line 1 column 1). The downloaded dynamic.rsc only has one line: All fields are required. Please update your script.

That would mean that you need the current script. It's available in the first post.

Dave, you could just escape the '?'. That would allow it to be run in the terminal without issue, and it will make no difference for non-terminal running. I mentioned it before, here.

A bit of saving on traffic: you could save about 20% of traffic by not adding the 'comment' part on every dynamicblacklist line. I don't know if RouterOS can handle deflated traffic when downloading. However there is xz/LZMA used when a firmware update is applied. So if on saving a file with the .gz extension it could be automatically extracted, then your dynamic.rsc.gz would be 20 times smaller and just 50KB instead of 970KB.

Update: all the .NPK files are zipped and extracted in some way when installed.
Looking into the system.npk I find the program 'unexpak' but I can't see what it is doing. When I look in lib I see the library libz.so and if I am not wrong that is compress/decompress code. The only thing I found MikroTik saying about compression stated that due to limitations of the size of the flash they do not allow a compression tool for the users. So maybe MikroTik could give us the option to export compressed and then to the normal extensions like .RSC and .BACKUP add .GZ and automatically decompress files with .GZ when read.
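For the inbound-only filter placement Dave recommends earlier in the thread and his three-step whitelist procedure, an added example of a minimal rule set (not Dave's distributed rules): the WAN interface name, the two address-list names and the sample whitelist entry are assumptions.

```routeros
# Added example, not the rule set distributed with the list. Assumed names:
# WAN interface ether1, address-lists "whitelist" and "dynamicblacklist"
# (the latter is filled by the daily import with dynamic, timed-out entries).

/ip firewall address-list
# Constructed example entry: a management network that must never be blocked
add list=whitelist address=192.0.2.0/24 comment="constructed example: mgmt net"

/ip firewall filter
# 1) Whitelist accept rules, placed ABOVE the blacklist drops (rule order is
#    the order of these add commands, top to bottom).
add chain=input action=accept src-address-list=whitelist \
    comment="whitelist: keep above blacklist drop"
add chain=forward action=accept src-address-list=whitelist \
    comment="whitelist: keep above blacklist drop"

# 2) Blacklist drops only NEW connections arriving on the WAN interface, in
#    the filter table rather than /ip firewall raw. Established/related
#    replies and all outbound traffic are untouched, which avoids the
#    "customers cannot reach whole /16 blocks" symptom reported above.
add chain=input action=drop in-interface=ether1 connection-state=new \
    src-address-list=dynamicblacklist comment="blacklist: inbound new"
add chain=forward action=drop in-interface=ether1 connection-state=new \
    src-address-list=dynamicblacklist comment="blacklist: inbound new"

# AVOID: matching on dst-address-list blocks your own users' outbound
# connections to every listed range, i.e. an outgoing filter.
# add chain=forward action=drop dst-address-list=dynamicblacklist

# Check: the whitelist rules must print before the blacklist rules
/ip firewall filter print where src-address-list=whitelist || src-address-list=dynamicblacklist
```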