Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » router » mikrotik_manual_blacklist
Trace:
networking:router:mikrotik_manual_blacklist

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:router:mikrotik_manual_blacklist [2014/12/19 09:51]
gcooper 		networking:router:mikrotik_manual_blacklist [2025/02/25 16:10] (current)
gcooper
Line 1: Line 1:
-====== Manually Add and Remove IP Addresses to a Blacklist ======+====== Manually Add and Remove IP Addresses to a Mikrotik Blacklist ====== 
 + 
 +FIXME **New**: https://forum.mikrotik.com/viewtopic.php?t=105444
  
 :!: This assumes you have a address list named ''blacklist'' that is being blocked. :!: This assumes you have a address list named ''blacklist'' that is being blocked.
Line 7: Line 9:
 </file> </file>
  
-/<file> +<file> 
-ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx]+/ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx] 
 +</file> 
 + 
 +===== Create Blacklist from Apache Logs ===== 
 + 
 +Filter the log entries for attackers first. 
 + 
 +Example from a recent Joomla experience where an attacking botnet utilized a vulnerable 'contacts' page: 
 + 
 +:!: You will want to change ''contact-me'' and the log file name for your needs. 
 + 
 +<file> 
 +grep contact-me /var/log/virtualmin/exmple.com_error_log >> example.txt 
 +</file> 
 + 
 +:!: Some Apache logs have the IP address as the first field. 
 + 
 +Strip it down to IP addresses: 
 + 
 +<file> 
 +awk '{ print $1 } ' example.txt | sort | uniq > evildoers.txt 
 +</file> 
 + 
 +Or, to just determine how many attackers there were: 
 + 
 +<file> 
 +awk '{ print $1 } ' example.txt | sort | uniq | wc -l 
 +</file> 
 + 
 +:!: Some newer Apache logs have the IP address deeper in the line. 
 + 
 +<file> 
 +cat bloody1.txt | awk '{ print $11 } ' | awk -F ':' '{ print $1 } ' | sort | uniq > evildoers.txt 
 +</file> 
 + 
 +Create a Mikrotik script to add the evildoers to a 'blacklist' address-list: 
 + 
 +<file> 
 +echo "/ip firewall address-list" > add-to-blacklist.rsc 
 +cat evildoers.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=Joomla-Contact-Botnet";}' >> add-to-blacklist.rsc 
 +</file> 
 + 
 +You can make the address-list entries dynamic by specifying a timeout by adding ''timeout=30d'' or something like that, just before the comment. 
 + 
 +Upload the ''add-to-blacklist.rsc'' script to the Mikrotik (drag into Files window), then import it in a Mikrotik terminal window: 
 + 
 +<file> 
 +/import add-to-blacklist.rsc 
 +</file> 
 + 
 +====== Script ====== 
 + 
 +FIXME Super slow and may not be 100% correct for ROS v7. 
 + 
 +:!: You should first run this script at the ROS command line to look for errors. 
 + 
 +:!: Make sure UNIX line endings are used in the ''ipaddress.txt'' file. 
 + 
 +:!: Make sure the ''ipaddress.txt'' file is less than 4K in size. 
 + 
 +<file> 
 +/system script add dont-require-permissions=no name=add-ip-addresses-to-blacklist owner=\ 
 +    admin policy=\ 
 +    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
 +    # Generic IP address list input\r\ 
 +    \n## Based on a script written by Sam Norris, ChangeIP.com 2008\r\ 
 +    \n## Edited by Andrew Cox, AccessPlus.com.au 2008\r\ 
 +    \n##\r\ 
 +    \n:put \"\";\r\ 
 +    \n:put \"This script requires the address text file to have UNIX line endings.\";\r\ 
 +    \n\ 
 +    \n:put \"\";\r\ 
 +    \n:put \"Hard coded source is file ipaddress.txt file.\";\r\ 
 +    \n\ 
 +    \n:put \"Hard coded destination is the blacklist address-list.\";\r\ 
 +    \n\ 
 +    \n:put \"Comment for imported entries is hard coded in the script.\";\r\ 
 +    \n\ 
 +    \n:put \"The ipaddress.txt file must be smaller than 4KB.\";\r\ 
 +    \n:put \"\";\r\ 
 +    \n##:put \"Removing all old address-list entries...\";\r\ 
 +    \n##/ip firewall address-list remove [/ip firewall address-list find list=blacklist];\r\ 
 +    \n:global content [/file get [/file find name=ipaddress.txt] contents] ;\r\ 
 +    \n:global contentLen [ :len \$content ] ;\r\ 
 +    \n:global lineEnd 0;\r\ 
 +    \n:global line \"\";\r\ 
 +    \n:global lastEnd 0;\r\ 
 +    \n:do {\r\ 
 +    \n      :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\ 
 +    \n      :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\ 
 +    \n      :set lastEnd ( \$lineEnd + 1 ) ;\r\ 
 +    \n      #If the line doesn't start with a hash then process and add to the list\r\ 
 +    \n      :if ( [:pick \$line 0 1] != \"#\" ) do={\r\ 
 +    \n      :local entry [:pick \$line 0 \$lineEnd ]\r\ 
 +    \n      :if ( [:len \$entry ] > 0 ) do={\r\ 
 +    \n         :put \"Removing \$entry from blacklist, if it exists\";\r\ 
 +    \n         /ip firewall address-list remove [find list=\"blacklist\" address=\$entry];\r\ 
 +    \n         :put \"Address being added is \$entry\";\r\ 
 +    \n         /ip firewall address-list add list=blacklist address=\$entry comment=\"Spammer\";\r\ 
 +    \n         }\r\ 
 +    \n      }\r\ 
 +    \n    } while (\$lineEnd < \$contentLen)\r\ 
 +    \n}" 
 </file> </file>
networking/router/mikrotik_manual_blacklist.1419007889.txt.gz · Last modified: 2014/12/19 09:51 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki