====== Manually Add and Remove IP Addresses to a Mikrotik Blacklist ======
FIXME **New**: https://forum.mikrotik.com/viewtopic.php?t=105444
:!: This assumes you have a address list named ''blacklist'' that is being blocked.
/ip firewall address-list add comment="Manual Addition" list=blacklist address=xxx.xxx.xxx.xxx
/ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx]
===== Create Blacklist from Apache Logs =====
Filter the log entries for attackers first.
Example from a recent Joomla experience where an attacking botnet utilized a vulnerable 'contacts' page:
:!: You will want to change ''contact-me'' and the log file name for your needs.
grep contact-me /var/log/virtualmin/exmple.com_error_log >> example.txt
:!: Some Apache logs have the IP address as the first field.
Strip it down to IP addresses:
awk '{ print $1 } ' example.txt | sort | uniq > evildoers.txt
Or, to just determine how many attackers there were:
awk '{ print $1 } ' example.txt | sort | uniq | wc -l
:!: Some newer Apache logs have the IP address deeper in the line.
cat bloody1.txt | awk '{ print $11 } ' | awk -F ':' '{ print $1 } ' | sort | uniq > evildoers.txt
Create a Mikrotik script to add the evildoers to a 'blacklist' address-list:
echo "/ip firewall address-list" > add-to-blacklist.rsc
cat evildoers.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=Joomla-Contact-Botnet";}' >> add-to-blacklist.rsc
You can make the address-list entries dynamic by specifying a timeout by adding ''timeout=30d'' or something like that, just before the comment.
Upload the ''add-to-blacklist.rsc'' script to the Mikrotik (drag into Files window), then import it in a Mikrotik terminal window:
/import add-to-blacklist.rsc
====== Script ======
FIXME Super slow and may not be 100% correct for ROS v7.
:!: You should first run this script at the ROS command line to look for errors.
:!: Make sure UNIX line endings are used in the ''ipaddress.txt'' file.
:!: Make sure the ''ipaddress.txt'' file is less than 4K in size.
/system script add dont-require-permissions=no name=add-ip-addresses-to-blacklist owner=\
admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
# Generic IP address list input\r\
\n## Based on a script written by Sam Norris, ChangeIP.com 2008\r\
\n## Edited by Andrew Cox, AccessPlus.com.au 2008\r\
\n##\r\
\n:put \"\";\r\
\n:put \"This script requires the address text file to have UNIX line endings.\";\r\
\n\
\n:put \"\";\r\
\n:put \"Hard coded source is file ipaddress.txt file.\";\r\
\n\
\n:put \"Hard coded destination is the blacklist address-list.\";\r\
\n\
\n:put \"Comment for imported entries is hard coded in the script.\";\r\
\n\
\n:put \"The ipaddress.txt file must be smaller than 4KB.\";\r\
\n:put \"\";\r\
\n##:put \"Removing all old address-list entries...\";\r\
\n##/ip firewall address-list remove [/ip firewall address-list find list=blacklist];\r\
\n:global content [/file get [/file find name=ipaddress.txt] contents] ;\r\
\n:global contentLen [ :len \$content ] ;\r\
\n:global lineEnd 0;\r\
\n:global line \"\";\r\
\n:global lastEnd 0;\r\
\n:do {\r\
\n :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
\n :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
\n :set lastEnd ( \$lineEnd + 1 ) ;\r\
\n #If the line doesn't start with a hash then process and add to the list\r\
\n :if ( [:pick \$line 0 1] != \"#\" ) do={\r\
\n :local entry [:pick \$line 0 \$lineEnd ]\r\
\n :if ( [:len \$entry ] > 0 ) do={\r\
\n :put \"Removing \$entry from blacklist, if it exists\";\r\
\n /ip firewall address-list remove [find list=\"blacklist\" address=\$entry];\r\
\n :put \"Address being added is \$entry\";\r\
\n /ip firewall address-list add list=blacklist address=\$entry comment=\"Spammer\";\r\
\n }\r\
\n }\r\
\n } while (\$lineEnd < \$contentLen)\r\
\n}"