Manually Add and Remove IP Addresses to a Mikrotik Blacklist

Note: This assumes you have an address list named blacklist that is being blocked.

/ip firewall address-list add comment="Manual Addition" list=blacklist address=xxx.xxx.xxx.xxx
/ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx]

Create Blacklist from Apache Logs

Filter the log entries for attackers first.

Example from a recent Joomla experience where an attacking botnet utilized a vulnerable 'contacts' page:

grep contact-me /var/log/virtualmin/example.com_error_log >> example.txt

Strip it down to IP addresses:

awk '{ print $1 } ' example.txt | sort | uniq > evildoers.txt

Or, to just determine how many attackers there were:

awk '{ print $1 } ' example.txt | sort | uniq | wc -l

Create a Mikrotik script to add the evildoers to a 'blacklist' address-list:

echo "/ip firewall address-list" > add-to-blacklist.rsc
cat evildoers.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=Joomla-Contact-Botnet";}' >> add-to-blacklist.rsc

To make the address-list entries dynamic, so that they expire on their own, add a timeout to each add line, for example timeout=30d.
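
The steps above combined into one function, as an added example that is not part of the original page. It goes a little further than the one-liners: each octet is range-checked, addresses you pass as an allow-list (for example your own management address) are skipped, and the timeout is applied. The function name gen_blacklist_rsc, the allow-list argument and the sample log lines are assumptions made for this example; it expects the client address in the first field, as in an Apache access log.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: gen_blacklist_rsc LIST COMMENT TIMEOUT [ALLOWED_IP ...] < log-lines
# COMMENT must not contain spaces (it is written unquoted, as on the page).
gen_blacklist_rsc() {
    list=$1; comment=$2; timeout=$3; shift 3
    allow=" $* "    # space-padded so allow-listed addresses match whole
    echo "/ip firewall address-list"
    awk -v list="$list" -v comment="$comment" -v timeout="$timeout" -v allow="$allow" '
        {
            ip = $1
            if (ip in seen) next            # de-duplicate, keep first-seen order
            seen[ip] = 1
            if (split(ip, o, ".") != 4) next    # hostnames, IPv6, junk
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
            if (index(allow, " " ip " ")) next  # never block allow-listed hosts
            printf "add list=%s address=%s comment=%s timeout=%s\n", list, ip, comment, timeout
        }'
}

# Constructed sample input (documentation address ranges, not real attackers).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [02/Nov/2018:10:00:01 +0000] "POST /contact-me HTTP/1.1" 200 512
203.0.113.7 - - [02/Nov/2018:10:00:02 +0000] "POST /contact-me HTTP/1.1" 200 512
198.51.100.23 - - [02/Nov/2018:10:00:03 +0000] "POST /contact-me HTTP/1.1" 200 512
192.0.2.10 - - [02/Nov/2018:10:00:04 +0000] "GET /contact-me HTTP/1.1" 200 900
999.1.1.1 - - [02/Nov/2018:10:00:05 +0000] "POST /contact-me HTTP/1.1" 200 512
host.example.net - - [02/Nov/2018:10:00:06 +0000] "POST /contact-me HTTP/1.1" 200 512
EOF
}

# 192.0.2.10 plays the role of an admin address that must stay reachable.
sample_log | gen_blacklist_rsc blacklist Joomla-Contact-Botnet 30d 192.0.2.10
```

Redirect the output to add-to-blacklist.rsc and review it before importing it on the router.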

networking/router/mikrotik_manual_blacklist.1541178865.txt.gz · Last modified: 2018/11/02 11:14 by gcooper