New: https://forum.mikrotik.com/viewtopic.php?t=105444
This assumes you have an address list named blacklist that is being blocked.
/ip firewall address-list add comment="Manual Addition" list=blacklist address=xxx.xxx.xxx.xxx
/ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx]
Filter the log entries for attackers first.
Example from a recent Joomla experience where an attacking botnet utilized a vulnerable 'contacts' page:
You will want to change contact-me and the log file name for your needs.
grep contact-me /var/log/virtualmin/example.com_error_log >> example.txt
Some Apache logs have the IP address as the first field.
Strip it down to IP addresses:
awk '{ print $1 } ' example.txt | sort | uniq > evildoers.txt
Or, to just determine how many attackers there were:
awk '{ print $1 } ' example.txt | sort | uniq | wc -l
Some newer Apache logs have the IP address deeper in the line.
cat example.txt | awk '{ print $11 } ' | awk -F ':' '{ print $1 } ' | sort | uniq > evildoers.txt
Create a Mikrotik script to add the evildoers to a 'blacklist' address-list:
echo "/ip firewall address-list" > add-to-blacklist.rsc
cat evildoers.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=Joomla-Contact-Botnet";}' >> add-to-blacklist.rsc
You can make the address-list entries dynamic by adding a timeout, for example timeout=30d, just before the comment.
Upload the add-to-blacklist.rsc script to the Mikrotik (drag it into the Files window), then import it in a Mikrotik terminal window:
/import add-to-blacklist.rsc
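The whole procedure above as one shell function; this is an added example, not part of the original page. It goes a little further than the one-liners: it handles both log layouts, rejects octets above 255, and skips addresses you list as never to be blocked. The names make_blacklist_rsc and sample_log, the allowlist argument, and the "[client IP:port]" error-log layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page).
# make_blacklist_rsc LOGFILE PATTERN [TIMEOUT] [COMMENT] [ALLOW]
#   ALLOW: space-separated addresses that must never be blocked (assumed parameter).
# Usage: make_blacklist_rsc example.txt contact-me 30d > add-to-blacklist.rsc
make_blacklist_rsc() {
    log=$1; pattern=$2; timeout=${3:-30d}
    comment=${4:-Joomla-Contact-Botnet}; allow=${5:-}
    echo "/ip firewall address-list"
    grep -F -- "$pattern" "$log" | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        {
            ip = $1                          # access-log layout: IP is field 1
            for (i = 1; i < NF; i++)         # error-log layout: [client IP:port]
                if ($i == "[client") { ip = $(i + 1); break }
            sub(/\]$/, "", ip)               # drop trailing bracket
            sub(/:[0-9]+$/, "", ip)          # drop source port
            if (split(ip, o, ".") != 4) next # not dotted-quad IPv4
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
            if (!(ip in skip)) print ip
        }' | sort -u | while read -r ip; do
        # timeout goes just before the comment, as described above
        echo "add list=blacklist address=$ip timeout=$timeout comment=\"$comment\""
    done
}

# Constructed sample lines (documentation address ranges), both layouts plus junk.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [11/Oct/2017:14:32:52 +0000] "POST /contact-me HTTP/1.1" 200 512
203.0.113.5 - - [11/Oct/2017:14:32:53 +0000] "POST /contact-me HTTP/1.1" 200 512
[Wed Oct 11 14:33:01.120 2017] [core:error] [pid 812] [client 198.51.100.77:51234] File does not exist: /var/www/contact-me
[Wed Oct 11 14:33:02.120 2017] [core:error] [pid 812] [client 192.0.2.10:40000] File does not exist: /var/www/contact-me
999.1.1.1 - - [11/Oct/2017:14:34:00 +0000] "GET /contact-me HTTP/1.1" 404 0
198.51.100.9 - - [11/Oct/2017:14:35:00 +0000] "GET /index.php HTTP/1.1" 200 90
EOF
}
```

Pass your own management and monitoring addresses as the fifth argument so an import cannot lock you out of the router.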