New: https://forum.mikrotik.com/viewtopic.php?t=105444

This assumes you have a address list named blacklist that is being blocked.

/ip firewall address-list add comment="Manual Addition" list=blacklist address=xxx.xxx.xxx.xxx

/ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx]

Filter the log entries for attackers first.

Example from a recent Joomla experience where an attacking botnet utilized a vulnerable 'contacts' page:

You will want to change contact-me and the log file name for your needs.

grep contact-me /var/log/virtualmin/exmple.com_error_log >> example.txt

Some Apache logs have the IP address as the first field.

Strip it down to IP addresses:

awk '{ print $1 } ' example.txt | sort | uniq > evildoers.txt

Or, to just determine how many attackers there were:

awk '{ print $1 } ' example.txt | sort | uniq | wc -l

Some newer Apache logs have the IP address deeper in the line.

cat bloody1.txt | awk '{ print $11 } ' | awk -F ':' '{ print $1 } ' | sort | uniq > evildoers.txt

Create a Mikrotik script to add the evildoers to a 'blacklist' address-list:

echo "/ip firewall address-list" > add-to-blacklist.rsc
cat evildoers.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=Joomla-Contact-Botnet";}' >> add-to-blacklist.rsc

You can make the address-list entries dynamic by specifying a timeout by adding timeout=30d or something like that, just before the comment.

Upload the add-to-blacklist.rsc script to the Mikrotik (drag into Files window), then import it in a Mikrotik terminal window:

/import add-to-blacklist.rsc

/system script add dont-require-permissions=no name=add-ip-addresses-to-blacklist owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    # Generic IP address list input\r\
    \n## Based on a script written by Sam Norris, ChangeIP.com 2008\r\
    \n## Edited by Andrew Cox, AccessPlus.com.au 2008\r\
    \n##\r\
    \n:put \"\";\r\
    \n:put \"This script requires the address text file to have UNIX line endi\
    ngs.\";\r\
    \n\
    \n:put \"\";\r\
    \n:put \"Hard coded source is file ipaddress.txt file.\";\r\
    \n\
    \n:put \"Hard coded destination is the blacklist address-list.\";\r\
    \n\
    \n:put \"Comment for imported entries is hard coded in the script.\";\r\
    \n\
    \n:put \"The ipaddress.txt file must be smaller than 4KB.\";\r\
    \n:put \"\";\r\
    \n##:put \"Removing all old address-list entries...\";\r\
    \n##/ip firewall address-list remove [/ip firewall address-list find list=\
    blacklist];\r\
    \n:global content [/file get [/file find name=ipaddress.txt] contents] ;\r\
    \n:global contentLen [ :len \$content ] ;\r\
    \n:global lineEnd 0;\r\
    \n:global line \"\";\r\
    \n:global lastEnd 0;\r\
    \n:do {\r\
    \n      :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
    \n      :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
    \n      :set lastEnd ( \$lineEnd + 1 ) ;\r\
    \n      #If the line doesn't start with a hash then process and add to the\
    \_list\r\
    \n      :if ( [:pick \$line 0 1] != \"#\" ) do={\r\
    \n      :local entry [:pick \$line 0 \$lineEnd ]\r\
    \n      :if ( [:len \$entry ] > 0 ) do={\r\
    \n         :put \"Removing \$entry from blacklist, if it exists\";\r\
    \n         /ip firewall address-list remove [find list=\"blacklist\" addre\
    ss=\$entry];\r\
    \n         :put \"Address being added is \$entry\";\r\
    \n         /ip firewall address-list add list=blacklist address=\$entry co\
    mment=\"Spammer\";\r\
    \n         }\r\
    \n      }\r\
    \n    } while (\$lineEnd < \$contentLen)\r\
    \n}"