New: https://forum.mikrotik.com/viewtopic.php?t=105444
This assumes you have an address list named blacklist whose addresses are already being blocked by your firewall rules.
/ip firewall address-list add comment="Manual Addition" list=blacklist address=xxx.xxx.xxx.xxx
/ip firewall address-list remove [/ip firewall address-list find address=xxx.xxx.xxx.xxx]
Filter the log entries for attackers first.
Example from a recent Joomla experience where an attacking botnet utilized a vulnerable 'contacts' page:
You will want to change contact-me and the log file name for your needs.
grep contact-me /var/log/virtualmin/example.com_error_log >> example.txt
Some Apache logs have the IP address as the first field.
Strip it down to IP addresses:
awk '{ print $1 } ' example.txt | sort | uniq > evildoers.txt
Or, to just determine how many attackers there were:
awk '{ print $1 } ' example.txt | sort | uniq | wc -l
Some newer Apache logs have the IP address deeper in the line.
cat bloody1.txt | awk '{ print $11 } ' | awk -F ':' '{ print $1 } ' | sort | uniq > evildoers.txt
Create a Mikrotik script to add the evildoers to a 'blacklist' address-list:
echo "/ip firewall address-list" > add-to-blacklist.rsc
cat evildoers.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blacklist address=" $1 " comment=Joomla-Contact-Botnet";}' >> add-to-blacklist.rsc
You can make the address-list entries dynamic by specifying a timeout, for example adding timeout=30d (or something like that) just before the comment.
Upload the add-to-blacklist.rsc script to the Mikrotik (drag it into the Files window), then import it in a Mikrotik terminal window:
/import add-to-blacklist.rsc
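The whole pipeline above, as an added example that is not part of the original page: it filters constructed Apache log lines for one attack signature, pulls out the attacking IPv4 addresses from whichever field carries them (first field or a "[client ip:port]" field), validates them, and writes the RouterOS import script with a timeout so the entries expire. The function names, the sample log lines and the 30d timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: turn Apache log lines that hit a
# given URL fragment into a RouterOS address-list import script. Handles both
# layouts the page mentions: the client IP as the first field, or inside a
# "[client 1.2.3.4:56789]" field deeper in the line. IPv6 clients are skipped
# because only dotted-quad IPv4 is accepted. Log lines are constructed.
SAMPLE_LOG='203.0.113.10 - - [10/Oct/2023:12:00:00 +0000] "POST /contact-me HTTP/1.1" 403 199
[Tue Oct 10 12:00:01.000000 2023] [core:error] [pid 1234] [client 198.51.100.7:41234] AH00128: File does not exist: /var/www/contact-me
203.0.113.10 - - [10/Oct/2023:12:00:02 +0000] "POST /contact-me HTTP/1.1" 403 199
[Tue Oct 10 12:00:03.000000 2023] [core:error] [pid 1234] [client 2001:db8::1:41235] AH00128: File does not exist: /var/www/contact-me
192.0.2.200 - - [10/Oct/2023:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120'

# extract_ips PATTERN  (log on stdin): unique, validated IPv4 addresses from
# the lines matching PATTERN, whichever field carries the address.
extract_ips() {
    grep -- "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/:[0-9]+.*$/, "", f)     # strip a ":port]" suffix
            if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                split(f, o, ".")         # reject things like 10.999.1.1
                if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) print f
            }
        }
    }' | sort -u
}

# make_rsc LIST COMMENT TIMEOUT  (addresses on stdin): the .rsc text to import;
# the timeout makes the entries dynamic so they expire instead of piling up.
make_rsc() {
    echo "/ip firewall address-list"
    awk -v list="$1" -v comment="$2" -v timeout="$3" \
        '{ print "add list=" list " address=" $1 " timeout=" timeout " comment=" comment }'
}

# count_attackers PATTERN: how many distinct attacking hosts hit PATTERN.
count_attackers() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips "$1" | wc -l | tr -d ' '
}

# build_rsc PATTERN: the complete import script for one attack signature.
build_rsc() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips "$1" \
        | make_rsc blacklist Joomla-Contact-Botnet 30d
}

build_rsc contact-me    # redirect to add-to-blacklist.rsc for upload
```

Replace SAMPLE_LOG with a real error log (cat the file into extract_ips) and the import script is ready for /import on the router.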
The following RouterOS script, which reads the address file on the router itself, is super slow and may not be 100% correct for ROS v7.
You should first run this script at the ROS command line to look for errors.
Make sure UNIX line endings are used in the ipaddress.txt file.
Make sure the ipaddress.txt file is less than 4K in size.
The script entry is created with:
/system script add dont-require-permissions=no name=add-ip-addresses-to-blacklist owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
Its source, shown here with the export line-continuation escapes decoded into plain script lines (paste it into the script's source field, or run it at the terminal first to check for errors):
## Generic IP address list input
## Based on a script written by Sam Norris, ChangeIP.com 2008
## Edited by Andrew Cox, AccessPlus.com.au 2008
##
:put "";
:put "This script requires the address text file to have UNIX line endings.";
:put "";
:put "Hard coded source is file ipaddress.txt file.";
:put "Hard coded destination is the blacklist address-list.";
:put "Comment for imported entries is hard coded in the script.";
:put "The ipaddress.txt file must be smaller than 4KB.";
:put "";
## Uncomment the next two lines to flush the existing list before importing
##:put "Removing all old address-list entries...";
##/ip firewall address-list remove [/ip firewall address-list find list=blacklist];
# Read the whole file into a string (this is why the 4KB limit applies)
:global content [/file get [/file find name=ipaddress.txt] contents];
:global contentLen [:len $content];
:global lineEnd 0;
:global line "";
:global lastEnd 0;
:do {
    # Find the end of the current line; a last line with no trailing newline
    # makes :find return nil, so treat end-of-file as the line end instead
    :set lineEnd [:find $content "\n" $lastEnd];
    :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen };
    :set line [:pick $content $lastEnd $lineEnd];
    :set lastEnd ($lineEnd + 1);
    # If the line doesn't start with a hash then process and add to the list
    :if ([:pick $line 0 1] != "#") do={
        :local entry $line;
        :if ([:len $entry] > 0) do={
            # Remove any existing entry first so the add does not fail as a duplicate
            :put "Removing $entry from blacklist, if it exists";
            /ip firewall address-list remove [find list="blacklist" address=$entry];
            :put "Address being added is $entry";
            /ip firewall address-list add list=blacklist address=$entry comment="Spammer";
        }
    }
} while=($lineEnd < $contentLen)