Skip to content
This repository has been archived by the owner on Apr 18, 2022. It is now read-only.
/ cs-mikrotik-bouncer Public archive

A CrowdSec bouncer for MikroTik RouterOS appliance

License

Notifications You must be signed in to change notification settings

tuxtof/cs-mikrotik-bouncer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CrowdSec


This repo as moved to funkolab/cs-mikrotik-bouncer


CrowdSec Mikrotik Bouncer

A CrowdSec Bouncer for MikroTik RouterOS appliance

GitHub GitHub go.mod Go version Go Report Card Maintainability ci GitHub tag (latest SemVer) Docker Image Size (latest semver)

Description

This repository aim to implement a CrowdSec bouncer for the router Mikrotik to block malicious IP to access your services. For this it leverages Mikrotik API to populate a dynamic Firewall Address List.

Usage

For now, this web service is mainly fought to be used as a container.
If you need to build from source, you can get some inspiration from the Dockerfile.

Prerequisites

You should have a Mikrotik appliance and a CrowdSec instance running.
The container is available as docker image ghcr.io/tuxtof/cs-mikrotik-bouncer and tuxtof/cs-mikrotik-bouncer. It must have access to CrowdSec and to Mikrotik.

Generate a bouncer API key following CrowdSec documentation

Procedure

  1. Get a bouncer API key from your CrowdSec with command cscli bouncers add mikrotik-bouncer
  2. Copy the API key printed. You WON'T be able the get it again.
  3. Paste this API key as the value for bouncer environment variable CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey"
  4. Start bouncer with docker-compose up bouncer in the example directory
  5. Create IP drop Filter Rules in input and forward Chain with the crowdsec Source Address List
  6. Create IPv6 drop Filter Rules in input and forward Chain with the crowdsec Source Address List (if IPv6 used)
/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

Configuration

The bouncer configuration is made via environment variables:

Name Description Default Required
CROWDSEC_BOUNCER_API_KEY CrowdSec bouncer API key required to be authorized to request local API none
CROWDSEC_URL Host and port of CrowdSec agent http://crowdsec:8080/
LOG_LEVEL Minimum log level for bouncer in zerolog levels 1
MIKROTIK_HOST Mikrotik appliance address none
MIKROTIK_USER Mikrotik appliance username none
MIKROTIK_PASS Mikrotik appliance password none
MIKROTIK_TLS User TLS to connect to Mikrotik API true

Contribution

Any constructive feedback is welcome, fill free to add an issue or a pull request. I will review it and integrate it to the code.