crowdsec-mikrotik-bouncer

crowdsec-mikrotik-bouncer

Docker app from Darklesc's Repository

Overview

This repository aim to implement a CrowdSec bouncer for the router Mikrotik to block malicious IP to access your services. For this it leverages Mikrotik API to populate a dynamic Firewall Address List.

CrowdSec

CrowdSec Mikrotik Bouncer

A CrowdSec Bouncer for MikroTik RouterOS appliance

⚠️ This repository is no longer actively maintained. You can find an alternative project at the following address: https://github.com/nvtkaszpir/cs-mikrotik-bouncer-alt

GitHub GitHub go.mod Go version Go Report Card Maintainability ci GitHub tag (latest SemVer) Docker Image Size (latest semver)

Description

This repository aim to implement a CrowdSec bouncer for the router Mikrotik to block malicious IP to access your services. For this it leverages Mikrotik API to populate a dynamic Firewall Address List.

Usage

For now, this web service is mainly fought to be used as a container.
If you need to build from source, you can get some inspiration from the Dockerfile.

Prerequisites

You should have a Mikrotik appliance and a CrowdSec instance running.
The container is available as docker image ghcr.io/funkolab/cs-mikrotik-bouncer. It must have access to CrowdSec and to Mikrotik.

Generate a bouncer API key following CrowdSec documentation

Procedure

  1. Get a bouncer API key from your CrowdSec with command cscli bouncers add mikrotik-bouncer
  2. Copy the API key printed. You WON'T be able the get it again.
  3. Paste this API key as the value for bouncer environment variable CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey"
  4. Start bouncer with docker-compose up bouncer in the example directory
  5. Create IP drop Filter Rules in input and forward Chain with the crowdsec Source Address List
  6. Create IPv6 drop Filter Rules in input and forward Chain with the crowdsec Source Address List (if IPv6 used)
/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

Configuration

The bouncer configuration is made via environment variables:

Name Description Default Required
CROWDSEC_BOUNCER_API_KEY CrowdSec bouncer API key required to be authorized to request local API none
CROWDSEC_URL Host and port of CrowdSec agent http://crowdsec:8080/
CROWDSEC_ORIGINS Space separated list of CrowdSec origins to filter from LAPI (EG: "crowdsec cscli") none
LOG_LEVEL Minimum log level for bouncer in zerolog levels 1
MIKROTIK_HOST Mikrotik appliance address none
MIKROTIK_USER Mikrotik appliance username none
MIKROTIK_PASS Mikrotik appliance password none
MIKROTIK_TLS User TLS to connect to Mikrotik API true
MIKROTIK_IPV6 Enable / Disable IPv6 support true

Contribution

Any constructive feedback is welcome, fill free to add an issue or a pull request. I will review it and integrate it to the code.

Install crowdsec-mikrotik-bouncer on Unraid in a few clicks.

Find crowdsec-mikrotik-bouncer in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for crowdsec-mikrotik-bouncer Review the template variables and paths Click Install

Requirements

Prerequisites:
Generate a bouncer API key following CrowdSec documentation https://doc.crowdsec.net/docs/cscli/cscli_bouncers_add/
cscli bouncers add Mikrotik-0
Activate API in mikrotik
IP -> Service -> Enable api and apply security

Procedure:
1    Get a bouncer API key from your CrowdSec with command cscli bouncers add mikrotik-bouncer
2    Copy the API key printed. You WON'T be able the get it again.
3    Paste this API key as the value for bouncer environment variable CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey"
4    Start bouncer with docker-compose up bouncer in the example directory
5    Create IP drop Filter Rules in input and forward Chain with the crowdsec Source Address List
6    Create IPv6 drop Filter Rules in input and forward Chain with the crowdsec Source Address List (if IPv6 used)

/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

Categories

Download Statistics

557
Total Downloads

Related apps

Explore more like this

Explore all

Details

Repository
ghcr.io/funkolab/cs-mikrotik-bouncer:latest
Last Updated2022-05-22
First Seen2024-12-09

Runtime arguments

Network
bridge
Shell
sh
Privileged
false

Template configuration

CROWDSEC BOUNCER API KEYVariable
Target
CROWDSEC_BOUNCER_API_KEY
Default
your-api-key
Value
your-api-key
CROWDSEC URLVariable
Target
CROWDSEC_URL
Default
http://crowdsec:8080/
Value
http://crowdsec:8080/
MIKROTIK HOSTVariable
Target
MIKROTIK_HOST
Default
your-ip-mikrotik:8728
Value
your-ip-mikrotik:8728
MIKROTIK USERVariable
Target
MIKROTIK_USER
Default
your-mirkotik-user
Value
your-mirkotik-user
MIKROTIK PASSVariable
Target
MIKROTIK_PASS
Default
your-mikrotik-pass
Value
your-mikrotik-pass
MIKROTIK IPV6Variable
Target
MIKROTIK_IPV6
Default
true
Value
true
MIKROTIK TLSVariable
Target
MIKROTIK_TLS
Default
true
Value
true
CROWDSEC ORIGINSVariable
Target
CROWDSEC_ORIGINS
Default
none
Value
none
LOG LEVELVariable
Target
LOG_LEVEL
Default
1
Value
1