All apps · 0 apps
crowdsec-mikrotik-bouncer
Docker app from Darklesc's Repository
Overview
Readme
View on GitHub
CrowdSec Mikrotik Bouncer
A CrowdSec Bouncer for MikroTik RouterOS appliance
⚠️ This repository is no longer actively maintained. You can find an alternative project at the following address: https://github.com/nvtkaszpir/cs-mikrotik-bouncer-alt
Description
This repository aim to implement a CrowdSec bouncer for the router Mikrotik to block malicious IP to access your services. For this it leverages Mikrotik API to populate a dynamic Firewall Address List.
Usage
For now, this web service is mainly fought to be used as a container.
If you need to build from source, you can get some inspiration from the Dockerfile.
Prerequisites
You should have a Mikrotik appliance and a CrowdSec instance running.
The container is available as docker image ghcr.io/funkolab/cs-mikrotik-bouncer. It must have access to CrowdSec and to Mikrotik.
Generate a bouncer API key following CrowdSec documentation
Procedure
- Get a bouncer API key from your CrowdSec with command
cscli bouncers add mikrotik-bouncer - Copy the API key printed. You WON'T be able the get it again.
- Paste this API key as the value for bouncer environment variable
CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey" - Start bouncer with
docker-compose up bouncerin theexampledirectory - Create
IP drop Filter RulesininputandforwardChain with thecrowdsec Source Address List - Create
IPv6 drop Filter RulesininputandforwardChain with thecrowdsec Source Address List(if IPv6 used)
/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"
/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"
Configuration
The bouncer configuration is made via environment variables:
| Name | Description | Default | Required |
|---|---|---|---|
CROWDSEC_BOUNCER_API_KEY |
CrowdSec bouncer API key required to be authorized to request local API | none |
✅ |
CROWDSEC_URL |
Host and port of CrowdSec agent | http://crowdsec:8080/ |
✅ |
CROWDSEC_ORIGINS |
Space separated list of CrowdSec origins to filter from LAPI (EG: "crowdsec cscli") | none |
❌ |
LOG_LEVEL |
Minimum log level for bouncer in zerolog levels | 1 |
❌ |
MIKROTIK_HOST |
Mikrotik appliance address | none |
✅ |
MIKROTIK_USER |
Mikrotik appliance username | none |
✅ |
MIKROTIK_PASS |
Mikrotik appliance password | none |
✅ |
MIKROTIK_TLS |
User TLS to connect to Mikrotik API | true |
❌ |
MIKROTIK_IPV6 |
Enable / Disable IPv6 support | true |
❌ |
Contribution
Any constructive feedback is welcome, fill free to add an issue or a pull request. I will review it and integrate it to the code.
Install crowdsec-mikrotik-bouncer on Unraid in a few clicks.
Find crowdsec-mikrotik-bouncer in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.
Requirements
Generate a bouncer API key following CrowdSec documentation https://doc.crowdsec.net/docs/cscli/cscli_bouncers_add/
cscli bouncers add Mikrotik-0
Activate API in mikrotik
IP -> Service -> Enable api and apply security
Procedure:
1 Get a bouncer API key from your CrowdSec with command cscli bouncers add mikrotik-bouncer
2 Copy the API key printed. You WON'T be able the get it again.
3 Paste this API key as the value for bouncer environment variable CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey"
4 Start bouncer with docker-compose up bouncer in the example directory
5 Create IP drop Filter Rules in input and forward Chain with the crowdsec Source Address List
6 Create IPv6 drop Filter Rules in input and forward Chain with the crowdsec Source Address List (if IPv6 used)
/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"
/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"
Categories
Download Statistics
Related apps
Explore more like this
Explore allDetails
ghcr.io/funkolab/cs-mikrotik-bouncer:latestRuntime arguments
- Network
bridge- Shell
sh- Privileged
- false
Template configuration
- Target
- CROWDSEC_BOUNCER_API_KEY
- Default
- your-api-key
- Value
- your-api-key
- Target
- CROWDSEC_URL
- Default
- http://crowdsec:8080/
- Value
- http://crowdsec:8080/
- Target
- MIKROTIK_HOST
- Default
- your-ip-mikrotik:8728
- Value
- your-ip-mikrotik:8728
- Target
- MIKROTIK_USER
- Default
- your-mirkotik-user
- Value
- your-mirkotik-user
- Target
- MIKROTIK_PASS
- Default
- your-mikrotik-pass
- Value
- your-mikrotik-pass
- Target
- MIKROTIK_IPV6
- Default
- true
- Value
- true
- Target
- MIKROTIK_TLS
- Default
- true
- Value
- true
- Target
- CROWDSEC_ORIGINS
- Default
- none
- Value
- none
- Target
- LOG_LEVEL
- Default
- 1
- Value
- 1