My routers have been under attack lately. I have MOAB service installed and running on both of them; however, in the past week my server logs have recorded more than 2000 attempts on my admin account which got past MOAB. I have the list filtered down to bare IPv4 addresses (IPv6 is currently disabled); what is the most efficient way to create my own supplemental blacklist (obviously, I haven’t time to enter 2000 individual firewall entries!)?
Add any src-address that tries to reach your admin account to an address-list. Make a second address-list with your valid source addresses.
Then, in RAW, filter out any incoming traffic for the admin account from a source that is on the list, except for those that are on your valid list.
If that is working then you could decide to only use the valid list and block any other.
OK, to correctly answer the OP's question: “import 2000 IP address list inside MikroTik firewall”
1) Paste the list into an address aggregator: https://tehnoblog.org/ip-tools/ip-address-aggregator/
2) Put the result in a decent text editor that lets you replace the “enter” (new line / carriage return / anynameyouwantforthat etc.) key with
list=blacklist
add address=
(do not forget the space before list)
3) Add to the top of the file
/ip firewall address-list
4) Check that the file looks like:
/ip firewall address-list
add address=31.13.64.0/18 list=lista_ip_facebook
add address=31.13.64.0/19 list=lista_ip_facebook
add address=31.13.64.0/24 list=lista_ip_facebook
add address=31.13.65.0/24 list=lista_ip_facebook
add address=31.13.66.0/24 list=lista_ip_facebook
add address=31.13.67.0/24 list=lista_ip_facebook
add address=31.13.68.0/24 list=lista_ip_facebook
add address=31.13.69.0/24 list=lista_ip_facebook
add address=31.13.70.0/24 list=lista_ip_facebook
add address=31.13.71.0/24 list=lista_ip_facebook
add address=31.13.72.0/24 list=lista_ip_facebook
add address=31.13.73.0/24 list=lista_ip_facebook
add address=31.13.74.0/24 list=lista_ip_facebook
add address=31.13.75.0/24 list=lista_ip_facebook
add address=31.13.76.0/24 list=lista_ip_facebook
add address=31.13.77.0/24 list=lista_ip_facebook
add address=31.13.79.0/24 list=lista_ip_facebook
add address=31.13.80.0/24 list=lista_ip_facebook
add address=31.13.81.0/24 list=lista_ip_facebook
add address=31.13.82.0/24 list=lista_ip_facebook
add address=31.13.83.0/24 list=lista_ip_facebook
add address=31.13.84.0/24 list=lista_ip_facebook
add address=31.13.85.0/24 list=lista_ip_facebook
add address=31.13.86.0/24 list=lista_ip_facebook
add address=31.13.87.0/24 list=lista_ip_facebook
add address=31.13.89.0/24 list=lista_ip_facebook
add address=31.13.90.0/24 list=lista_ip_facebook
add address=31.13.91.0/24 list=lista_ip_facebook
add address=31.13.92.0/24 list=lista_ip_facebook
add address=31.13.93.0/24 list=lista_ip_facebook
add address=31.13.94.0/24 list=lista_ip_facebook
add address=31.13.95.0/24 list=lista_ip_facebook
add address=31.13.96.0/19 list=lista_ip_facebook
add address=45.64.40.0/22 list=lista_ip_facebook
5a) Save the file and import it on the RouterBOARD.
5b) Paste 400 lines at a time into the terminal.
Almost a good suggestion, but it will stop if the entry is duplicated. http://forum.mikrotik.com/t/6-16-import-stops-when-there-is-a-duplicate-entry/83056/1
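The conversion steps and the duplicate-entry caveat above, as an added example that is not part of any forum post: a Python script, run on a workstation, that turns bare IPv4 lines into the `/ip firewall address-list` file shown earlier. The function name `build_rsc`, its `allow` parameter (the "valid list" idea from the first reply) and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Constructed sample input (documentation ranges), one bare IPv4 per line.
SAMPLE = """203.0.113.4
203.0.113.5
203.0.113.4
198.51.100.77
192.0.2.10
not-an-ip
203.0.113.6
203.0.113.7
"""

def build_rsc(raw_lines, list_name="blacklist", allow=()):
    """Return (script_text, rejected_lines) for a list of bare IPv4 strings.

    build_rsc and its parameters are hypothetical names for this example.
    """
    allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow]
    hosts, rejected = set(), []
    for line in raw_lines:
        text = line.strip()
        if not text:
            continue
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            rejected.append(text)  # report junk instead of importing it
            continue
        if any(addr in net for net in allow_nets):
            continue  # never blacklist a known-valid source
        hosts.add(addr)  # the set drops repeated addresses
    # Merge adjacent addresses into the smallest set of exact CIDR blocks.
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(str(h)) for h in hosts)
    out = ["/ip firewall address-list"]
    for net in nets:
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        out.append(f"add address={target} list={list_name}")
    return "\n".join(out) + "\n", rejected

if __name__ == "__main__":
    script, bad = build_rsc(SAMPLE.splitlines(), allow=["192.0.2.0/24"])
    print(script, end="")
    print("# skipped:", bad)
```

Deduplication here only covers the generated file; an address that is already on the router's list still counts as a duplicate at import time.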
Addressing the symptoms is not necessarily addressing the root cause.
Perhaps I am wrong, but let's look at it from another viewpoint.
Stepping back from the problem —> How is your admin account accessible to anybody on the internet?
Since you have not provided your config, it's hard to tell.
The first question that came to mind… Does your input chain allow WAN access to the router?
Is that WAN access encrypted (VPN, port knocking etc…)?
/export hide-sensitive file=anynameyouwish.
why pay for a useless blacklist?
secure your device properly.
I am in contact with @ehbowen … His router is not under attack … it's his Synology webserver admin account that is under attack … Lots of issues with his RoS config plus his ATT Gateway. So hopefully will have that resolved soon. It's not a MOAB issue.
Thanks that there is a foe list.
ahh the homeowner that runs a server on his network with no protection trick.
that one sounds familiar, gluck straightening out the situation.
It does NOT stop if my method 5b) is followed; it just continues, not caring about the “duplicate”.
Darn, the personal Blacklist only works when I am logged in.