This took me a bit of time but it's solved!
- First create an address list from the failed logins:
/ip firewall filter
add chain=input protocol=tcp src-address-list=hotspot_blacklist action=drop comment="Hotspot bruteforce prevention"
add chain=output action=accept protocol=tcp content="invalid username or password" dst-limit=2/1m,4,dst-address/2m comment="Hotspot bruteforce prevention"
add chain=output action=add-dst-to-address-list protocol=tcp content="invalid username or password" address-list=hotspot_blacklist address-list-timeout=3h
Thanks to
https://goo.gl/yJfPYE I didn't know that "invalid username or password" was carried from tcp in this scenario.
- Move those filters above all the hotspot filters.
Ok, after 6 failed logins (in 2 minutes) all the tcp connections for those ip addresses are dropped. The list will expire after 3hours.
My dhcp server lease time is quite short (and I need to keep it short) so I wrote down another script. It does an ip to mac conversion by using arp, but i believe that can be done by the dhcp server (indeed it also collects mac addresses). If you don't wanna play around: just -> Add arp for leases.
#Hotspot IP to MAC binding#
:local ipaddr value="";
:local mac value="";
:foreach a in=[/ip firewall address-list find where dynamic=yes and list=hotspot_blacklist] do={
:set $ipaddr [/ip firewall address-list get $a value-name=address];
:local m [/ip arp find where address=$ipaddr dynamic=yes];
:set $mac [/ip arp get $m mac-address];
/ip hotspot ip-binding add type=blocked mac-address=$mac comment="blocked from script";
/ip firewall address-list remove $a;
:log warning ("Blocked from Hotspot " . " MAC: " . $mac);
}
Set this one on the scheduler and just remember to run it before the hotspot_blacklist expires.
Ciao