In my logs I have lots of entrys like
(50 messages not shown)
dec/10/2007 16:05:09 system,error,critical login failure for user username from 222.112.170.217 via ssh
dec/10/2007 16:05:12 system,error,critical login failure for user username from 222.112.170.217 via ssh
dec/10/2007 16:05:16 system,error,critical login failure for user user from 222.112.170.217 via ssh
dec/10/2007 16:05:19 system,error,critical login failure for user root from 222.112.170.217 via ssh
dec/10/2007 16:05:22 system,error,critical login failure for user admin from 222.112.170.217 via ssh
dec/10/2007 16:05:26 system,error,critical login failure for user test from 222.112.170.217 via ssh
dec/10/2007 16:05:29 system,error,critical login failure for user root from 222.112.170.217 via ssh
dec/10/2007 16:05:32 system,error,critical login failure for user root from 222.112.170.217 via ssh

Is there a way to automaticly block this ip after 3-4 failed logins?



Thanks

you can use access-list - so when host connects for the first time, he gets in a starting list, if it connects another time, it get further, when it connects 4th or 5th time its ip address is added to block list and he is dropped for some time.

My recommendation is to block the ports for router access in the input chain and allow connection to these port only by your ip address (or range) - this will prevent possible router hacking.
The ports are: 21,22,23,80,8291 all tcp.

Access-lists can only be used with wireless interfaces...

My router has no wireless interfaces.

Public interface, DMZ interface and LAN interface (all wires)

On WAN i have static IP addresses and my log's are full of failed login attempts from the same IP address for hours....

I can't block remote access because i connect to the router the same way.

But regardless of where the attempts are comming from. Is there any way to prevent this?
Is there a way to add users IP to an address-list when he failes to logon? and count souch logins? If number of failed logins is greater than eg. 5 in the last minute, bloch the IP for 45 minutes?

I'm pretty new to scripting and some of the more advanced functions but i understand a good example!

Regards

/ip firewall filter add chain=input src-address="YOURIPORSUBNET" action=accept
/ip firewall filter add chain=input action=drop

For mutiple input ip/subnets execute first rule as many times as you have ip/subnets that has to communicate with router directly.
Alternatively, you can use this:
/ip firewall filter add chain=input action=drop dst-port=21
/ip firewall filter add chain=input action=drop dst-port=22
/ip firewall filter add chain=input action=drop dst-port=23
/ip firewall filter add chain=input action=drop dst-port=80
/ip firewall filter add chain=input action=drop dst-port=8291
instead of the drop rule above to drop only "auth-type" services.

Putting ip addresses to access-list is still not secure enough (what is somebody guess you user/pass at first time?)

I think that it is less likely that someone will guess my username and password at first...

And forgive me, i forgot to say that i must be able to access the router over the internet. I am connected thru DSL so i can't create a rule to give me access based on the IP address.

If i was on a static ip, i wouldn't be asking here.
Is there a way to do this?

Example in wiki http://wiki.mikrotik.com/wiki/Bruteforc ... %26_SSH%29

The wiki has a great script - you could also just change the ssh port on your router...

i have pptp server enabled, so i can log in from wherever i need and some sites in whitelist, so i do not have to create pptp tunnel to access from these sites.