allows only 10 FTP login incorrect answers per minute

It works great for me, but I would like to know where this comes from:
content="530 Login incorrect"
I can see that the script is built on content="530 Login incorrect", but I can't find where the script reads it from.

What if I want to edit it and make it work with Winbox?



allows only 10 FTP login incorrect answers per minute


in /ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties

content (string; Default: ) Match packets that contain specified text

Packets sent back by FTP servers refusing login due to incorrect logins contain that string.

Note that this is a very expensive thing to make your firewall do. Inspecting every outbound TCP packet for that string is, in my opinion, a bad idea. At the very least only inspect ports that you know you run TCP on. You can also safely limit to connection-bytes=0-10000 or even lower as the login is going to be denied early in the connection - it is pointless to inspect every byte of a 100MB file transfer if you’re looking to deny logins.
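
The narrowing suggested in the last reply, applied to the rules quoted above. This is an added example, not part of the original posts; it assumes the router's FTP service listens on the default port 21 (the port the input rule already uses) and takes the 10000-byte ceiling from the reply.

```routeros
/ip firewall filter

# Unchanged: refuse FTP connections from addresses already on the blacklist.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers"

# Original rules matched content= on every outbound TCP packet.
# Narrowed here with two extra matchers:
#   src-port=21                replies leaving the router's FTP control port only
#                              (assumption: FTP runs on the default port)
#   connection-bytes=0-10000   stop string matching once a connection has
#                              carried more than 10000 bytes; a refused login
#                              happens early in the connection
# FTP data transfers use a separate connection, so src-port=21 also keeps
# file contents out of the content match.

# Let up to 10 "530 Login incorrect" replies per minute through to each client.
add chain=output action=accept protocol=tcp src-port=21 connection-bytes=0-10000 \
    content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m \
    comment="allow limited ftp login failures"

# Any further failure reply falls through to this rule: blacklist the client for 3h.
add chain=output action=add-dst-to-address-list protocol=tcp src-port=21 \
    connection-bytes=0-10000 content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=3h \
    comment="blacklist ftp brute forcers"
```

Rule order matters: the accept rule must sit above the add-dst-to-address-list rule, otherwise every failed login blacklists the client immediately.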