Block IP address trying to access RDP

Hello,
could you give me a hint how to block an incoming IP address from WAN trying to log in to our server over the RDP port?
I want to block the IP, for example, after 5 attempts in one hour.
I know how to create a rule to dynamically add an address to an address list and then block it, but I don't know how to create a rule like I wrote above.

Thank you

Hi,

you can count attempts in the mangle prerouting chain. There is dst-limit in the Extra tab, where you can set the rate to 5/hour and set action accept for this rule. Then you have to add another rule that simply puts the abusive IP into some address list which you will block.

I do not think the Mangle section will be the right place for such a rule. I am suggesting to use the firewall raw section with dst-limit parameters.

In general it's safer to capture in filter, but okay to drop in raw, as raw is stateless and thus it is easier to accidentally capture normal traffic…

I won't argue with you; you're probably right. This is how I configured it and solved a similar problem when there wasn't an option to use the raw section :smiley:

Would it be possible to describe in more detail how to set up the rule? When I try, I can reach only 2 conditions: all incoming addresses accessing over RDP ports are blocked immediately, or no IP is included. I am not able to bring the counting rule to life.
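A worked version of the dst-limit approach suggested above, as an added example that is not from any poster in this thread. It uses the 5-attempts-per-hour figure from the original question and, following the advice above, counts in the filter chain rather than raw; the interface list name WAN, the list name rdp_blacklist and the 1-day ban are assumptions, and note that the firewall can only count new TCP connections, not failed RDP logins.

```routeros
# Added example: per-source rate limit on new RDP connections, with a
# blacklist for sources that exceed it. List and interface names are assumptions.
/ip firewall filter
# 1. Drop every RDP packet from a source already on the blacklist.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop comment="rdp - drop blacklisted sources"
# 2. dst-limit=rate/time,burst,classifier/expire. With src-address as the
#    classifier every source gets its own bucket: 5 new connections pass at
#    once (burst), the bucket then refills at 5 per hour, and an idle source
#    is forgotten after 1h. Packets within the limit are accepted here.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new dst-limit=5/1h,5,src-address/1h action=accept comment="rdp - allow up to 5 new connections per hour per source"
# 3. A connection over the limit falls through to here: record the source for
#    1 day. add-src-to-address-list does not stop rule processing, so rule 4
#    drops the packet itself.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1d log=yes log-prefix="rdp blacklist added" comment="rdp - blacklist sources over the limit"
# 4. Drop the attempt that triggered the blacklisting; rule 1 handles the rest.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new action=drop comment="rdp - drop over-limit attempt"
```

Place these above whatever rule currently accepts RDP toward the server, and check the counters with `/ip firewall filter print stats` and `/ip firewall address-list print` to confirm rule 2 is matching before rule 3 ever fires.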

I've used the following example with success. http://kniko.net/block-brute-force-on-microsoft-rdp-using-mikrotik-router/

Config from our firewall: 3 consecutive connection attempts, with less than 5 minutes between each attempt, result in a blacklist for a few weeks.
This one works for ports 21, 3389, 3390

/ip firewall filter
add action=reject chain=forward comment="wan - block blacklist" connection-state=new log-prefix="wan - blocked blacklist" reject-with=icmp-network-unreachable src-address-list=rdp_Blacklist
add action=add-src-to-address-list address-list=rdp_Blacklist address-list-timeout=12w6d chain=forward comment="wan - 3389 add to blacklist added" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log=yes log-prefix="rdp blacklist added" protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=5m chain=forward comment="wan - 3389 add to blacklist stage 3" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log-prefix="rdp blacklist stage3" protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=5m chain=forward comment="wan - 3389 add to blacklist stage 2" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log-prefix="rdp blacklist stage2" protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=5m chain=forward comment="wan - 3389 add to blacklist stage 1" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log-prefix="rdp blacklist stage1" protocol=tcp
add action=accept chain=forward comment="lan - server4 rdp" connection-state=new dst-port=3389 log=yes log-prefix="allow rdp" protocol=tcp

This is working well, thank you! Also, I understand how to create similar rules now.

Think about VPN and not limiting …
Services directly available from outside will be hacked in some case

Look at the winbox hack
Look at ubnt
Look wherever you want, directly exposed services are an invitation
The only way to do this securely is using a VPN

I am using VPN where possible, but in some cases it is necessary to have access over WAN RDP, because I sometimes connect from different places from different devices.

I do use a different port than 3389.
Then I have a brute-force access list somewhat like the above: 3 RDP sessions in the same 5 min, send it to the blacklist.
After that I have a generic block list: if someone tries any non-open port, block for 24 hours.
Last, I have port knocking that will add my IP to a whitelist for 24 hours.

You can also use only port knocking, and close RDP until the correct ports are knocked.
E.g. the ports to open are 53333 43333 63333
To knock a port, just use a browser and open http://your.ip:53333, then http://your.ip:43333 and last http://your.ip:63333
This would then open RDP for a fixed time.