Block IP after X login failures

Is there a way to automatically block IP addresses after X login failures and put them on the block list for XX hours?

So if host 66.344.222.35 tries to log in to my routerboard 5 times and does not succeed, the routerboard automatically puts this IP on the firewall to drop packets from it.

Is that possible?


Regards Peter

No, not natively supported.

You could, however, parse the log for failed login attempts, disabling accounts (or blocking the IP) once a threshold is reached.
This should get you started: Log Parser - Event Trigger Script
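
The log-parsing approach suggested in this reply, as an added example (not part of the original post and not MikroTik's code). It assumes the router's log is forwarded to a syslog host in the constructed line shape shown in the comments, and it targets the `ssh_blacklist` list named later in the thread; function names, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import IPv4Address

# Assumed line shape: "<YYYY-MM-DD HH:MM:SS> <topics> login failure for user U from IP via SVC".
# The user name is attacker-controlled, so match it greedily and anchor at end of
# line: the address is always taken from the final "from ... via ..." pair.
FAIL_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*"
                     r"login failure for user .* from (?P<ip>\S+) via \S+$")

def find_offenders(lines, threshold=5, window=timedelta(minutes=10), allow=()):
    """Return IPv4 sources with >= threshold failures inside a sliding window."""
    recent, offenders = defaultdict(deque), []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = str(IPv4Address(m["ip"]))  # reject anything that is not a valid address
        except ValueError:
            continue
        if ip in allow or ip in offenders:
            continue  # never block management hosts; report each source once
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders.append(ip)
    return offenders

def routeros_commands(ips, list_name="ssh_blacklist", hours=24):
    """Build address-list entries that expire on their own after `hours`."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={hours}h"
            for ip in ips]

# Constructed sample log (documentation address ranges), not real traffic.
_F = "2024-05-01 10:{:02d}:00 system,error,critical login failure for user {} from {} via ssh"
SAMPLE = [_F.format(m, "admin", "203.0.113.7") for m in range(5)]           # 5 in 5 min
SAMPLE += [_F.format(m, "root", "198.51.100.20") for m in (0, 20, 40, 59)]   # too slow
SAMPLE += [_F.format(m, "x from 192.0.2.10 via ssh", "198.51.100.99") for m in range(5)]
SAMPLE += ["2024-05-01 10:06:00 system,info,account user admin logged in from 192.0.2.10 via ssh"]

if __name__ == "__main__":
    print("\n".join(routeros_commands(find_offenders(SAMPLE, allow={"192.0.2.10"}))))
```

The generated address-list entries only have an effect once a drop rule matches the list, which is the point the later replies in this thread cover.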

To block ssh and ftp bruteforcers, use this one
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

I can see the IP in the blacklist; however, the IP in the blacklist is still attempting to access according to the log …

You need to put in a filter rule (preferably in the RAW table) to block the blacklisted IPs.

In the end, I added this:
/ip firewall filter add chain=input src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers IP" disabled=no

That's fine, but make sure that the rule is placed above any accept rule for established connections.