Confused about chains

Hi

My very first firewall filter rule is

[xxx@mkt-sx-00] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; drop blacklisted
      chain=forward action=drop src-address-list=DenyLIst log=yes log-prefix="deny-"

I have IP 190.6.38.79 in my DenyLIst
yet it seems to find a way to Winbox

What am I missing?

It is from IP 190.6.38.79 towards what? An IP on another network, or just local to the router where this rule is defined?

Missing the “deny-” in any log line.

Local access to the router is the “input” chain, not the “forward” chain.
Access to an IP address in the same subnet as the source probably never passes the firewall, but is just bridged.

Without seeing your whole config, no one here can help you without playing guessing games…
/export hide-sensitive file=anynameyouwish

move the rule from /ip firewall filter (forward) to /ip firewall raw (prerouting)

Winbox has its own ACL (/ip service winbox) and is a router service (input chain), not a routed service (forward chain)

If you use “forward” you do not intercept “input” traffic towards the router CPU, and if you see that in the log, it is working right.

ping

Under /ip → services, you have the list with various services like http, https, ssh, winbox, api etc.
Only ENABLE those that are relevant and set the IPs from which access is allowed. By default they are world reachable if you do not narrow them down or filter them otherwise (e.g. on the prerouting chain)

Not an answer to your question, but for me it seems that you have Winbox open to the internet???
If so, you are at high risk of being hacked. (older RouterOS has a big bug)

Use VPN to access winbox, then you do not need to block anyone.

If VPN cannot be used, follow these steps.

  1. Use another port than default.
  2. Use port knocking. This prevents someone from seeing open ports.
  3. Use a long and good password.
  4. Use access list to prevent any random internet from accessing your router.
  5. Log everything. (See my signature for example.)
  6. Upgrade firmware to latest stable release
  7. ++++

Your access list blocks some IPs from accessing Winbox. In step 4, you should block all and only allow valid IPs.

Thanks for all that excellent advice that I am implementing as we speak!
A bit of a thread drift, but how do you do port knocking in MikroTik?

The search will give you plenty of detailed posts on this.
Also,
https://mum.mikrotik.com/presentations/US10/discher.pdf
https://mum.mikrotik.com/presentations/ID08/portknock.pdf
https://systemzone.net/securing-mikrotik-router-with-port-knocking/

and so on and so on.
You can decide yourself how many “stages” the sequence must be, but 3-stage is pretty secure with an extremely small chance of somebody ever hitting the jackpot :wink:
I would also implement something to put “portscanners” on a ban-list if too many attempts are made in a certain time-window, because otherwise you can keep trying port-combinations forever.

65535^3 = 281,462,092,005,375 (depends on how you implement it)

for example:
honeypot IP: some free Public IP

or if free Public IP is not available:
honeypot TCP port: 1433 (SQL for example)
honeypot UDP port: 1434 (SQL for example)

A port scan on the honeypot surely indicates an unwanted connection;
the IP goes directly onto the raw/blacklist

And since you can use either TCP (64K ports) or UDP (64K ports) or ICMP that number is only getting larger :wink:

Anyone who tries 1 port on my router that is not open by default (like 443 is open) will be banned for all ports for 24 hours, even the open ports (443).
There are around 5000 to 10000 IPs in the block list at any time.

Pfff, where is the hospitality these days :wink:

Better as a separate topic, but does SOMEONE know a program to shrink an IP blacklist?

Like when you find inside the blacklist something like:

1.2.232.0 (/32)
1.2.232.1 (/32)
1.2.232.2 (/32)
1.2.232.3 (/32)
1.2.232.4 (/32)
1.2.232.5 (/32)
1.2.232.6 (/32)
1.2.32.0/23
1.2.34.0/23

shrink it like:
1.2.232.0/30
1.2.232.4/31
1.2.232.6 (/32)
1.2.32.0/22

Here you go:
https://tehnoblog.org/ip-tools/ip-address-aggregator/

Input

1.2.232.0
1.2.232.1
1.2.232.2
1.2.232.3
1.2.232.4
1.2.232.5
1.2.232.6
1.2.32.0/23
1.2.34.0/23

Result

1.2.32.0/22
1.2.232.0/30
1.2.232.4/31
1.2.232.6/32
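The same aggregation can be done offline with Python's standard library; this is an added example, not the linked web tool nor anything from the thread, and it assumes the entries are IPv4 (the `(/32)` annotation style and the `DenyLIst` list name are taken from the posts above).

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed sample input: the blacklist entries quoted in the thread,
# including the "(/32)" annotation the poster used for single hosts.
SAMPLE_BLACKLIST = """
1.2.232.0 (/32)
1.2.232.1 (/32)
1.2.232.2 (/32)
1.2.232.3 (/32)
1.2.232.4 (/32)
1.2.232.5 (/32)
1.2.232.6 (/32)
1.2.32.0/23
1.2.34.0/23
"""

# Matches "1.2.3.4 (/32)" and captures the address and the prefix separately.
_ANNOTATED = re.compile(r"^\s*(\S+?)\s*\(\s*(/\d+)\s*\)\s*$")


def parse_entry(line: str) -> ipaddress.IPv4Network:
    """Turn one blacklist line into a network: '1.2.3.4', '1.2.3.4/32' and
    '1.2.3.4 (/32)' all become 1.2.3.4/32. Host bits are masked off
    (strict=False), so a sloppy '1.2.32.5/23' still maps to 1.2.32.0/23.
    IPv4 is assumed; collapse_addresses() needs a single address family."""
    m = _ANNOTATED.match(line)
    text = m.group(1) + m.group(2) if m else line.strip()
    return ipaddress.ip_network(text, strict=False)


def shrink(lines: Iterable[str]) -> List[str]:
    """Collapse adjacent and overlapping entries into the smallest equivalent
    set of CIDR blocks. Duplicates and /32s already covered by a wider block
    disappear; the result is sorted by network address."""
    nets = [parse_entry(l) for l in lines if l.strip()]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def routeros_commands(cidrs: Iterable[str], list_name: str = "DenyLIst") -> List[str]:
    """Emit RouterOS address-list add commands for the shrunk set, so the
    list can be re-created with fewer entries than the original."""
    return [f"/ip firewall address-list add list={list_name} address={c}" for c in cidrs]


if __name__ == "__main__":
    print("\n".join(routeros_commands(shrink(SAMPLE_BLACKLIST.splitlines()))))
```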

You are very welcome to visit me, but just use the correct door, or else you may lose your head :slight_smile:

If you come to Italy close to my city, I’m pleased to offer a pizza :))

Maybe I will one day :slight_smile:
Coming from the cold north a pizza is always welcome...

Rewritten for accuracy!!