drop ip when authorization fails - probably newbie question

Hi there

First I would like to say that I am VERY new to RouterOS so my question may look silly to more advanced people.
I recently noticed that someone is trying to log in to my router, trying to find a user - a normal dictionary attack - every 4 seconds a new username is sent.
I put a rule on the firewall to drop the IP the attack comes from, but the attacker changed his IP and the attack still goes on.
Since the IP address is from China, my local ISP told me that there is no point in reporting this to the police etc.

Is there any way to set a rule so that after 2 or 3 failed logins the IP gets blacklisted and is dropped/rejected? Is there any other, better way?

Regards

M.

  1. change the port of SSH in RouterOS (if the hacker is using SSH to login)
  2. allow access ONLY from a local known network with the firewall
  3. always use non-default username for the admin

You can also do fancy stuff like temporarily blocking the guy, if you want, but if he changes the IP, there is no use in doing it:
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
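
An added example, not part of either post above: a RouterOS input-chain rule set that combines the reply's second suggestion (accept management logins only from a known network) with temporary blocking through staged address lists. The port (22), the LAN range 192.168.88.0/24, the list names and the timeouts are assumptions to adapt to the router in question.

```routeros
# Added example. Assumptions: SSH listens on TCP 22, the trusted management
# network is 192.168.88.0/24, and the address-list names/timeouts are
# illustrative choices.
/ip firewall filter

# 1. Trusted LAN is accepted first, so it is never counted or blacklisted.
add chain=input protocol=tcp dst-port=22 src-address=192.168.88.0/24 \
    action=accept comment="ssh: allow management LAN"

# 2. Anything already blacklisted is dropped.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="ssh: drop blacklisted sources"

# 3. Escalation ladder. Rules are listed from the highest stage down so that
#    one new connection moves a source up by exactly one stage.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="ssh: stage3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m \
    comment="ssh: stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="ssh: stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="ssh: first new connection"

# Inspect who has been caught:
# /ip firewall address-list print where list=ssh_blacklist
```

The firewall cannot see whether a login failed; these rules count new TCP connections per source within the stage timeout, so a source opening a fourth new connection in quick succession is blacklisted and its further SSH packets are dropped. The rules only take effect if they sit above any broader accept rule for the same port in the input chain.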