I have made firewall rules as found in http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention to protect my mail-server. They look for authentication failure messages my mail server is sending out and add the destination to a blacklist.
add chain=forward action=drop src-address-list=mail_blacklist
add chain=forward content="-ERR Authentication" dst-limit=1/1m,3,dst-address/1m protocol=tcp src-port=110
add chain=forward content="-ERR Authentication" action=add-dst-to-address-list address-list=mail_blacklist address-list-timeout=1w log=yes log-prefix=block_pop3 protocol=tcp src-port=110
The problem is that the add-dst-to-address-list rule gets triggered before the dst-limit rule above. One minute later the count on the dst-limit rule starts to rise to exactly the value of the add-dst-to-address-list rule.
Any ideas what could be wrong here? Is dst-limit or rule order broken in v6.31?
Is there a better solution than the one found in the wiki?
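As an added illustration (not code from the post or the MikroTik wiki), the following Python model walks server replies through the three rules above so the expected hit order can be checked against what the router shows. It assumes dst-limit behaves as a per-destination token bucket starting with `burst` tokens and refilling at `rate`, that add-dst-to-address-list is non-terminating, and uses constructed addresses; `src == MAIL_SERVER` stands in for the src-port=110 match.

```python
# Added example, not from the forum post: simplified model of the three-rule chain.
# Assumption: dst-limit=1/1m,3,dst-address/1m is a per-destination token bucket
# (3 tokens at flow start, +1 token per minute, flow forgotten after 1m idle).
from dataclasses import dataclass

MAIL_SERVER = "192.0.2.10"          # constructed sample address
ERR_TEXT = "-ERR Authentication"    # content= string from the rules

@dataclass
class Flow:
    tokens: float
    last: float

class DstLimit:
    """Per-destination bucket modelling dst-limit=1/1m,3,dst-address/1m (assumed semantics)."""
    def __init__(self, rate_per_sec=1 / 60, burst=3, expire=60):
        self.rate, self.burst, self.expire, self.flows = rate_per_sec, burst, expire, {}

    def matches(self, dst, now):
        f = self.flows.get(dst)
        if f is None or now - f.last > self.expire:   # new or expired flow
            f = self.flows[dst] = Flow(self.burst, now)
        f.tokens = min(self.burst, f.tokens + (now - f.last) * self.rate)
        f.last = now
        if f.tokens < 1:
            return False                               # limit exceeded: fall through to next rule
        f.tokens -= 1
        return True

def run_chain(packets):
    """packets: (time_s, src, dst, payload). Returns (per-rule hit counters, blacklist dict)."""
    limiter, blacklist = DstLimit(), {}
    hits = {"drop": 0, "limit": 0, "blacklist": 0}
    for t, src, dst, payload in sorted(packets):
        if src in blacklist:                           # rule 1: drop from blacklisted clients
            hits["drop"] += 1
            continue
        is_err = src == MAIL_SERVER and ERR_TEXT in payload   # stands in for src-port=110 + content
        if is_err and limiter.matches(dst, t):         # rule 2: still within burst, accept
            hits["limit"] += 1
            continue
        if is_err:                                     # rule 3: over the limit, blacklist the client
            hits["blacklist"] += 1
            blacklist[dst] = t                         # non-terminating, packet continues
    return hits, blacklist

# Constructed sample: five failures to client A within seconds, one failure to client B,
# then each client sends another packet to the server.
A, B = "198.51.100.7", "203.0.113.5"
SAMPLE = [(t, MAIL_SERVER, A, "-ERR Authentication failed") for t in (0, 1, 2, 4, 5)]
SAMPLE += [(3, MAIL_SERVER, B, "-ERR Authentication failed"),
           (6, A, MAIL_SERVER, "USER bob"), (7, B, MAIL_SERVER, "USER alice")]

if __name__ == "__main__":
    print(run_chain(SAMPLE))   # expected: limit 4 hits, blacklist 2 hits, drop 1 hit; only A listed
```

With this ordering the dst-limit rule must accumulate its first three hits per client before the blacklist rule ever fires, so a blacklist counter that leads the dst-limit counter points at something other than the rule logic.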