Had several bruteforce rules setup based on this wiki page: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
They worked perfectly in 6.17 after the upgrade we were getting tons of false positives.
Here is an example of one of my filters:
/ip firewall filter
add action=reject chain=forward comment="WP Failed Logins" disabled=yes \
dst-address=207.109.170.0/24 dst-port=80 protocol=tcp reject-with=\
icmp-admin-prohibited src-address-list=WPFailedBlacklist
/ip firewall mangle
add chain=forward comment="WPLogin Allow 5 per Min" content=\
"<div id=\"login_error\">" dst-limit=1/1m,5,dst-address/1m protocol=tcp \
src-address=207.109.170.12 src-port=80
add action=add-dst-to-address-list address-list=WPFailedBlacklist \
address-list-timeout=4h chain=forward comment="WPLogin block 6th" \
content="<div id=\"login_error\">" protocol=tcp src-address=\
207.109.170.12 src-address-list=!DOS_Bypass src-port=80
The rule is designed to catch packets containing part of the error message from a failed wordpress login, and block after 6 failed attempts per minute. Seems to be blocking after the second failed attempt. All of my other filter rules using this method are also behaving the same way. The router is a ccr1016-12G. The filter rule is disabled for the moment until I can get this figured out.
Thanks