again with ([/system clock get time] - 5m) ???
00:01:00 - 5m = -23:56:00
read this
http://forum.mikrotik.com/t/black-list-for-failed-login-to-ipsec-vpn/130090/8
I suggest using blacklist and drop without any kind of response on /firewall raw
instead of adding the IP to the route table.
The list can grow so large and the LIMITED routes table can fill up very quickly.
and use this script for the blacklist:
# Revised from Rextended v1.2.rex
#
# Created Jotne 2019 v1.2
#
# This script add ip with "denied winbox" to a block list for 7 days
# Schedule the script to run every 5 min
# It should run on all routerOS version - Rex test it on 6.47.9
# may / 28 12:39:14 warning denied winbox / dude connect from 181.46.136.147
:local logMessage ""
:local logIp 10.6.6.6
/log
:foreach i in=[find where message~"denied winbox"] do={
:set logMessage [get $i message]
:if ($logMessage~"denied winbox") do={
:set logIp [:toip [:pick $logMessage ([:find $logMessage "from " -1]+5) [:len $logMessage]]]
:if ([:len [/ip fire addr find where address=$logIp]] < 1) do={
/ip fire addr add address=$logIp list=blacklist timeout=7d
:log info message="add $logIp to list blacklist"
}
}
}
If you want stil to add routes instead of drop traffic:
# Revised from Rextended v1.2.rex
#
# Created Jotne 2019 v1.2
#
# This script add blackhole route for each "denied winbox"
# Schedule the script to run every 5 min
# It should run on all routerOS version - Rex test it on 6.47.9
# may / 28 12:39:14 warning denied winbox / dude connect from 181.46.136.147
:local logMessage ""
:local logIp 10.6.6.6
/log
:foreach i in=[find where message~"denied winbox"] do={
:set logMessage [get $i message]
:if ($logMessage~"denied winbox") do={
:set logIp [:toip [:pick $logMessage ([:find $logMessage "from " -1]+5) [:len $logMessage]]]
:if ([:len [/ip route find where dst-address=($logIp."/32") and type=blackhole]] < 1) do={
/ip route add dst-address=$logIp type=blackhole comment="ips-malicioso"
:log info message="add $logIp to blackhole route"
}
}
}