[HELP PLEASE] Mail Report for FTP Bruteforce or Another Attack.

Here are the steps that I have done.

  1. Set firewall rules to detect brute force and add the source to an address list

     ```
     /ip firewall filter
     # Let "530 Login incorrect" replies through while the per-destination limit is not exceeded
     add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
     # Replies beyond the limit put the client address on the blacklist
     add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=5m10s
     ```

  2. Set firewall rule to drop the attacker

     ```
     /ip firewall filter
     add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
     ```

  3. Set mail for reporting event

     ```
     /tool e-mail set address=[:resolve smtp.gmail.com] user=aaaa.bbbb@gmail.com password=xxxx port=587 start-tls=yes from="<Attack Report>"
     ```

  4. Test the email by sending manually through MikroTik
  5. Email testing succeeded.
  6. Set the logging for email topics.
  7. Put script on the list

     ```
     name="send_ftp" owner="admin"
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     source=
     # Send one mail per entry currently in ftp_blacklist
     :foreach a in=[/ip firewall address-list find list=ftp_blacklist] do={
         :local ftpip [/ip firewall address-list get $a address];
         :log warning ("FTP Attack from:" . $ftpip);
         :local sysname [/system identity get name];
         :local date [/system clock get date];
         :local time [/system clock get time];
         /tool e-mail send from="$sysname<aaaa.bbbb@gmail.com>" to=cccc.dddd@yahoo.com \
             tls=yes server=[:resolve smtp.gmail.com] port=587 password=xxxx subject="FTP Attack!" \
             body=" Dear Admin,\n \n We have note that on $date at $time. There are FTP attack to $sysname from IP $ftpip, and has been blocked by firewall.\n See http://whois.sc/$ftpip for detail IP attacker information.\n \n Thanks & Regard"
     }
     ```

  8. Set the scheduler to run the script.
---------------------------------TESTING----------------------------------

  1. Doing FTP login incorrect 9 times.
  2. My IP address that I am using to do the incorrect FTP logins is listed in the address list and has been blocked.

----------------------------------MY PROBLEM-------------------------

I don't get any email report.
Please help me to make it right.
Sorry for the long post. :frowning: :frowning:
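
Added example, not part of the original post: a small Python model of how the two `chain=output` rules from step 1 and the `chain=input` drop rule from step 2 interact. It assumes `dst-limit=1/1m,9,dst-address/1m` behaves as a per-destination token bucket (burst 9, refilled by one per minute), so the exact count at which a real router lists an address may differ; the class and function names and the sample IPs are constructed for illustration.

```python
from collections import defaultdict

RATE_PER_SEC = 1 / 60.0   # dst-limit=1/1m : one token refilled per minute (assumed model)
BURST = 9                 # dst-limit burst value
LIST_TIMEOUT = 310        # address-list-timeout=5m10s, in seconds


class FtpBruteForceModel:
    """Simplified model of the firewall rules, keyed by client IP (hypothetical helper)."""

    def __init__(self):
        self.tokens = defaultdict(lambda: float(BURST))  # one bucket per dst-address
        self.last_seen = {}
        self.blacklist = {}  # client IP -> expiry time in seconds

    def on_530_response(self, now, client_ip):
        """Process one '530 Login incorrect' reply sent to client_ip at time now."""
        # chain=output sees the router's reply, so dst-address is the FTP client.
        # Refill the bucket for the time elapsed since the previous reply.
        elapsed = now - self.last_seen.get(client_ip, now)
        self.tokens[client_ip] = min(BURST, self.tokens[client_ip] + elapsed * RATE_PER_SEC)
        self.last_seen[client_ip] = now
        if self.tokens[client_ip] >= 1:
            self.tokens[client_ip] -= 1
            return "accept"   # rule 1 matched, rule 2 is never reached
        self.blacklist[client_ip] = now + LIST_TIMEOUT
        return "listed"       # rule 2: add-dst-to-address-list

    def is_blocked(self, now, client_ip):
        """True while the chain=input drop rule would match client_ip."""
        return self.blacklist.get(client_ip, 0) > now


def replay(events):
    """Replay (time, client_ip) events; return the model and one verdict per event."""
    model = FtpBruteForceModel()
    return model, [model.on_530_response(t, ip) for t, ip in events]


# Constructed sample: ten failed logins two seconds apart from a documentation-range IP.
BURST_EVENTS = [(i * 2, "203.0.113.7") for i in range(10)]
# Constructed sample: a user mistyping a password once every two minutes.
SLOW_EVENTS = [(i * 120, "198.51.100.9") for i in range(12)]

if __name__ == "__main__":
    for name, events in (("burst", BURST_EVENTS), ("slow", SLOW_EVENTS)):
        model, verdicts = replay(events)
        print(name, verdicts, sorted(model.blacklist))
```

In this model the script from step 7 only has something to report while `blacklist` is non-empty, which is at most 5m10s after the last listed reply.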