How does Bruteforce login prevention work?

Hi, I tried to implement this "https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention" on my RouterBoard.
I can see the counter increase and the IPs with multiple attempts being put into the blacklist list.

However, in the log I can still see the same IP attempting to access my router. Can I say this script is no longer working?

It does work, but not too well.

For FTP it counts actual failed login attempts, so that part is fine. Inspecting the content of packets is not very effective, but you only need to watch the control connection (src-port=21 should be added to the output rules), so it's probably ok. But then, who really cares about FTP on a router…

For SSH (or WinBox, which could use the same rules) it's just a simple connection counter, because you can't see what's inside. So you get four connection attempts and then four login attempts for each (ok, it won't help a real bruteforcer too much). But be too quick, connect more than three times in one minute, and next time you're blocked too, even if you do know the password. So it's not perfect, but better than nothing.

Ideally each service would allow the user to configure failed login limits and then watch for them itself. And then either run some script, add the source address to a list, or something like that. But currently such functionality is not present in RouterOS. Maybe one day.

For SSH, I added this at the end of the wiki script:
add chain=input src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers IP" disabled=no

Then it blocks the blacklisted IPs entirely.
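As an added example (not the wiki's ruleset and not the posters' own configuration), this is how the connection-counting scheme described in the second reply looks as RouterOS firewall filter rules, combined with the drop rule from the third post. The list names ssh_stage1..ssh_stage3, the 1m and 10d timeouts and dst-port=22 are assumptions; ssh_blacklist is the name used in the thread.

```routeros
/ip firewall filter
# The drop rule must come FIRST: rules are evaluated top to bottom, and without it
# blacklisted addresses still reach the SSH daemon, which is why the same IP keeps
# showing up in the log even though it is already in ssh_blacklist.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers IP"

# Stages are checked in REVERSE order so one new connection advances an address by
# exactly one stage; only NEW connections are counted, not failed logins (RouterOS
# cannot see inside the encrypted session).
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d comment="4th new ssh conn in 1m -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="3rd new ssh conn in 1m"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="2nd new ssh conn in 1m"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="1st new ssh conn in 1m"
# Caveat from the thread: an administrator who opens more than three SSH connections
# within a minute lands in ssh_blacklist too, password or not.
```

Check the result with `/ip firewall address-list print where list=ssh_blacklist`; once the drop rule sits above the stage rules, the blacklisted address should stop appearing in the SSH login log.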