Is there a way to block all these others trying anything to get in the mikrotik
step by step please i am new to this thanks
Add a firewall filter rule with that as a source address. Better still, set up a blacklist and block the traffic from that. This will allow you to add and remove problem IPs easily.
/ip firewall address-list
add address=190.66.7.7 list=blacklist
/ip firewall filter
add action=drop chain=input src-address-list=blacklist \
comment="drop anything from blacklist"
That will block all traffic from that IP to the router. If you just want to prohibit ssh, narrow the blacklist and filter rule to the ssh port.
/ip firewall address-list
add address=190.66.7.7 list=ssh-blacklist
/ip firewall filter
add action=drop chain=input src-address-list=ssh-blacklist protocol=tcp dst-port=22 \
comment="drop anything from the ssh blacklist"
I usually use webfig to move the rules into the right order via drag and drop.
BTW - There are some good firewall white papers on the wiki which show you how to dynamically detect attacks and generate a blacklist for the problem IPs. See - http://wiki.mikrotik.com/wiki/Firewall
The best solution would be to come up with a list of networks that should be allowed to access the router administratively, and block everything else. What’s the point of blacklisting if all valid traffic is always coming from an admin network? If you need remote access, set up a remote access VPN (PPTP, IPsec) and add that address pool to the list of permitted networks.
/ip firewall address-list
add list=admin-networks address=192.168.1.0/24
add list=admin-networks address=10.0.0.0/24
/ip firewall filter
add chain=input src-address-list=admin-networks protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
Excellent point. I was thinking rouge user or compromised machine on the private side of the router. But limiting which network addresses can access the apps is a better first step. I limited that via the IP services so using a firewall rule to do it didn’t occur to me.
/ip service
set telnet address=192.168.1.0/24 disabled=yes port=23
set ftp address=192.168.1.0/24 disabled=yes port=21
set www address=192.168.1.0/24 disabled=yes port=80
set ssh address=192.168.1.0/24 disabled=no port=22
set www-ssl address=192.168.1.0/24 certificate=XXX disabled=no port=443
set api address=192.168.1.0/24 disabled=yes port=8728
set winbox address=192.168.1.0/24 disabled=yes port=8291
GabSky - You would want to replace 192.168.1.0/24 with the addresses for your local admin segment.