Seeking help! RouterOS RDP brute-force prevention has failed. Could an expert please help me modify the rules?

My computer is connected to the LAN behind a ROS (RouterOS) router, with port 3389 (Remote Desktop Protocol - RDP) mapped to the ROS public IP on port 2059. Someone is brute-forcing my remote desktop connection, and my goal is to add the attacking IP address to a blacklist after three failed password attempts. Below are my ROS firewall rules, but I myself am being added to the blacklist before I even reach the password entry screen when I try to connect remotely. My objective is specifically to blacklist the IP only after three failed password attempts.

Below are all of my current ROS (RouterOS) firewall rules. Could you please help me modify them or rewrite a new set of rules that can meet my requirement?

MikroTik RouterOS 7.20.4 (c) 1999-2025 https://www.mikrotik.com/

Press F1 for help

[admin@MikroTik] ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; 0-DROP RDP Blacklist IPs
chain=forward action=drop protocol=tcp src-address-list=rdp_blacklist log=no log-prefix=""

1 ;;; 1-FINAL Blocker (Max 10 Conn)
chain=forward action=add-src-to-address-list connection-limit=30,24 protocol=tcp dst-address=10.16.1.1
address-list=rdp_blacklist address-list-timeout=1w dst-port=3389 limit=1,5:packet
dst-limit=1,5,dst-address/1m40s log=no log-prefix=""

2 ;;; 2-FINAL Blocker (Max 100/5m)
chain=forward action=add-src-to-address-list protocol=tcp dst-address=10.16.1.1 address-list=rdp_blacklist
address-list-timeout=1w dst-port=3389 limit=100/5m,10:packet log=no log-prefix=""

3 ;;; 3-Accept established and related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

4 ;;; 4-Accept legitimate RDP traffic
chain=forward action=accept protocol=tcp dst-address=10.16.1.1 dst-port=3389 log=no log-prefix=""

5 ;;; 5-Drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""

A partial configuration does not help that much. You might want to post at minimum your full firewall rules, or ideally the redacted export, if you want any meaningful help.

The critical question is: are the current rules shown above getting hit? Open ports at some level always expose some risk... now, using a different port is helpful, but perhaps you could change the port, which may minimize the risk somewhat. The other thing to consider is using a "whitelist" and/or requiring VPN to access RDP.

MikroTik RouterOS 7.20.4 (c) 1999-2025 https://www.mikrotik.com/

Press F1 for help

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; DROP RDP Blacklist
chain=forward action=drop connection-state=new protocol=tcp dst-address=10.16.1.1 src-address-list=RDP_Blacklist dst-port=3389 log=no log-prefix=""

1 ;;; RDP-Stage3-Final-Block
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp dst-address=10.16.1.1 src-address-list=RDP_Stage3 address-list=RDP_Blacklist address-list-timeout=4w2d dst-port=3389 log=no log-prefix=""

2 ;;; RDP-Stage3
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp dst-address=10.16.1.1 src-address-list=RDP_Stage2 address-list=RDP_Stage3 address-list-timeout=10m dst-port=3389 log=no log-prefix=""

3 ;;; RDP-Stage2
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp dst-address=10.16.1.1 src-address-list=RDP_Stage1 address-list=RDP_Stage2 address-list-timeout=10m dst-port=3389 log=no log-prefix=""

4 ;;; RDP-Stage1
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp dst-address=10.16.1.1 address-list=RDP_Stage1 address-list-timeout=10m dst-port=3389 log=no log-prefix=""

5 ;;; Accept RDP to LAN PC
chain=forward action=accept connection-state=established,related,new protocol=tcp dst-address=10.16.1.1 dst-address-list="" dst-port=3389 log=no log-prefix=""

Someone is not listening ...

@OP
Open terminal
/export file=anynameyouwish
Move file to PC
Edit file, remove serial, any passwd, public IP, ...
Post back between Code quotes < / >


If those are really your only firewall rules... that may be a problem, as you're not protecting anything.

It's simply stupid to expose the internet port of a service that's so easy to hack...

To connect, you must FIRST use some form of VPN (other than PPtP) and THEN use RDP.

As long as every single password attempt comes from different IPs, the filter won't block ANYTHING...

And if it's that easy to hack, the user is probably "administrator" or "rdp" or something similar...
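As an added illustration (not code from any poster, and not RouterOS script), the following Python model traces the staged rule set posted above through a few constructed connection sequences; it assumes that add-src-to-address-list is a passthrough action, that re-adding an address to a dynamic list refreshes its timeout, and that only the first packet of each new TCP connection is evaluated. It shows that the lists count new TCP connections per source IP rather than password failures, and that a source rotating addresses is never escalated, as the last reply points out.

```python
from dataclasses import dataclass, field

STAGE_TIMEOUT = 10 * 60              # address-list-timeout=10m on RDP_Stage1..3
BLACKLIST_TIMEOUT = 30 * 24 * 3600   # address-list-timeout=4w2d on RDP_Blacklist
LISTS = ("RDP_Blacklist", "RDP_Stage3", "RDP_Stage2", "RDP_Stage1")

@dataclass
class StagedFilter:
    """Model of rules 0-5 of the second rule set; only new TCP connections
    to 10.16.1.1:3389 are fed in, since every rule carries connection-state=new."""
    # list name -> {source IP: expiry time in seconds}
    lists: dict = field(default_factory=lambda: {name: {} for name in LISTS})

    def listed(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and expiry > now

    def add(self, name, src, now, timeout):
        # assumption: re-adding an existing dynamic entry refreshes its timeout
        self.lists[name][src] = now + timeout

    def new_connection(self, src, now):
        """Return the verdict for the first packet of one new connection."""
        if self.listed("RDP_Blacklist", src, now):           # rule 0: drop
            return "drop"
        # rules 1-4 (add-src-to-address-list, assumed passthrough) are checked
        # top-down, so a source climbs exactly one stage per new connection
        if self.listed("RDP_Stage3", src, now):              # rule 1
            self.add("RDP_Blacklist", src, now, BLACKLIST_TIMEOUT)
        if self.listed("RDP_Stage2", src, now):              # rule 2
            self.add("RDP_Stage3", src, now, STAGE_TIMEOUT)
        if self.listed("RDP_Stage1", src, now):              # rule 3
            self.add("RDP_Stage2", src, now, STAGE_TIMEOUT)
        self.add("RDP_Stage1", src, now, STAGE_TIMEOUT)      # rule 4
        return "accept"                                      # rule 5

def run(events):
    """events: constructed list of (seconds, source IP) for new connections.
    Returns the per-connection verdict; no password is ever inspected."""
    fw = StagedFilter()
    return [fw.new_connection(src, t) for t, src in events]

if __name__ == "__main__":
    # one legitimate client (RFC 5737 test address) reconnecting five times
    print(run([(30 * i, "203.0.113.5") for i in range(5)]))
    # guesses spread over many source addresses are never escalated
    print(run([(30 * i, f"198.51.100.{i}") for i in range(20)]))
    # the same client pausing longer than 10m between connections never climbs
    print(run([(700 * i, "203.0.113.5") for i in range(6)]))
```

The fourth new connection from one address lands it in RDP_Blacklist and the fifth is dropped, regardless of whether any of those connections ever reached the password prompt.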