Greetings ,for the last days, every time I open the log, I see a list of critical login failures via ssh and telnet and the source ip belongs to my network. Is possible someone has copied this ip, placed in a device and be trying invade the routerboard?
Sorry for my bad English , but I am worried about this.
You can block the access for SSH disable SSH if you don’t need SSH
Or you can make that you IP-address can connect with SSH
Go to “IP” “services”
Doubbleclick on the line SSH
Than give you a IP-address from the PC that can login with SSH
I use this solution… Allow a few attempts, then filter the IP.
/ip firewall filter
add action=drop chain=input src-address-list=blacklist
add action=log chain=input connection-state=new dst-port=22 \
log-prefix="SSH Brute Force Blocked" protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=4w chain=input comment="Block SSH 4th Attemp" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="Log SSH 3rd Attemp" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="Log SSH 2st Attemp" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="Log SSH 1st Attemp" \
connection-state=new dst-port=22 protocol=tcp
Ty everyone , for the fast response. I will close the topic.
@intrusdave
Why all the lists?
Looks like you are blocking anyway after multiple tries.
Could be blocked from the start?
Actually I get it. Upon successful connection the first time. Source Ip is only listed in 1stage list.
Only endup in blacklist upon multiple failed tries 
Exactly. You get 3 attempts, then blocked.
I am no Mikrotik guru but I would say it is easier to use a different port for SSH. We use a 5 digit port number (same one of course) on every one of our servers. Never got broken into. We used PF on the Servers (running FreeBSD). IThen you can use the firewall rule the person above said to use for the new ssh port. Just not sure if you can block port scans but I suspect one can do that too.
personally I would use the firewall to limit access to the ssh port from known good locations.
All you need it 4-5 rsync’s and scps and ssh’s to put yourself on the blacked list.
If you limit to known good internal ip address, and your on the internet, use a VPN to get inside and then connect outside.
security by obscurity is not the best.