Use non-standard port + Strong Password and username != admin.
Throttle connection attempts. Mikrotik disconnects the connection on an invalid login, so only allow one connection per 15 seconds.
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
I use this sneaky trick:
- Server listens on non-standard port.
- To connect, your IP must be on "TEMP_ALLOW" address list.
- To easily add yourself to the TEMP_ALLOW address list, I try and connect to a "trigger" port. This port doesn't connect to anything, but there is a firewall input rule that adds src IP to TEMP_ALLOW for 1 hour.
- However, a port scan by a hacker may inadvertently cause him to be added to the TEMP_ALLOW list. So I create another firewall input rule for the ports on either side of the trigger port that puts the src-address on a BANNED list. Only an IP that is NOT in the BANNED list will be added to the TEMP_ALLOW list.
- With this method, only 2 additional rules are required.
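The trick described above written out as RouterOS firewall rules, as an added example that is not the poster's own configuration. It assumes SSH has been moved to port 2222, a trigger port of 9999 with trap ports 9998 and 10000, and adds an explicit drop of BANNED sources first so that a scanner which happens to hit the trigger port before a trap port is still locked out for the life of its TEMP_ALLOW entry.

```routeros
# Move the management service off its default port (assumed: SSH on 2222)
/ip service set ssh port=2222

/ip firewall filter
# 1. Anything already on BANNED is dropped before any other input rule can
#    match, so a scanner that earned a TEMP_ALLOW entry before tripping a
#    trap port still cannot reach the service.
add chain=input action=drop src-address-list=BANNED \
    comment="drop banned scanners"

# 2. Trap ports on either side of the trigger: a sequential scan hits one of
#    these and the source is banned for a day (timeout is an assumption).
add chain=input protocol=tcp dst-port=9998,10000 \
    action=add-src-to-address-list address-list=BANNED \
    address-list-timeout=1d comment="scan trap -> BANNED"

# 3. Trigger port: a single connection attempt adds the source to TEMP_ALLOW
#    for one hour, but only if it is not already on BANNED ("!" negates).
add chain=input protocol=tcp dst-port=9999 src-address-list=!BANNED \
    action=add-src-to-address-list address-list=TEMP_ALLOW \
    address-list-timeout=1h comment="trigger -> TEMP_ALLOW"

# 4. Only sources on TEMP_ALLOW may reach the non-standard SSH port.
add chain=input protocol=tcp dst-port=2222 src-address-list=TEMP_ALLOW \
    action=accept comment="ssh from knocked hosts"

# 5. Everyone else gets nothing back from the service port.
add chain=input protocol=tcp dst-port=2222 action=drop \
    comment="ssh from everyone else"
```

Rule order matters: the BANNED drop must sit above the trigger and accept rules, and the TEMP_ALLOW and BANNED entries can be inspected with `/ip firewall address-list print` to confirm who has been admitted or locked out.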