Crow2k
just joined
Topic Author
Posts: 1
Joined: Thu May 23, 2019 9:46 am

Ban IP's / Drop connections of RDP Brute forcers

Thu May 23, 2019 10:01 am

Hi There,
I am fairly new to MikroTik routers and am currently only using the web GUI. In the last day or so I noted that a hostile party is trying to brute force my 3 servers with RDP attempts (TCP connections); each is on a different port, 33891, 33892 and 33893 respectively. I was hoping someone might help me create some firewall filter rules to blacklist an IP that forces more than 5 failed connections/login attempts per minute and then enforces rules to ban that IP from connecting for 30 days once on the list.

I cannot run with an allowed IP address configuration because I have users connecting in from dynamic IPs.
 
User avatar
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Ban IP's / Drop connections of RDP Brute forcers

Thu May 23, 2019 4:42 pm

 
User avatar
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Ban IP's / Drop connections of RDP Brute forcers

Thu May 23, 2019 5:41 pm

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain.
As the rhyme goes. I would like to slap the peepee of the person that wrote the wikee. Slow day. ;-)

Highly recommend you read through this thread for some sage advice!
viewtopic.php?f=2&t=139793&p=689467&hil ... ts#p689467
 
User avatar
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Ban IP's / Drop connections of RDP Brute forcers

Fri May 24, 2019 10:04 am

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain.
In simple English, why is the drop in the input chain and not in raw? Perhaps the linked wiki is intended to show the principle, not a working configuration. You never know what other firewall rules are there, and testing blacklisting in raw can break something.
 
User avatar
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: Ban IP's / Drop connections of RDP Brute forcers

Sun May 26, 2019 10:23 pm

# Rules are listed from the highest stage down, so one new connection moves a
# source up exactly one stage. add-src-to-address-list is a passthrough action:
# the packet continues to the later rules after being added to a list.

# Drop anything already on the blacklist (must come before the stage rules)
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

# 4th new connection within a minute from a stage3 source: blacklist for 10 days
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

# 3rd new connection within a minute: promote stage2 -> stage3
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

# 2nd new connection within a minute: promote stage1 -> stage2
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

# 1st new connection from any source: stage1 (entry expires after 1 minute)
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Just replace port 22 with the port you want to drop!
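The staged address-list scheme above, adapted to the original question as an added example (this is not code posted in the thread): three RDP servers behind public ports 33891, 33892 and 33893, and a 30-day ban for any source that opens too many new connections. It assumes, because the original post does not say, that the servers sit behind the router and are reached through dst-nat rules forwarding the three public ports to TCP 3389 on internal hosts 192.168.88.10, .11 and .12 (addresses chosen for this example), with the upstream interface in the interface list "WAN". One caveat a practitioner should know up front: the router cannot see RDP login failures, only TCP connection attempts, so "5 failed logins per minute" has to become "too many new connections per minute" from one source.

```routeros
# Added example: staged blacklist for RDP brute forcers on a MikroTik router.
# Assumed topology (not stated in the thread): dst-nat forwards the public
# ports to 192.168.88.10-12:3389; the WAN port is in interface list "WAN".

/ip firewall address-list
add list=rdp_servers address=192.168.88.10 comment="RDP host behind 33891 (assumed)"
add list=rdp_servers address=192.168.88.11 comment="RDP host behind 33892 (assumed)"
add list=rdp_servers address=192.168.88.12 comment="RDP host behind 33893 (assumed)"

/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=33891 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=33892 \
    action=dst-nat to-addresses=192.168.88.11 to-ports=3389
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=33893 \
    action=dst-nat to-addresses=192.168.88.12 to-ports=3389

/ip firewall filter
# dst-nat runs in prerouting, so when the forward chain sees the packet the
# destination is already 192.168.88.x:3389. Match the translated port together
# with connection-nat-state=dstnat rather than the public ports. (If the servers
# have public addresses and no NAT, use dst-port=33891-33893 and drop the
# connection-nat-state matcher.)
#
# Order matters: drop first, then stages from the most advanced down, so one SYN
# moves a source up exactly one stage. Place all of these above the rule that
# accepts the forwarded RDP traffic.

# Blacklisted sources are dropped on every port, both for traffic to the router
# itself (input) and for traffic passing through it (forward).
add chain=input src-address-list=rdp_blacklist action=drop \
    comment="drop RDP brute forcers"
add chain=forward src-address-list=rdp_blacklist action=drop \
    comment="drop RDP brute forcers"

# 4th new connection within a minute: 30-day ban
add chain=forward protocol=tcp dst-port=3389 connection-nat-state=dstnat \
    dst-address-list=rdp_servers connection-state=new src-address-list=rdp_stage3 \
    action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=30d comment="RDP stage3 -> blacklist"

# 3rd new connection within a minute: stage2 -> stage3
add chain=forward protocol=tcp dst-port=3389 connection-nat-state=dstnat \
    dst-address-list=rdp_servers connection-state=new src-address-list=rdp_stage2 \
    action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m comment="RDP stage2 -> stage3"

# 2nd new connection within a minute: stage1 -> stage2
add chain=forward protocol=tcp dst-port=3389 connection-nat-state=dstnat \
    dst-address-list=rdp_servers connection-state=new src-address-list=rdp_stage1 \
    action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m comment="RDP stage1 -> stage2"

# 1st new connection from any source: stage1, expires after a minute
add chain=forward protocol=tcp dst-port=3389 connection-nat-state=dstnat \
    dst-address-list=rdp_servers connection-state=new \
    action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m comment="RDP new -> stage1"

# The normal accept for forwarded RDP sessions comes after the stage rules
add chain=forward protocol=tcp dst-port=3389 connection-nat-state=dstnat \
    dst-address-list=rdp_servers action=accept comment="allow forwarded RDP"

# To see who has been caught:
# /ip firewall address-list print where list=rdp_blacklist
```

Two things to keep in mind when tuning this. Because the drop rule sits first, the connection that triggers the ban is still accepted and only the next one is dropped; that is fine for a brute forcer, who will be back within seconds. And the threshold here is "more than three new connections in a minute": a normal RDP session is a single TCP connection, so that is safe for interactive users, but several users behind one office NAT share a source address and can trip it together, in which case raise the stage timeouts or add another stage.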
 
User avatar
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: Ban IP's / Drop connections of RDP Brute forcers

Sat Jun 01, 2019 8:38 am

Exposing anything to that vast outside world will always incur hackers trying to be... hackers. Usually, but as you've already ruled out, allowing only a set IP list is the answer. How about a VPN server? Then you don't have to expose any of your local devices directly to the internet.
 
User avatar
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Ban IP's / Drop connections of RDP Brute forcers

Sun Jun 02, 2019 12:51 am

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain.
As the rhyme goes. I would like to slap the peepee of the person that wrote the wikee. Slow day. ;-)

Highly recommend you read through this thread for some sage advice!
viewtopic.php?f=2&t=139793&p=689467&hil ... ts#p689467

That wiki article is from 2013, many many moons before RAW was available in ROS.
