Would be possible describe more detaily, how to setup rule? When i try, I can reach only 2 conditions. All incoming address accessing over RDP ports are blocked immediately or no IP is included. I am not able bring counting rule to life.
I've used following example with success.
http://kniko.net/block-brute-force-on-m ... ik-router/
Config from our firewall: 3 consecutive connection attempts, with less than 5 minutes between each attempt results in blacklist for a few weeks.
This one works for ports 21,3389,3390
add action=reject chain=forward comment="wan - block blacklist" connection-state=new log-prefix="wan - blocked blacklist" reject-with=icmp-network-unreachable src-address-list=rdp_Blacklist
add action=add-src-to-address-list address-list=rdp_Blacklist address-list-timeout=12w6d chain=forward comment="wan - 3389 add to blacklist added" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log=yes log-prefix="rdp blacklist added" protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=5m chain=forward comment="wan - 3389 add to blacklist stage 3" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log-prefix="rdp blacklist stage3" protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=5m chain=forward comment="wan - 3389 add to blacklist stage 2" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log-prefix="rdp blacklist stage2" protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=5m chain=forward comment="wan - 3389 add to blacklist stage 1" connection-state=new dst-port=21,3389-3390 in-interface-list="wan interfaces" log-prefix="rdp blacklist stage1" protocol=tcp
add action=accept chain=forward comment="lan - server4 rdp" connection-state=new dst-port=3389 log=yes log-prefix="allow rdp" protocol=tcp