This assumes that you are going to port knock in the input chain (on a non-NAT'd router IP/port).
The port knock sequence will be 90, 91, and 92. Anyone with 3 bad attempts no further than 2 minutes apart each will get blocked for 24 hours. Make sure you adjust the rule that grants administrative access via the LAN port, and permit anything else you need to, and that it fits with the rest of your firewall rules. It also does not contain any NAT rules you might need; those of course stay the same.
Might contain errors. Written in a text editor only.
/ip firewall filter
add chain=input src-address-list=blocked action=drop
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=tcp dst-port=90 action=add-src-to-address-list address-list=portKnockStage1 address-list-timeout=00:00:10
add chain=input protocol=tcp dst-port=91 src-address-list=portKnockStage1 action=add-src-to-address-list address-list=portKnockStage2 address-list-timeout=00:00:10
add chain=input protocol=tcp dst-port=92 src-address-list=portKnockStage2 action=add-src-to-address-list address-list=portKnocker address-list-timeout=00:30:00
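add chain=input in-interface=LAN action=accept
# add-src-to-address-list does not stop rule processing, so drop packets to the knock ports here; otherwise a correct 90, 91, 92 knock is counted as 3 bad attempts by the scanner rules below
add chain=input protocol=tcp dst-port=90-92 action=drop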
add chain=input src-address-list=scannerStage2 action=add-src-to-address-list address-list=blocked address-list-timeout=24:00:00
add chain=input src-address-list=scannerStage1 action=add-src-to-address-list address-list=scannerStage2 address-list-timeout=00:02:00
add chain=input action=add-src-to-address-list address-list=scannerStage1 address-list-timeout=00:02:00
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=LAN action=accept
add chain=forward src-address-list=portKnocker action=accept
add chain=forward action=drop
The basics behind this are listed in the wiki articles on how to blacklist brute force SSH or FTP attackers. You're just watching every port in the same fashion.
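An added Python model of the input-chain address lists above (not the poster's code and not RouterOS syntax), tracing how a source address moves through the knock and scanner lists. The `knocks_fall_through` switch and the sample address are assumptions of the model: it compares knock packets that continue into the scanner rules with knock packets that are dropped before them.

```python
# Added model of the post's input-chain rules (constructed; not RouterOS code).
T_KNOCK, T_OPEN, T_SCAN, T_BLOCK = 10, 30 * 60, 2 * 60, 24 * 3600  # seconds
KNOCK_PORTS = (90, 91, 92)

class InputChain:
    def __init__(self, knocks_fall_through):
        # True: knock packets continue to the scanner rules after being listed.
        # False: packets to the knock ports are dropped before the scanner rules.
        self.knocks_fall_through = knocks_fall_through
        self.expiry = {}  # (list name, source address) -> expiry time

    def on(self, name, src, now):
        return self.expiry.get((name, src), -1) > now

    def add(self, name, src, now, timeout):
        self.expiry[(name, src)] = now + timeout

    def lists(self, src, now):
        return {n for (n, s) in self.expiry if s == src and self.on(n, src, now)}

    def packet(self, now, src, port):
        """Apply the rules, top to bottom, to one new TCP packet arriving on the WAN."""
        if self.on("blocked", src, now):
            return self.lists(src, now)                      # drop
        if port == 90:
            self.add("portKnockStage1", src, now, T_KNOCK)
        elif port == 91 and self.on("portKnockStage1", src, now):
            self.add("portKnockStage2", src, now, T_KNOCK)
        elif port == 92 and self.on("portKnockStage2", src, now):
            self.add("portKnocker", src, now, T_OPEN)
        if port in KNOCK_PORTS and not self.knocks_fall_through:
            return self.lists(src, now)                      # drop, not counted
        if self.on("scannerStage2", src, now):
            self.add("blocked", src, now, T_BLOCK)
        if self.on("scannerStage1", src, now):
            self.add("scannerStage2", src, now, T_SCAN)
        self.add("scannerStage1", src, now, T_SCAN)
        return self.lists(src, now)                          # final drop

def run(packets, knocks_fall_through):
    """Feed (time, source, port) tuples through the chain; return the final lists."""
    chain, result = InputChain(knocks_fall_through), set()
    for now, src, port in packets:
        result = chain.packet(now, src, port)
    return result

SRC = "198.51.100.7"  # constructed documentation address
GOOD_KNOCK = [(0, SRC, 90), (1, SRC, 91), (2, SRC, 92)]
print(sorted(run(GOOD_KNOCK, knocks_fall_through=True)))
print(sorted(run(GOOD_KNOCK, knocks_fall_through=False)))
```

With fall-through, a correct 90, 91, 92 knock is itself three counted packets, so the source ends up on both `portKnocker` and `blocked`.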