matugm
just joined
Topic Author
Posts: 2
Joined: Mon Sep 29, 2014 12:59 am

[Feature request] - fail2ban

Mon Sep 29, 2014 1:17 am

Hello,
it would be great if you could implement a fail2ban-like feature for RouterOS for the services offered by the router (ssh, winbox, vpn...). This is assuming you need to leave the ports open to the world because the clients aren't on a fixed network. I know there are some scripts out there but they don't cut it for me.
 
WirelessDSL
newbie
Posts: 38
Joined: Thu Nov 24, 2011 12:43 pm
Location: Germany

Re: [Feature request] - fail2ban

Tue Sep 30, 2014 4:37 pm

+1 for that
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: [Feature request] - fail2ban

Tue Sep 30, 2014 6:07 pm

No need for scripts. Just a few firewall rules need to be added.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] - fail2ban

Fri Oct 03, 2014 6:36 am

Firewall rules are not entirely bad, something can be done with them, but they are still at the ugly hack level, because they don't actually watch for failed logins. Well, except L7 for FTP's "530 Login incorrect", but that's far from an elegant solution too. For other services it's just connection rate limiting. Better than nothing of course...

But if every service had an option like "If there are <number> of failed logins in <number> seconds, then add source address to list <name> with timeout <time>", that would be something. Or an "On Login Failed" event for a more DIY solution would be fine too.
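
The rule described in the post above (N failed logins within a time window puts the source address on a list with a timeout), as an added Python example that is not code from the thread or from RouterOS. The log line format, the `FailedLoginBan` class and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format; "$" stops a crafted user name from supplying a fake source.
FAIL_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*login failure "
                     r"for user .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)$")

# Constructed sample log (documentation address ranges).
SAMPLE_LOG = """\
2014-10-03 06:00:00 system,error,critical login failure for user admin from 203.0.113.7 via ssh
2014-10-03 06:00:05 system,error,critical login failure for user root from 203.0.113.7 via ssh
2014-10-03 06:00:09 system,info,account user alice logged in from 192.0.2.44 via winbox
2014-10-03 06:00:12 system,error,critical login failure for user test from 203.0.113.7 via ssh
2014-10-03 06:01:00 system,error,critical login failure for user bob from 198.51.100.9 via winbox
2014-10-03 06:06:00 system,error,critical login failure for user bob from 198.51.100.9 via winbox
2014-10-03 06:11:00 system,error,critical login failure for user bob from 198.51.100.9 via winbox
"""

class FailedLoginBan:
    """max_failures failed logins within window_s seconds -> ban source for ban_s."""
    def __init__(self, max_failures, window_s, ban_s):
        self.max_failures = max_failures
        self.window, self.ban = timedelta(seconds=window_s), timedelta(seconds=ban_s)
        self.failures = defaultdict(deque)  # (ip, service) -> failure times
        self.banned = {}                    # ip -> ban expiry (the list timeout)

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        return expiry is not None and now < expiry

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAIL_RE.match(line.strip())
        if m is None:
            return None                     # not a failed login (e.g. a success)
        now, ip = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]
        if self.is_banned(ip, now):
            return None
        times = self.failures[(ip, m["svc"])]
        times.append(now)
        while now - times[0] > self.window:  # drop failures outside the window
            times.popleft()
        if len(times) >= self.max_failures:
            times.clear()
            self.banned[ip] = now + self.ban
            return ip

def run(log, tracker):
    return [ip for ip in map(tracker.feed, log.splitlines()) if ip]
```

With three failures in 60 seconds as the threshold, only the address that fails three times within 12 seconds is listed; the one failing every five minutes never accumulates enough failures inside the window.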
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: [Feature request] - fail2ban

Fri Oct 03, 2014 8:03 am

Right. I agree with you. It would be nice.
