I am using this as an "intelligent" firewall against attacks on port 22, but it can also be used for telnet and more... I always open only port 22 from "everywhere". Because it adds dynamic addresses to the address list, after a reboot everything is dropped, so every day it converts all blacklisted addresses to static ones. If you have any tip for doing it better, I will be glad to hear it.
ros code

/ip firewall filter
add action=reject chain=input comment="SSH PublicIP reject if blacklisted" \
    connection-state=new dst-address-list=PublicIP dst-port=22,8291 protocol=tcp \
    reject-with=icmp-admin-prohibited src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist chain=input \
    comment="SSH to PublicIP blacklisting blacklist" connection-state=new \
    dst-address-list=PublicIP dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    chain=input comment="SSH to PublicIP blacklisting stage 2" connection-state=new \
    dst-address-list=PublicIP dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m \
    chain=input comment="SSH to PublicIP blacklisting stage 1" connection-state=new \
    dst-address-list=PublicIP dst-port=22 protocol=tcp
add chain=input comment="SSH to PublicIP accept if not blacklisted" \
    connection-state=new dst-address-list=PublicIP dst-port=22 protocol=tcp \
    src-address-list=!ssh_blacklist

/system scheduler
add comment="Auto convert dynamic blacklist to static" interval=1d \
    name=blacklist-forever on-event=":global IP\r\
    \n:foreach DIP in [/ip firewall address-list find list=ssh_blacklist dynamic=yes]\\\r\
    \ndo { \\\r\
    \n\r\
    \n:set IP [/ip firewall address-list get \$DIP address]\r\
    \n/ip firewall address-list remove \$DIP\r\
    \n/ip firewall address-list add list=ssh_blacklist address=\$IP\r\
    \n\r\
    \n}" policy="ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api" \
    start-date=apr/10/2014 start-time=01:01:00
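The following is an added simulation, not the poster's RouterOS configuration and not a MikroTik API: it models the five input-chain rules and the daily dynamic-to-static scheduler above as a small Python state machine, so the 1m escalation window, the passthrough behaviour of add-src-to-address-list, and the effect of a reboot on dynamic entries can be checked offline. The source IPs and attempt timings are constructed test data, and the model assumes (as a labelled assumption) that re-adding an address that is already on a list refreshes its timeout.

```python
"""Added simulation of the three-stage SSH blacklist above.

Not the poster's RouterOS code and not a MikroTik API; it models the
firewall rules as a state machine.  Assumptions are marked in comments.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STAGE_TIMEOUT = 60   # seconds; address-list-timeout=1m on ssh_stage1/ssh_stage2
SSH_PORT = 22


@dataclass
class Entry:
    expires: Optional[float]   # None: no timeout (as on the ssh_blacklist rule)
    dynamic: bool = True       # entries created by firewall actions are dynamic


@dataclass
class AddressLists:
    lists: Dict[str, Dict[str, Entry]] = field(default_factory=dict)

    def add(self, name: str, ip: str, now: float,
            timeout: Optional[float] = None, dynamic: bool = True) -> None:
        # Assumption: re-adding an already listed address refreshes its timeout.
        expires = None if timeout is None else now + timeout
        self.lists.setdefault(name, {})[ip] = Entry(expires, dynamic)

    def contains(self, name: str, ip: str, now: float) -> bool:
        entry = self.lists.get(name, {}).get(ip)
        if entry is None:
            return False
        if entry.expires is not None and entry.expires <= now:
            del self.lists[name][ip]      # timed-out dynamic entry is gone
            return False
        return True

    def reboot(self) -> None:
        # Dynamic entries do not survive a reboot; static ones do.
        for name in list(self.lists):
            self.lists[name] = {ip: e for ip, e in self.lists[name].items()
                                if not e.dynamic}

    def convert_to_static(self, name: str) -> None:
        # Equivalent of the daily scheduler script: each dynamic entry is
        # removed and re-added as a static one.
        for entry in self.lists.get(name, {}).values():
            entry.dynamic = False


def new_ssh_connection(al: AddressLists, src: str, now: float,
                       dst_port: int = SSH_PORT) -> str:
    """Evaluate one new TCP connection against the five rules, in order.

    Returns 'reject', 'accept' or 'fall-through' (no rule matched, so the
    packet continues to whatever follows these rules in the input chain).
    """
    # Rule 1: already blacklisted -> reject (covers SSH and WinBox ports)
    if dst_port in (22, 8291) and al.contains("ssh_blacklist", src, now):
        return "reject"
    if dst_port != SSH_PORT:
        return "fall-through"
    # Rules 2-4: add-src-to-address-list is passthrough, so all three are
    # checked for the same packet; stage2 promotes to the blacklist first.
    if al.contains("ssh_stage2", src, now):
        al.add("ssh_blacklist", src, now)                 # no timeout, still dynamic
    if al.contains("ssh_stage1", src, now):
        al.add("ssh_stage2", src, now, STAGE_TIMEOUT)
    al.add("ssh_stage1", src, now, STAGE_TIMEOUT)
    # Rule 5: accept only if the source is still not blacklisted
    return "accept" if not al.contains("ssh_blacklist", src, now) else "fall-through"


# Constructed attempt logs: (seconds since start, source IP).
FAST_ATTACKER: List[Tuple[float, str]] = [(0, "198.51.100.7"), (10, "198.51.100.7"),
                                          (20, "198.51.100.7"), (30, "198.51.100.7")]
SLOW_ATTACKER: List[Tuple[float, str]] = [(0, "203.0.113.9"), (70, "203.0.113.9"),
                                          (140, "203.0.113.9"), (210, "203.0.113.9")]


def run(attempts, al: Optional[AddressLists] = None):
    """Replay attempts; returns (verdict per attempt, final address lists)."""
    if al is None:
        al = AddressLists()
    return [new_ssh_connection(al, ip, t) for t, ip in attempts], al


def after_reboot(convert_first: bool) -> str:
    """Verdict for the fast attacker's next attempt after a reboot, with or
    without the scheduler having converted the blacklist to static first."""
    _, al = run(FAST_ATTACKER)
    if convert_first:
        al.convert_to_static("ssh_blacklist")
    al.reboot()
    return new_ssh_connection(al, "198.51.100.7", 1000)


if __name__ == "__main__":
    print("fast:", run(FAST_ATTACKER)[0])   # third attempt is blacklisted, fourth rejected
    print("slow:", run(SLOW_ATTACKER)[0])   # one attempt per 70 s never escalates
    print("after reboot, no conversion:", after_reboot(False))
    print("after reboot, converted:    ", after_reboot(True))
```

Two things the simulation makes visible: the third connection from a fast source is added to ssh_blacklist but is not itself rejected (rule 1 ran before the blacklisting, and rule 5 no longer matches, so it falls through to whatever follows), and a source that spaces its attempts more than a minute apart never escalates past stage 1. It also shows why the scheduler exists: without the conversion the blacklist is empty after a reboot. On RouterOS versions that accept address-list-timeout=none-static, setting that on the blacklisting rule makes the entries static as they are created and the scheduler unnecessary.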