I would like to prevent brute-force attacks on a mail server which is behind a MikroTik router/firewall.
I used the FTP brute-force example http://wiki.mikrotik.com/wiki/Bruteforc ... ntion_(FTP
and I changed chains, ports, content (-ERR [AUTH] Invalid login ).
My question is regarding dst-limit. It always triggers that rule, and the rule below that is never triggered (the one which will add the address to the address list).
Code:
/ip firewall filter
add action=tarpit chain=forward comment="drop pop brute force - block all from list" dst-port=110 \
    protocol=tcp src-address-list=pop_blacklist src-port=""
add chain=forward comment="drop pop brute force - accept 5 failed logins per minute" content=\
    "ERR [AUTH] Invalid login" dst-limit=1/1m,5,src-address/1m protocol=tcp src-port=110
add action=add-dst-to-address-list address-list=pop_blacklist address-list-timeout=10m chain=forward comment=\
    "drop pop brute force - add everything else to address list" content="ERR [AUTH] Invalid login" \
    protocol=tcp src-port=110
What should I change to stop POP brute force?