MikroTik: Block invalid SSH and FTP login attempts
Paste this into the MikroTik terminal:
/ip firewall filter
add action=log chain=input comment="Drop FTP Brute Force" disabled=no dst-port=21 log-prefix=FTP_DROP protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="Drop FTP Brute Force" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="Drop FTP Brute Force - Allow 'Incorrect Login' reply" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="Drop FTP Brute Force - Failed login IP to List: Drop" content="530 Login incorrect" disabled=no protocol=tcp
add action=log chain=input comment="Drop SSH Brute Force" disabled=no dst-port=22 log-prefix=SSH_DROP protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop SSH Brute Force" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="Drop SSH Brute Force - Failed login IP to List: Drop" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="Drop SSH Brute Force - Failed login IP to List: Stage 3" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="Drop SSH Brute Force - Failed login IP to List: Stage 2" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="Drop SSH Brute Force - Failed login IP to List: Stage 1" connection-state=new disabled=no dst-port=22 protocol=tcp
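
How the SSH stage lists escalate, as an added Python model (not part of the original snippet and not RouterOS code). It shows that the rules count every new TCP connection to port 22, whether or not a login fails, and why the highest stage has to be listed first. Assumptions: an add-src-to-address-list rule lets the packet continue to the following rules, re-adding an address restarts its timeout, and the source address 192.0.2.10 is a constructed sample.

```python
# Simplified model of the SSH rules above (illustration only, not RouterOS code).
# Assumption: add-src-to-address-list is non-terminating, so the packet goes on
# to the next rule; re-adding an address restarts that entry's timeout.
MINUTE = 60
TIMEOUTS = {                                   # address-list-timeout per list
    "ssh_stage1": 1 * MINUTE,
    "ssh_stage2": 1 * MINUTE,
    "ssh_stage3": 1 * MINUTE,
    "ssh_blacklist": (7 + 3) * 24 * 60 * MINUTE,   # 1w3d
}
# (list the source must already be in, list it is added to), in rule order
LADDER = [
    ("ssh_stage3", "ssh_blacklist"),
    ("ssh_stage2", "ssh_stage3"),
    ("ssh_stage1", "ssh_stage2"),
    (None, "ssh_stage1"),                      # last rule: any new connection
]

class SshLadder:
    def __init__(self, ladder=LADDER):
        self.ladder = ladder
        self.expiry = {}                       # (list, source) -> expiry in seconds

    def member(self, name, src, now):
        return self.expiry.get((name, src), 0) > now

    def new_connection(self, src, now):
        """Evaluate one new TCP connection to port 22: 'drop' or 'accept'."""
        if self.member("ssh_blacklist", src, now):
            return "drop"                      # the drop rule sits above the ladder
        for required, target in self.ladder:   # rules are evaluated top to bottom
            if required is None or self.member(required, src, now):
                self.expiry[(target, src)] = now + TIMEOUTS[target]
        return "accept"                        # falls through to later rules

def simulate(times, ladder=LADDER, src="192.0.2.10"):   # constructed sample address
    """Return the verdict for each new connection at the given times (seconds)."""
    fw = SshLadder(ladder)
    return [fw.new_connection(src, t) for t in times]

if __name__ == "__main__":
    print(simulate([0, 10, 20, 30, 40]))       # four quick connections, fifth dropped
    print(simulate([0, 90, 180, 270, 360]))    # more than 1m apart: never escalates
    print(simulate([0, 10], ladder=LADDER[::-1]))  # reversed order: one packet climbs all stages
```

In this model the fourth connection inside the stage timeouts puts the source on ssh_blacklist and the fifth is the first one dropped, so an administrator or script that opens several SSH sessions in quick succession is blocked for the same 1w3d.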