---
Tanya

bisa nggak dibuat script yang otomatis nge blok ip yang coba2 login (login failure > 5 kali ) 
baik lewat winbox, webbox, atau ftp. kemudian setelah 1 jam ip tersebut di lepas kembali...?

mohon bantuannya yah master2 mikrotik...

Jawab

kita bisa mendafarkan ip yg berusaha masuk ke daftar black-list, contoh untuk ssh sbb: 
dibawah untuk usaha pertama masuk, jika membandel diproses ke tahap berikutnya ....Cara 1

##

kalo kode diatas ini jika dalam 1 menit berusaha 10 kali login 
(lht script baris kedua, dst-limit=1/1m,9 di login nya yg kesepuluh masuk daftar hitam 
dan diban selama 3jam, address-list=blacklist address-list-timeout=3h).

nah akhirnya kalo masih bandel udah 3 kali mo nyoba masuk terus, maka ip nya di ban 
selama 1 hari (lihat timeout diatas).  ... Cara 2


Cara 1

/ ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=bl_list_ssh1 address-list-timeout=1m comment="" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=bl_list_ssh1 action=add-src-to-address-list address-list=bl_list_ssh2 address-list-timeout=1m \
comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=bl_list_ssh2 action=add-src-to-address-list address-list=bl_list_ssh3 address-list-timeout=1m \
comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=bl_list_ssh3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
comment="" disabled=no

/ ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
comment="drop ssh brute forcers" disabled=no

-------------------------------------------------------------------------------------------

Cara 2

/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

#add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content=530 Login incorrect \
address-list=blacklist address-list-timeout=3h



From www.forummikrotik.com, by okto_2005

########################################################################

  Documentation,Editing,Optimization by baratev.sourceforge.net

########################################################################