SSHHere is an example of how to defend against bruteforce attacks on an SSH port. Please note, that ssh allows 3 login attempts per connection, and the address lists are not cleared upon a successful login, so it is possible to blacklist yourself accidentally.
/ip firewall filter add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist connection-state=new dst-port=22 protocol=tcp src-address-list=connection3
/ip firewall filter add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment=”Third attempt” connection-state=new dst-port=22 protocol=tcp src-address-list=connection2,!secured
/ip firewall filter add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment=”Second attempt” connection-state=new dst-port=22 protocol=tcp src-address-list=connection1
/ip firewall filter add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment=”First attempt” connection-state=new dst-port=22 protocol=tcp
/ip firewall filter add action=accept chain=input dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist
If the timeouts were kept at 1min for all three lists – connection1/2/3 – then someone could perform 9 guesses every minute, with the above structure they can do a maximum of 3 guesses per 5min.
https://help.mikrotik.com/docs/display/ROS/Bruteforce+prevention
WinBox
/ip firewall filter add action=jump chain=output comment=”F2B Winbox: Jump to Fail2Ban-Destination-IP chain” content=”invalid user name or password” jump-target=Fail2Ban-Destination-IP protocol=tcp src-port=8291
/ip firewall filter add action=add-dst-to-address-list address-list=BlackList address-list-timeout=10m chain=Fail2Ban-Destination-IP comment=”3 Attempt –> BlackList” dst-address-list=LoginFailure02
/ip firewall filter add action=add-dst-to-address-list address-list=LoginFailure02 address-list-timeout=2m chain=Fail2Ban-Destination-IP comment=”2 Attempt –> LoginFailure02″ dst-address-list=LoginFailure01
/ip firewall filter add action=add-dst-to-address-list address-list=LoginFailure01 address-list-timeout=1m chain=Fail2Ban-Destination-IP comment=”1 Attempt –> LoginFailure01″
/ip firewall raw add action=drop chain=prerouting comment=”Drop all” src-address-list=BlackList
https://mhelp.pro/mikrotik-fail2ban-blocking-brute-force-attacks/