路由器接上了公网，不可避免被扫描端口，暴力登陆。因此有个这个脚本，可以检测在一定时间内，登陆失败次数过多的IP进行封禁。

废话不多说，直接上脚本。

设置防火墙阻断列表

input链阻断对路由器本身的访问，既然对方不怀好意，那么索性将forward链也阻断，这样对方也无法访问映射的服务。

记住这里的src-address-list名称，在后面的自动检测脚本中需要用到。

/ip/firewall/filter/add chain=input in-interface=ether1 src-address-list=block_list comment="Block IP Address"

/ip/firewall/filter/add chain=forward in-interface=ether1 src-address-list=block_list comment="Block IP Address"

通过脚本维护封禁IP地址列表

有几个变量需要设置，blockList使用上面防火墙中配置的地址列表，timeout表示封禁时间，1d表示一天，within表示多长时间内，配合maxAttempts变量，表示$within时间内$maxAttempts次登陆失败，将会被封禁$timeout时间。

/system script add name="auto-block-ip" source={
# auto block IP address with too many failed login attempts
# an IP address will be blocked if it reaches the number of
# failed login attempts within the time period entered below
#
# author: Yaser Hsueh
# email:  xueye404@icloud.com
# site:   https://www.simaek.com
# block address list
:local blockList "block_list"
# block time, blocked IP address will be unlocked after the timeout entered below
:local timeout "1d"
# login within
:local within "10m"
# maximum login attempts
:local maxAttempts 5

# block IP address with too many failed login attempts
:local currentTime ([/system/clock/get time] - $within)
:local addressCount []
:foreach counter=log \
in=[/log/print as-value where topics=system,error,critical] \
do={
    :local logTime [:totime ($log->"time")]
    :if ($logTime > $currentTime) do={
        :local message ($log->"message")
        # filter ssh login failures
        :if (([:find $message "via ssh"]) >= 0 && ([:find $message "login failure"]) >= 0) do={
            # pick IP address
            :local start ([:find $message "from"] + 5)
            :local end ([:find $message "via ssh"] - 1)
            :local blockIP [:pick $message $start $end]
            # count login attempts
            :set ($addressCount->$blockIP) (($addressCount->$blockIP) + 1)
        }
    }
}
# add address to block address list
:foreach k,v in=$addressCount do={
    if ($v >= $maxAttempts) do={
        if ([/ip/firewall/address-list/print as-value where list=$blockList && address=$k]) \
        do={
            /log/info message=("[AutoBlock] " . $k . " was already exist in block list")
        } else={
            /ip/firewall/address-list add list=$blockList address=$k timeout=$timeout
            /log/info message=("[AutoBlock] " . $k . " was newly added to block list")
        }
    }
}
}

设置定时任务

最后就是定时执行脚本，执行的频率酌情选择。

/system/scheduler /add name=auto-block-ip on-event=auto-block-ip interval=10m

写在最后

此处只针对了SSH进行封禁，对于其他服务FTP等也可以进行相应的操作。只需要根据日志内容进行关键词匹配即可。