sone
just joined
Topic Author
Posts: 8
Joined: Fri May 05, 2006 9:50 pm

[ask] still confusing

Mon Oct 01, 2007 2:06 pm

I'm using this method to block unwanted IPs that try to brute force my MikroTik via FTP:
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

#add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

But when I try it to block unwanted IPs that log in via SSH (port 22) and via Telnet (port 23), it doesn't work.

Can anyone help?
 
Viroslash
Frequent Visitor
Posts: 75
Joined: Wed Jun 20, 2007 5:39 am
Location: La Plata, Buenos Aires, Argentina

Re: [ask] still confusing

Mon Oct 01, 2007 3:05 pm

Try leaving the "interface" value blank. The list rule must come first, and the rule that blocks this list next.

(1º Rule)
/ ip firewall filter add chain=input protocol=tcp dst-port=20-23 connection-limit=1,32 action=add-src-to-address-list address-list=blacklist_ssh address-list-timeout=1w comment="ssh_telnet_ftp_limit" disabled=no

(2º Rule)
/ ip firewall filter add chain=input src-address-list=blacklist_ssh action=drop disabled=no

Result:
[admin@MikroLAN_Base] > ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 D blacklist_ssh 205.237.197.197
1 D blacklist_ssh 203.99.57.238
2 D blacklist_ssh 201.20.202.70
3 D blacklist_ssh 200.49.201.26
4 D blacklist_ssh 66.143.175.134
5 D blacklist_ssh 218.22.16.86
6 D blacklist_ssh 190.24.131.35
7 D blacklist_ssh 87.22.67.187
8 D blacklist_ssh 210.210.81.250
9 D blacklist_ssh 200.36.107.165
10 D blacklist_ssh 216.230.147.164
11 D blacklist_ssh 202.143.182.162
12 D blacklist_ssh 83.94.142.40
[admin@MikroLAN_Base] >
Last edited by Viroslash on Wed Oct 03, 2007 3:25 pm, edited 1 time in total.
 
sone
just joined
Topic Author
Posts: 8
Joined: Fri May 05, 2006 9:50 pm

Re: [ask] still confusing

Mon Oct 01, 2007 7:38 pm

Viroslash wrote:
Try leaving the "interface" value blank. The list rule must come first, and the rule that blocks this list next.

(1º Rule)
/ ip firewall filter add chain=input protocol=tcp dst-port=20-23 connection-limit=1,32 action=add-src-to-address-list address-list=blacklist_ssh address-list-timeout=1w comment="ssh_telnet_ftp_limit" disabled=no

(2º Rule)
/ ip firewall filter add chain=input src-address-list=blacklist_ssh action=drop disabled=no

Result:
[admin@MikroLAN_Base] > ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 D blacklist_ssh 205.237.197.197
1 D blacklist_ssh 203.99.57.238
2 D blacklist_ssh 201.20.202.70
3 D blacklist_ssh 200.49.201.26
4 D blacklist_ssh 66.143.175.134
5 D blacklist_ssh 218.22.16.86
6 D blacklist_ssh 190.24.131.35
7 D blacklist_ssh 87.22.67.187
8 D blacklist_ssh 210.210.81.250
9 D blacklist_ssh 200.36.107.165
10 D blacklist_ssh 216.230.147.164
11 D blacklist_ssh 202.143.182.162
12 D blacklist_ssh 83.94.142.40
[admin@MikroLAN_Base] >
How about giving him 5 chances before blacklisting his IP? What should I fill in for the value?
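The question above (how many failed attempts to tolerate before listing a source) is a threshold-and-timeout policy. The Python below is an added example, not code from this thread or from MikroTik: it models that policy on the router's own login-failure log instead of in firewall rules, so you can test a threshold offline before committing it to an address list. It allows each source IP a fixed number of failures inside a sliding window (5 failures, 60 seconds here) and then blocks it for a timeout, the same role address-list-timeout plays for the dynamic list in the rules above. The message text mirrors RouterOS's "login failure for user X from A.B.C.D via ssh" log entry; the timestamp format, the topic field and every sample line are constructed for this example, and the class and function names are my own.

```python
"""Sliding-window login-failure tracker over RouterOS-style log lines.

Added example, not code from this thread. Policy modelled: a source IP may
fail `max_failures` logins inside `window_s` seconds; the next failure
blacklists it for `timeout_s` seconds (like address-list-timeout), after
which the entry expires and the counter starts again from zero.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <topics> login failure for user <u> from <ip> via <svc>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"login failure for user (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)$"
)


def parse_line(line):
    """Return (epoch_seconds, ts_text, user, src_ip, service), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seconds = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").timestamp()
    return seconds, m["ts"], m["user"], m["src"], m["svc"]


class BruteForceTracker:
    """Counts failures per source IP in a sliding window and blacklists offenders."""

    def __init__(self, max_failures=5, window_s=60, timeout_s=3 * 3600):
        self.max_failures = max_failures    # failures tolerated before the block
        self.window_s = window_s            # the failures must fall inside this window
        self.timeout_s = timeout_s          # how long a blocked IP stays listed
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.blacklist = {}                 # src -> time the block expires

    def is_blocked(self, src, now):
        """True while src is listed; an expired entry is dropped on first lookup."""
        expires = self.blacklist.get(src)
        if expires is None:
            return False
        if now >= expires:
            del self.blacklist[src]
            return False
        return True

    def record_failure(self, src, now):
        """Register one failed login; return True if this one triggers the block."""
        if self.is_blocked(src, now):
            return False                   # already listed, nothing new to do
        recent = self.failures[src]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()               # forget failures that left the window
        if len(recent) > self.max_failures:
            self.blacklist[src] = now + self.timeout_s
            recent.clear()
            return True
        return False


def process_log(lines, **policy):
    """Run the lines through a tracker; return (tracker, [(src, service, ts_text), ...])."""
    tracker = BruteForceTracker(**policy)
    blocked = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # not a login-failure line
        seconds, ts_text, _user, src, svc = parsed
        if tracker.record_failure(src, seconds):
            blocked.append((src, svc, ts_text))
    return tracker, blocked


# Constructed sample log: one scanner (203.0.113.7) hammering SSH, Telnet and FTP,
# one legitimate user (198.51.100.4) mistyping a password twice, and a late
# failure from the scanner after its 3-hour block has expired.
SAMPLE_LOG = """\
2007-10-01 14:06:01 system,error,critical login failure for user admin from 203.0.113.7 via ssh
2007-10-01 14:06:03 system,error,critical login failure for user admin from 203.0.113.7 via ssh
2007-10-01 14:06:05 system,error,critical login failure for user root from 203.0.113.7 via ssh
2007-10-01 14:06:07 system,error,critical login failure for user root from 203.0.113.7 via telnet
2007-10-01 14:06:10 system,error,critical login failure for user sone from 198.51.100.4 via ssh
2007-10-01 14:06:12 system,error,critical login failure for user admin from 203.0.113.7 via ftp
2007-10-01 14:06:20 system,error,critical login failure for user sone from 198.51.100.4 via ssh
2007-10-01 14:06:25 system,error,critical login failure for user test from 203.0.113.7 via ssh
2007-10-01 14:06:30 system,error,critical login failure for user test from 203.0.113.7 via ssh
2007-10-01 14:07:00 system,info,account user sone logged in from 198.51.100.4 via ssh
2007-10-01 18:30:00 system,error,critical login failure for user admin from 203.0.113.7 via ssh
""".splitlines()


if __name__ == "__main__":
    tracker, blocked = process_log(SAMPLE_LOG)
    for src, svc, when in blocked:
        print(f"{when}: blacklist {src} (sixth failure, last via {svc})")
    print("still listed at end of log:", sorted(tracker.blacklist))
```

Two points the rules in the thread share with this model: the counter is per source address, so a slow guesser who spreads attempts over more than the window is never listed, and the expiry is relative to the last triggering failure, so the 3 hours (or Viroslash's one week) starts when the block is placed, not when the first attempt was seen.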
 
prof
just joined
Posts: 5
Joined: Fri Jan 04, 2008 7:30 pm

Re: [ask] still confusing

Tue Aug 18, 2009 6:50 pm

I've got a question about your answer. After that, when will the person be able to reconnect from that same IP address?
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: [ask] still confusing

Wed Aug 19, 2009 12:27 am

prof wrote:
After that, when will the person be able to reconnect from that same IP address?

One week. The duration can be set in address-list-timeout.
Last edited by skillful on Wed Aug 26, 2009 12:35 am, edited 1 time in total.
 
fosben
Frequent Visitor
Posts: 81
Joined: Thu Dec 14, 2006 4:50 pm

Re: [ask] still confusing

Tue Aug 25, 2009 1:59 pm

The easiest fix is to change the service ports to something else; then the scripts the hackers use don't trigger. I've changed the default service port on all my RBs and never have a problem with brute force. I had a lot of brute-force attempts before I did that.
