@pashamray
Last active May 21, 2018 07:37

/ip firewall filter
# New TCP connections to port 22 on the router itself are sent to the sshbruteforces chain.
add action=jump chain=input comment="sshbruteforces chain" connection-state=new dst-port=22 jump-target=sshbruteforces protocol=tcp
# Sources already on the blacklist are dropped before any stage is evaluated.
add action=drop chain=sshbruteforces comment="drop ssh brute forcers" src-address-list=ssh_blacklist
# Each new connection made while the source is still listed (1m timeout) moves it up one stage;
# a new connection from a source in ssh_stage3 puts it on ssh_blacklist for 1w3d.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=sshbruteforces connection-state=new src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=sshbruteforces connection-state=new src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=sshbruteforces connection-state=new src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=sshbruteforces connection-state=new
# No action is given on the sshbruteforces rules below, so the RouterOS default (accept) applies.
add chain=sshbruteforces dst-port=22 protocol=tcp
# Blacklisted sources are also blocked from reaching SSH on hosts behind the router.
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add chain=sshbruteforces dst-port=22 protocol=tcp connection-state=new
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
