To detect and see which users are trying to carry out a brute force attack on a MikroTik router, you can review the system logs, where access attempts and suspicious activities are recorded.

Brute force attacks are typically characterized by numerous failed login attempts in a short period of time. MikroTik RouterOS is quite robust in its logging capabilities, providing details that can help you identify this type of anomalous behavior.

Steps to Check Brute Force Attack Logs:

1. Access to Records (Logs):
   • From WinBox: You can access the logs by selecting “Log” in the main menu. This will show you a list of recent events, including login attempts.
   • By Terminal: Use the command /log print to view the logs. You can filter by specific event types if you're looking for something in particular, such as login attempts.
2. Search for Failed Login Events: Search the logs for entries indicating failed login attempts. These will often be labeled with messages such as “login failure” and may include the IP address of the source of the access attempt.
3. Identify Brute Force Attack Patterns: A brute force attack is characterized by multiple failed login attempts from the same IP address or a range of IPs within a short period of time. Review the logs to identify such patterns.

Additional Actions:

• Block Suspicious IP Addresses: You can create rules in the MikroTik firewall to block specific IP addresses that you think are attempting brute force attacks.
• Enable Dynamic Blacklist: Consider using dynamic blacklists to automatically block IP addresses attempting brute force attacks.
• Change Standard Service Ports: Changing port numbers for services such as SSH, Winbox, and WebFig to non-standard ports can help reduce brute force attacks.
• Limit Failed Login Attempts: MikroTik allows you to set a limit on the number of failed login attempts before temporarily blocking access from the suspicious IP address.
• Enable Two-Factor Authentication (2FA): If possible, enable two-factor authentication to improve security.

Monitoring your MikroTik router logs regularly is a recommended practice to maintain the security of your network. By quickly identifying and responding to brute force attacks, you can protect your network from unauthorized access and potential vulnerabilities.