PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:10 pm
by Fleishmachine
Hi guys,
I'm having issues with a brute force attack on PPTP.
I'm using unique names and rather solid passwords for a few of my users, so I should not worry too much, but in the logs I can see at least authentication failures in topic pptp / ppp / error with various user logins. Any chance you could help me protect this service?
Regards,
Fleishmachine
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:13 pm
by Zacharias
Do not use PPTP, it's not secure...
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:21 pm
by jbl42
PPTP is inherently unsafe by today's standards, see
https://en.wikipedia.org/wiki/Point-to- ... l#Security
If you have known IP ranges from where your PPTP users are connecting, you can improve the situation a little bit by restricting source IPs of PPTP clients.
But still, if security is a concern, PPTP should be avoided these days.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:23 pm
by Fleishmachine
How else can I replace it in the way I can access my network remotely?
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:27 pm
by Fleishmachine
If you have known IP ranges from where your PPTP users are connecting, you can improve the situation a little bit by restricting source IPs of PPTP clients.
I should be able to restrict it via IP range, but if you say that it's not secure anyway then I would rather try another available service that will give me the same features.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:35 pm
by holvoetn
Since you already use the device for PPTP access, it should be fairly easy to set up WireGuard and have your clients connect using that protocol.
Windows / Mac / Android / iPhone / ... all have client tools available to make that happen.
But it requires that you upgrade your device to ROS7, which might not be what you want?
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:42 pm
by Fleishmachine
Since you already use the device for PPTP access, it should be fairly easy to set up WireGuard and have your clients connect using that protocol.
Windows / Mac / Android / iPhone / ... all have client tools available to make that happen.
But it requires that you upgrade your device to ROS7, which might not be what you want?
I started digging and I can see that I should switch PPTP to L2TP/IPsec - I assume it gives me the same features with better security.
I don't need high performance over VPN.
I'm running RB1100AH, which I assume is ROS6? I want to upgrade this router anyway, so switching to another ROS shouldn't be a problem unless I can easily import configuration to the new router.
I will need to research WireGuard, never heard of this - but in Windows, when I set up the VPN connection I can only see PPTP, L2TP/IPsec, SSTP and IKEv2.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 3:50 pm
by holvoetn
WireGuard is a separate app for Windows but dead simple.
It blows any other vpn out of the water as far as performance and speed is concerned.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 4:16 pm
by Fleishmachine
OK, I can see that I can upgrade RB1100AH to ROS7... why did you mention that I might not want to do this?
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 4:31 pm
by anav
For business services that require such things as BGP and such, it's not quite ready.
However, for your case it probably is just fine. So without knowledge of your actual requirements he prudently urged caution.
Many folks without complex business class requirements are using it just fine.
I myself recommend going the WireGuard route if you want to give yourself secure access to your router from remote locations.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 4:54 pm
by holvoetn
Ding ding ... we have a winner
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 5:53 pm
by Fleishmachine
Right, got your points guys. Thank you for your advice.
At this moment, before I upgrade to a newer router, I will stay with ROS6 and L2TP/IPsec - I have implemented that, it works and I just need to test it for a few days.
But, as I had the issues with the brute force attack on PPTP, then I will keep having this same issue over L2TP/IPsec, won't I?
According to what I have seen it is also possible to connect two sites - is it going to be worth replacing the existing EOIP tunnel between two sites with WireGuard as well?
Actually I will need to add an additional site to the existing two sites, so at least the new site I may connect in the new way for testing.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 6:17 pm
by mkx
According to what I have seen it is also possible to connect two sites - is it going to be worth replacing the existing EOIP tunnel between two sites with WireGuard as well?
EOIP is Ethernet over IP, so L2. Most contemporary tunnels, including WireGuard, are IP, so L3. It then depends on how in particular you have the EOIP tunnel (and related things) configured; WireGuard could be either an almost drop-in replacement or mission impossible.
Re: PPP - PPTP brute force attack
Posted: Thu Apr 21, 2022 9:19 pm
by Zacharias
How else can I replace it in the way I can access my network remotely?
L2TP/IPsec, OVPN, WireGuard, IKEv2 are some of the protocols you can use for road warriors but for site-to-site tunnels as well ...
Re: PPP - PPTP brute force attack
Posted: Fri Apr 22, 2022 4:18 pm
by Fleishmachine
Cool. I have tried to block attacks over PPTP but couldn't manage to do so, so I have listened to you and I have disabled the PPTP service.
I have tested L2TP/IPsec, it works fine and I'll implement that for my road warriors at this stage; however, I will look closer at WireGuard once I have new routers with ROS7 on board.
Thanks for your advice.
Re: PPP - PPTP brute force attack
Posted: Fri Apr 22, 2022 4:24 pm
by holvoetn
If/once you do, make sure to do proper testing of throughput.
Then move to WireGuard and watch the results for the same test method ... I'd say you'll get at least 20-30% more and it's faster too (lower response times).
One thing which using IPsec has over WG is that (on some devices which support it) it can be HW offloaded, which can make up for (some) speed loss.
WG is purely SW, it cannot do that.
Re: PPP - PPTP brute force attack
Posted: Fri May 12, 2023 10:52 am
by lil0
Hello,
You can try these rules:
add action=drop chain=input comment="pptp brute force drop 1/4 - complete comunication DROP" src-address-list=pptp_blacklist_DROP
add action=add-src-to-address-list address-list=pptp_blacklist_DROP address-list-timeout=1d1h10m chain=input comment="pptp brute force drop 2/4" content="authentication failed" protocol=gre \
    src-address-list=pptp_blacklist_stage_2
add action=add-src-to-address-list address-list=pptp_blacklist_stage_2 address-list-timeout=30s chain=input comment="pptp brute force drop 3/4" content="authentication failed" protocol=gre \
    src-address-list=pptp_blacklist_stage_1
add action=add-src-to-address-list address-list=pptp_blacklist_stage_1 address-list-timeout=30s chain=input comment="pptp brute force drop 4/4" content="authentication failed" protocol=gre
It is working for my setup.
# this denies any access from the source
add action=drop chain=input comment="pptp brute force drop 1/4 - complete comunication DROP" src-address-list=pptp_blacklist_DROP
or
# only gre
add action=drop chain=input protocol=gre comment="pptp brute force drop 1/4 - complete comunication DROP" src-address-list=pptp_blacklist_DROP
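
Added example, not part of the original thread and not RouterOS code: a small Python model of how the four rules in the last post escalate a source through stage_1 and stage_2 to the drop list. It assumes the content= match is represented by an auth_failed flag, that add-to-address-list rules pass the packet on to the next rule, and that re-adding an entry restarts its timeout; the class and function names are hypothetical.

```python
# Added illustration: models the forum post's four rules; not RouterOS code.
STAGE_TTL = 30                            # address-list-timeout=30s
DROP_TTL = 86400 + 3600 + 600             # address-list-timeout=1d1h10m


class StagedBlacklist:
    def __init__(self):
        # list name -> {source ip: expiry time in seconds}
        self.lists = {"stage_1": {}, "stage_2": {}, "drop": {}}

    def _member(self, name, ip, now):
        return self.lists[name].get(ip, 0) > now

    def _add(self, name, ip, now, ttl):
        # Assumption: re-adding an existing entry restarts its timeout.
        self.lists[name][ip] = now + ttl

    def packet(self, ip, now, auth_failed):
        """Verdict for one packet; auth_failed stands for the content= match."""
        if self._member("drop", ip, now):              # rule 1/4
            return "drop"
        if auth_failed:
            # The add-to-list rules do not stop processing, so all three are
            # evaluated in order. Checking the highest stage first means one
            # packet can move a source up by only one stage.
            if self._member("stage_2", ip, now):       # rule 2/4
                self._add("drop", ip, now, DROP_TTL)
            if self._member("stage_1", ip, now):       # rule 3/4
                self._add("stage_2", ip, now, STAGE_TTL)
            self._add("stage_1", ip, now, STAGE_TTL)   # rule 4/4
        return "accept"


def simulate(events):
    """events: iterable of (ip, time_s, auth_failed); returns the verdicts."""
    fw = StagedBlacklist()
    return [fw.packet(ip, t, failed) for ip, t, failed in events]


if __name__ == "__main__":
    ip = "192.0.2.10"  # constructed sample address (documentation range)
    print(simulate([(ip, 0, True), (ip, 10, True), (ip, 20, True), (ip, 25, False)]))
```

The stage timeout is the detection window: a source reaches the drop list on its third matching packet only if each one arrives within 30 s of the previous one, and the block then lasts for the 1d1h10m timeout.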