MikroTik

Posted: **Fri May 06, 2022 4:58 pm**

Hello

i use my routeros as vpn server but the problem is there's too many login attempts, how can i block them ?

# may/ 6/2022 13:48:13 by RouterOS 7.1.5
# software id = TI09-7WK3
#
 09:55:20 system,error,critical router was rebooted without proper shutdown
 09:55:27 interface,info wireguard link up
 09:55:28 route,ospf,info OspfInstance { version: 2 0 rid: <CENSORED> } created
 09:55:42 system,critical,info ntp change time May/06/2022 09:55:56 => May/06/2022 09:55:42
 10:01:55 pptp,info TCP connection established from 78.128.113.70
 10:01:55 pptp,ppp,error <0>: user 3 authentication failed
 10:04:21 pptp,info TCP connection established from 78.128.113.68
 10:04:21 pptp,ppp,error <1>: user test authentication failed
 11:17:59 pptp,info TCP connection established from 91.191.209.236
 11:17:59 pptp,ppp,error <2>: user ip authentication failed
 11:21:09 pptp,info TCP connection established from 78.128.113.67
 11:21:09 pptp,ppp,error <3>: user ww authentication failed
 11:45:53 pptp,info TCP connection established from 91.191.209.235
 11:45:53 pptp,ppp,error <4>: user test authentication failed
 11:46:16 pptp,info TCP connection established from 91.191.209.234
 11:46:16 pptp,ppp,error <5>: user 777 authentication failed
 12:01:08 pptp,info TCP connection established from 91.191.209.236
 12:01:08 pptp,ppp,error <6>: user az authentication failed
 12:10:32 pptp,info TCP connection established from 91.191.209.234
 12:10:32 pptp,ppp,error <7>: user 4 authentication failed
 12:52:01 ipsec,info respond new phase 1 (Identity Protection): 217.182.xxx.10[500]<=>192.241.222.107[45049]
 12:53:23 ipsec,error phase1 negotiation failed due to time up 217.182.xxx.10[500]<=>192.241.222.107[45049] 111555f681d524ef:f6d090bf71840787
 12:54:14 system,error,critical login failure for user M via local
 13:07:20 pptp,info TCP connection established from 91.191.209.236
 13:07:23 pptp,ppp,error <11>: user yy authentication failed
 13:10:52 pptp,info TCP connection established from 78.128.113.70
 13:10:53 pptp,ppp,error <12>: user cc authentication failed

its my firewall rules:

add action=accept chain=input comment=Winbpx dst-port=6945 protocol=tcp
add action=accept chain=input comment=VPN dst-port=1993,1945,1994,500,4500,1701 protocol=udp
add action=accept chain=input dst-port=1993,1945,1994,1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input connection-state=established
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=Ping disabled=yes protocol=icmp
add action=drop chain=input comment=Protection

Posted: **Fri May 06, 2022 5:20 pm**

VPN server?
And what you expect if the service is reachable from worldwide?
Ignoring the obsolescence and the vulnerability of the PPTP,

on your rules where you permit pptp, simply add one address lists that is ckecked against if the IP is allowed or not.

Check twice when your clear private info...
OspfInstance { version: 2 0 rid: <CENSORED> } created

Je vous souhaite une bonne journée

Posted: **Fri May 06, 2022 5:21 pm**

You can use whitelist or port knocking. Or you can use strong usernames and passwords and just ignore this messages.

Posted: **Fri May 06, 2022 5:22 pm**

Ignore this? PPTP is vulnerable...

Posted: **Fri May 06, 2022 5:32 pm**

My fail2ban setup is readily adapted to this case. Basically, change the SSH login failure matcher to match the “pptp” log messages instead.

Posted: **Fri May 06, 2022 5:34 pm**

My fail2ban setup is readily adapted to this case. Basically, change the SSH login failure matcher to match the “pptp” log messages instead.

nice work, thank you

Posted: **Fri May 06, 2022 5:37 pm**

VPN server?
And what you expect if the service is reachable from worldwide?
Ignoring the obsolescence and the vulnerability of the PPTP,

on your rules where you permit pptp, simply add one address lists that is ckecked against if the IP is allowed or not.

Check twice when your clear private info...
OspfInstance { version: 2 0 rid: <CENSORED> } created

Je vous souhaite une bonne journée

oh you right, i removed my ip from all lines but forget that. sorry

Posted: **Fri May 06, 2022 5:40 pm**

does ptpp have vulnerabilities (not mitm attacks, because the guys from the log are not capable of this) that allow you to take over the server or log in to it without a login and password?

Posted: **Fri May 06, 2022 5:45 pm**

the main issue is this:

system,error,critical router was rebooted without proper shutdown

my routeros is crashing 3 or 4 times per day, i think these login attempts is causing this, so its not related right ?

and maybe i should use l2tp

Posted: **Fri May 06, 2022 5:50 pm**

oh, no...
again the xyproblem....

Posted: **Fri May 06, 2022 5:56 pm**

oh, no...
again the xyproblem....

you destroyed me

)))

Posted: **Fri May 06, 2022 6:02 pm**

A prerequisite to my fail2ban setup is getting the logs off the router using rsyslog. That can help with unexpected reboots since you get “last dying gasp” type messages that can help you diagnose the cause.

Posted: **Wed May 11, 2022 1:23 pm**

A prerequisite to my fail2ban setup is getting the logs off the router using rsyslog. That can help with unexpected reboots since you get “last dying gasp” type messages that can help you diagnose the cause.

i dont have linux server but i think i can do that with writing logs on routeros disk, routeros is a VPS.

MikroTik

How can i block this type of attack ?

How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?

Re: How can i block this type of attack ?