Access attempts from ShadowServer

I have 3 MikroTik routers (3011, 4011 and CCR1016) at 3 sites. All show access attempts from IPs that lead to a site called ‘shadowserver’.

IPs are 64.62.197.93, 94, 80, 14 and 74.82.47.4 and others. See the attached images for the log and shadowserver page.

Has anyone heard of this? Any action necessary?

Help appreciated,
Dave

Well, that is expected if one has VPNs open to the world; bots or others will find your IP address and attempt to connect on those ports.
Nothing unusual there, but all the more reason to use solid VPN mechanisms and not something known to be weak such as PPTP etc…
I prefer WireGuard and changing the port to something obscure compared to the fixed ports of other types, as I don't need the complexity of certificates etc…

Once I tried to mitigate attacks from the DigitalOcean network. I tried very hard to reach their abuse/security department, with no adequate reaction. In my opinion, it was a serious issue, with real malicious activity. It seems ShadowServer works on the opposite side—they try to make the Internet more secure, they are “white hackers”. If I correctly understand their nature, of course.

Or are they bad actors merely posing as white hackers, who knows these days. :slight_smile:

I’m using the Windows 10 built-in VPN to access these machines remotely using L2TP-IPsec with PSK.

Another user suggested a reboot for these routers, and this stopped the failed access attempts. They hadn’t been rebooted for more than 30 days. Any suggested changes I should look at?

Thanks,
Dave