Detect pptp attack

Kampfwurst · August 13, 2019, 6:26pm

HI,

I would like to detect the PPTP attacks from Bots and put them to a black list.

I tried it with the following rules.

6 ;;; detect PPTP attack
chain=input action=add-src-to-address-list connection-state=new connection-limit=4,32 protocol=tcp src-address-list=!black_list address-list=black_list address-list-timeout=1w dst-port=1723 dst-limit=3/1m,3,src-address/1m40s log=no
log-prefix=“PPTP LOG”

7 ;;; drop PPTP Blacklist
chain=input action=drop src-address-list=black_list log=no log-prefix=“”

I found very less information about the “Extra” in the firewall rules, I would like put the scr-address to the black list after 4 wrong authentications. Maybe someone can help with the settings or rules.

Chris.

mistry7 · August 14, 2019, 6:02am

Why you Are Using PPTP, it is outdated, and a Risk.
Why not L2tp with IPSec it is easy to Use as PPTP

Kampfwurst · August 14, 2019, 8:33am

because i never had luck with the L2TP/IPsec with the mikrotik. In my mind its to complicated and with every new version something is not working. With the pptp i never had this problems.

mistry7 · August 14, 2019, 9:29am

Thats not true we use it on all sites, and it has no problems, most user problems are Firewall related.
PPtP is brocken and easy to hack, eG Apple has removed it form all devices

Jotne · August 14, 2019, 11:37am

I did test out PPTP first, but are now running L2TP/IPSec PSK.
It could be using a certificate as well.

There are several tutorials on the net on how to set it up.

PPTP is a non encrypted tunnel, so no security at all. Do not use.

Kampfwurst · August 14, 2019, 4:00pm

Ok so i tried to set up L2TP with IPsec

I looks not so bad. I get my other router connectet over the “L2TP Client” under Interfaces. Under encoding is writen “cbc(aes) + hmac(sha1)” is this correct?
On my main side i use the hAP ac² with the IPsec hardware acceleration. The other side is using a RB941-2nD. There is not much traffic so that should be ok.