How can I protect my VPN network from attempted intrusion?

Hello, I would appreciate it if you could help me with the following problem.
I have configured an OpenVPN VPN and another one with L2TP/IPsec.
In both I have noticed connection attempts to the VPNs in the logs.
I would like to know how to block those access attempts that are rejected. Thank you.

My view:
Don’t bother.
It’s more effort than what it will give you as added value. Besides, it will be a continuous fight which you can never win.
As long as they cannot get in (and with OVPN or L2TP/IPsec it should be safe), there is no problem.

You could use some creative dynamic address lists, but it will take away resources from your router, and at some point you will also be blocked by it yourself when you’re all of a sudden at an unexpected place and need to get in. Usually such a thing happens when it is least convenient!! Been there, done that.

If the intended VPN tunnel partners have static IP addresses, then you can limit access to VPN service to only those few select IP addresses. If VPN peers’ addresses are dynamic, then you can’t do much. Just make sure that used credentials are strong … and occasionally change them.

On that last part … I need to search for it again, but I read an article some time ago that changing credentials on a frequent basis actually makes the access LESS secure.

How so? Unless the reason is sociological (a person needs time to remember a new password and during that time he has it written on a Post-it) I’m not buying it. Every proper encryption layer changes the session encryption key every now and then; IPsec does it so the contents are better protected. Then there’s the IPsec secret (I guess used only during initial connection setup). It probably doesn’t matter if one changes it or not as long as it’s the target of a brute-force attack; only having it set to a long string which is not part of any dictionary helps somehow. But I can hardly believe that changing secrets makes the connection less secure.

Change default ports if you can. That is why I like WireGuard, as you can elect to use any port…

I seem to recall that was the main reason. From a convenience point of view, frequent changes usually result in passwords which are less secure and easier to remember and/or are more often reproduced (written on paper or in some plain electronic list where it is pretty easy to collect).

Even Microsoft advises against it now?
They do recommend using a do-not-use list for passwords and, of course, MFA.

https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide

But we’re getting way off-topic now …

Rextended has a script you put in the scheduler to run every 5 minutes that puts them in a bruteforce_blacklist address list, which you drop in the raw filter. It limits the annoyance in the logs. That is about all you can do.

# Created Jotne && rextended 2022 v1.5
#
# This script adds the source IP of any log line containing "IPSEC negotiation failed", "SPI* not registered" or "Invalid exchange" to a block list
# Schedule the script to run every 5 min
# It should run on all RouterOS versions
# 1.3 added "Invalid exchange"
# 1.4 added dot behind "negotiation failed" to get only lines with an IP
# 1.4 merged everything into one loop, based on an idea by rextended
# 1.5 Fixed typo

:local logMessage ""
:local logIp ""
/log
# Walk every log entry that matches one of the three IPsec failure patterns
:foreach i in=[find where message~"phase1 negotiation failed\\." or message~"SPI.*not regist" or message~"Invalid exchange"] do={
    :set logMessage [get $i message]

    # "<ip> phase1 negotiation failed due to ..." : the IP is the first word
    :if ($logMessage~"phase1 negotiation failed\\.") do={
        :set logIp [:toip [:pick $logMessage -1 [:find $logMessage " "]]]
        :if ([:len [/ip fire addr find where list=bruteforce_blacklist address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=bruteforce_blacklist timeout=1d
            :log info message="script=IPSEC_failed src_ip=$logIp why=negotiation_failed"
        }
    }

    # "SPI <n> not registered for <ip>[port]" : the IP sits between "for " and "["
    :if ($logMessage~"SPI .* not registered for") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "for "]+4) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list=bruteforce_blacklist address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=bruteforce_blacklist timeout=7d
            :log info message="script=IPSEC_failed src_ip=$logIp why=SPI_not_registered"
        }
    }

    # "Invalid exchange ... from <ip>[port]" : the IP sits between "from " and "["
    :if ($logMessage~"Invalid exchange") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from "]+5) [:find $logMessage "["]]]
        :if ([:len [/ip fire addr find where list=bruteforce_blacklist address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=bruteforce_blacklist timeout=7d
            :log info message="script=IPSEC_failed src_ip=$logIp why=Invalid_exchange"
        }
    }
}
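The script above only fills the bruteforce_blacklist list; the thread does not show the firewall rules or scheduler entry that go with it, nor the "limit access to a few static peer addresses" rule suggested earlier. The following is an added RouterOS example, not from the thread or from Rextended's script, that wires the two together. It assumes the script was saved as a system script named ipsec_blacklist, that static peers are kept in an address list named vpn_trusted (the addresses shown are documentation ranges, not real peers), and that OpenVPN listens on the RouterOS default TCP/1194 while L2TP/IPsec uses UDP/500, UDP/4500, UDP/1701 and ESP.

```routeros
# Added example: firewall plumbing around the bruteforce_blacklist script.
# Assumptions: script saved as "ipsec_blacklist"; trusted static peers in list
# "vpn_trusted"; OpenVPN on TCP/1194; L2TP/IPsec on UDP/500,4500,1701 + ESP.

# 1) Static trusted peers (example addresses from documentation ranges).
/ip firewall address-list
add list=vpn_trusted address=198.51.100.10 comment="branch office (example)"
add list=vpn_trusted address=203.0.113.0/24 comment="partner range (example)"

# 2) Raw table: drop blacklisted sources before connection tracking and
#    the IPsec daemon spend any CPU on them. This is the "drop on raw" step.
/ip firewall raw
add chain=prerouting src-address-list=bruteforce_blacklist action=drop \
    comment="sources collected by the ipsec_blacklist script"

# 3) Filter table: VPN services answer only trusted peers; everyone else
#    is dropped silently so nothing lands in the log in the first place.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address-list=vpn_trusted \
    action=accept comment="IKE / NAT-T from trusted peers"
add chain=input protocol=ipsec-esp src-address-list=vpn_trusted action=accept \
    comment="ESP from trusted peers"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only inside an established IPsec SA"
add chain=input protocol=tcp dst-port=1194 src-address-list=vpn_trusted \
    action=accept comment="OpenVPN from trusted peers"
add chain=input protocol=udp dst-port=500,4500 action=drop \
    comment="IKE from anyone else"
add chain=input protocol=tcp dst-port=1194 action=drop \
    comment="OpenVPN from anyone else"

# 4) Run the blacklist script every 5 minutes, as its header asks.
/system scheduler
add name=ipsec_blacklist interval=5m on-event=ipsec_blacklist \
    policy=read,write,test comment="collect failed IPsec peers"
```

Step 3 only works when every legitimate peer has a static address; with dynamic peers the accept-by-list rules must be left out and you fall back to the raw drop of the blacklist plus strong credentials, as the thread says. Note that the script only matches IPsec log lines, so OpenVPN failures never reach the blacklist; the static-peer rule is the only one of the two that covers OpenVPN.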

CPU usage for no gain. Simply don’t log it. Out of sight, out of mind.

That doesn’t stop brute-force attacks, and they can end up DDoS-ing the router … ask the OP: you can end up with many very determined attackers.

Blacklisting and dropping packets makes the attacks a lot harder, as the attack IPs are continually blacklisted and dropped.
Okay, if they had a massive number they could still DDoS the router, but it is infinitely more unlikely.

As an example I currently have 33 attackers onto one router right now and it is not uncommon to see 300-400.