How to dynamically block unwanted IPs?

Hello,
I have an OpenVPN server on my MikroTik router.
I'm able to connect to it - and everything is working.
When I connect to the server it's from an unknown/dynamic IP (using an Android device on a cellular network).
Today I saw there are many IPs that are trying to connect (which are not my attempts),
for example:
162.142.125.129
167.94.138.117
167.248.133.63
How can I block them?
I can't do "Port-Knocking" because I'm using the standard OpenVPN app.
Is there something I can do?

Thanks,

Two approaches I can think of: whitelisting or blacklisting.
I used to have a blacklist and added IP blocks by hand, based on logging. I stopped with that as the list got very long. But it might suit you. I know there are also geo lists available.

This is what I thought to do also - but as you said it would have to be maintained manually.
Is there any way to know, say, if the user put in the wrong password 3 times from the same IP? Then I would block it for 1 hour (example of what I'm thinking).

So? Just install a "port-knock" app on your Android device.
This has nothing to do with the VPN app.
The only thing: you first need to execute the port-knock app, then launch the OpenVPN app.
I use an Android app called "Port Knocker" where you can set up the sequence that needs to be knocked.

This may just be a port tester.

You can block IPs trying to get in if there are x number of failed attempts. (Solution found in this forum) I do use it.
You can block all IP trying to use a port that is not open on your router, for example for 24 hours. This stops port scanners as soon as it hits first blocked port. I do use this solution as well. (Solution found in this forum)

You could use a 3-stage address-list. It works in all chains: input, nat, raw. Example for SSH:

/ip firewall filter
add action=drop chain=input comment="Drop SSH brute forcers from WAN <- Src. Address List: ssh_blacklist" dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="Address-list SSH 4th attempt: add ssh_stage3 -> ssh_blacklist" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input comment="Address-list SSH 3rd attempt: add ssh_stage2 -> ssh_stage3" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input comment="Address-list SSH 2nd attempt: add ssh_stage1 -> ssh_stage2" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="Address-list SSH first attempt: -> add ssh_stage1" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp

I didn't know there is an Android app for this … thanks!

But now that I'm thinking about it, I have another problem.
My MikroTik is behind another router which is the main gateway.
In the "main router" I have only port-forwarded the VPN port TCP_1194 - so the port knocking will not be effective, unless I open another port and forward it to the MikroTik - no?

This is what I see in the log; it seems that some succeed in connecting to my network, no?

15:20:28 ovpn,info TCP connection established from 167.94.138.47 
15:20:28 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=7843a8f18b30eeb3 pid=0 DATA len=0 
15:20:28 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3d56fddc9a0938f pid=0 DATA len=0 
15:20:28 ovpn,debug,packet sent P_ACK kid=0 sid=7843a8f18b30eeb3 [0 sid=3d56fddc9a0938f] DATA len=0 
15:20:28 ovpn,debug <167.94.138.47>: disconnected <peer disconnected> 
15:20:28 ovpn,info TCP connection established from 167.94.138.47 
15:20:28 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=15f09831dff6ddb4 pid=0 DATA len=0
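
The pattern in that log (TCP accepted, HARD_RESET exchanged, peer gone within the same second) is a connection that never reached the TLS handshake, so no certificate or password was ever checked. The script below is an added example, not code from the thread: it classifies RouterOS ovpn log lines on that basis and counts per-IP probes, which is the same "failed attempts per source" signal the address-list rules above key on. The three lines for 203.0.113.10 are constructed to show a handshake that does go on to P_CONTROL_V1, and the attribution of packet lines to the most recently established peer is an assumption, since RouterOS prints no address on those lines.

```python
import re
from collections import defaultdict

# Sample input. The first seven lines are the ones quoted in the post above; the
# last three are constructed to show a handshake that goes on to the TLS control
# channel (P_CONTROL_V1), which the connections in the post never reach.
LOG = """\
15:20:28 ovpn,info TCP connection established from 167.94.138.47
15:20:28 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=7843a8f18b30eeb3 pid=0 DATA len=0
15:20:28 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3d56fddc9a0938f pid=0 DATA len=0
15:20:28 ovpn,debug,packet sent P_ACK kid=0 sid=7843a8f18b30eeb3 [0 sid=3d56fddc9a0938f] DATA len=0
15:20:28 ovpn,debug <167.94.138.47>: disconnected <peer disconnected>
15:20:28 ovpn,info TCP connection established from 167.94.138.47
15:20:28 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=15f09831dff6ddb4 pid=0 DATA len=0
15:21:02 ovpn,info TCP connection established from 203.0.113.10
15:21:02 ovpn,debug,packet rcvd P_CONTROL_V1 kid=0 sid=0a1b2c3d4e5f6071 pid=1 DATA len=262
15:21:03 ovpn,debug,packet sent P_CONTROL_V1 kid=0 sid=99aa88bb77cc66dd pid=1 DATA len=1100
"""
ESTABLISHED = re.compile(r"TCP connection established from (\S+)")
DISCONNECTED = re.compile(r"<(\S+)>: disconnected")
PACKET = re.compile(r"packet (?:sent|rcvd) (P_\w+)")

# Opcodes exchanged before any TLS data. A connection closed after seeing only
# these never presented a certificate or a username/password.
PRE_TLS = {"P_CONTROL_HARD_RESET_SERVER_V2", "P_CONTROL_HARD_RESET_CLIENT_V2", "P_ACK"}

def classify(log):
    """Return {ip: [verdict per TCP connection]} from RouterOS ovpn log text.
    Assumption: packet lines carry no peer address, so each one is attributed
    to the most recently established connection that is still open."""
    verdicts = defaultdict(list)
    open_conns = {}  # ip -> opcodes seen on that peer's current connection
    current = None
    for line in log.splitlines():
        if m := ESTABLISHED.search(line):
            current = m.group(1)
            open_conns[current] = set()
        elif (m := PACKET.search(line)) and current in open_conns:
            open_conns[current].add(m.group(1))
        elif (m := DISCONNECTED.search(line)) and m.group(1) in open_conns:
            seen = open_conns.pop(m.group(1))
            verdicts[m.group(1)].append("probe" if seen <= PRE_TLS else "tls-attempted")
    for ip, seen in open_conns.items():  # still open when the log ends
        verdicts[ip].append("open-pre-tls" if seen <= PRE_TLS else "open-tls")
    return dict(verdicts)

def probe_counts(log):
    """Per source IP, how many connections were dropped before TLS even started."""
    return {ip: v.count("probe") for ip, v in classify(log).items() if "probe" in v}
```

Run against a longer export of the same log, the probe counts are what you would compare to a threshold before adding a source to a timed address-list.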

You need to open all ports you want to use for port knocking on the front router so they reach your MikroTik router.