LOG SSTP access

Jeroen1000 · December 15, 2014, 8:18pm

Hi fellow Mikrotik users,

For PPTP I do this for logging:

14   ;;; PPTP-VPN rules
     chain=input action=accept protocol=tcp dst-port=1723 

15   chain=input action=log protocol=gre log-prefix="" 

16   chain=input action=accept protocol=gre

When a GRE tunnel is established, I know someone logged has in with success.

However, I get more than a 100 hits on port 443 every day. How can I log whether a SSTP tunnel has been established with success vs just another harmless port scanner driving by?

Regards,
Jeroen

Jeroen1000 · December 15, 2014, 9:03pm

I got a step closer!

You can find users that logged in with success via below line of code, pasted in a terminal. Of course, appropriate logging should be enabled first in order for this to work.

log print detail where buffer=memory  && message~"authenticated"

It will produce this output

time=dec/10 20:35:02 topics=sstp,ppp,info message="<sstp-TESTUSER>: authenticated"

I can now try and write a script to condense the output to, for instance, TESTUSER logged in on dec/10 20:35:02 and feed this BACK into a log topic of choice.

Unless someone knows a better way haha:-)

jarda · December 15, 2014, 10:04pm

Move sstp server from port 443 to some other port.

Jeroen1000 · December 17, 2014, 7:31pm

Doesn’t Windows 7/8/8.1 always connect to 443? Must try that asap and I’ll post whether or not it can be changed