May/11/2019 21:24:45 | memory | pptp, info | TCP connection established from 60.191.52.254
That IP is registered to China. I threw the whole /24 subnet into a drop rule at the top of my firewall’s ACL.
I have a PPTP because a buddy of mine’s ISP has a firewall that blocks outbound peer-to-peer traffic, preventing him from playing his Nintendo Switch online (he has one of those LTE wireless things, and the “firewall” is at their discretion; he can’t change it or use his own). I set him up with a PPTP VPN on my Tik so he can connect and play without having to pay monthly for a VPN service. I have tons of bandwidth. It has a solid password, but I understand PPTP isn’t the best. I know how to set up OVPN or L2TP, but speed was of the essence here, not security.
What’s weird is I don’t see any PPTP logs showing where this connection authenticated with my PPTP secrets, and I know my Tik isn’t compromised. I don’t use the default Winbox port, I drop all unrelated/unestablished inbound traffic, and all services (except Winbox) are disabled.
I guess my questions are:
How did this TCP connection get established, and what does it mean for me?
Can I set up a script on RouterOS that, upon this log entry happening, sends me an email? Sort of like an SNMP alert.
I believe my Tik is as hardened as it can be, but if you have hardening tips, please comment. Maybe you know something I don’t.
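An added example (not part of the question or of the reply) showing two ways to get the e-mail alert the question asks for, in RouterOS CLI syntax. The recipient address, the script name and the 5-minute interval are placeholders, and `/tool e-mail` is assumed to be configured already (server, from address, credentials); the log is assumed to be the default in-memory buffer shown in the log line above.

```routeros
# --- Option 1: no script. Let the logging subsystem mail every pptp/info line. ---
/system logging action
add name=mail-alert target=email email-to="admin@example.com"
/system logging
add topics=pptp,info action=mail-alert
# Drawback: this also mails the friend's own connections and every other pptp/info message.

# --- Option 2: a scheduled script that only reports the "TCP connection established" lines. ---
# Paste the body below into /system script (name: pptp-alert), then run it periodically:
#   /system scheduler add name=pptp-alert interval=5m on-event=pptp-alert
# The global variable remembers the last entry already mailed so nothing is sent twice.
:global pptpAlertLast
:if ([:typeof $pptpAlertLast] = "nothing") do={ :set pptpAlertLast "" }

:local ids [/log find topics~"pptp" message~"TCP connection established"]

# If the last mailed entry has already rolled out of the memory log, report everything present.
:local passedLast true
:if ($pptpAlertLast != "") do={
    :foreach id in=$ids do={
        :if (([/log get $id time] . " " . [/log get $id message]) = $pptpAlertLast) do={
            :set passedLast false
        }
    }
}

# Everything up to and including the last mailed entry is old; collect what comes after it.
:local body ""
:local count 0
:local newest $pptpAlertLast
:foreach id in=$ids do={
    :local entry ([/log get $id time] . " " . [/log get $id message])
    :if ($passedLast) do={
        :set body ($body . $entry . "\n")
        :set count ($count + 1)
    } else={
        :if ($entry = $pptpAlertLast) do={ :set passedLast true }
    }
    :set newest $entry
}

:if ($count > 0) do={
    /tool e-mail send to="admin@example.com" subject=([/system identity get name] . ": " . [:tostr $count] . " new PPTP control-channel connection(s)") body=$body
    :set pptpAlertLast $newest
}
```

The script keys on the log entry's time and message text, so two identical lines within the same second would be treated as one; for the purpose of knowing that somebody is knocking on port 1723 that is good enough. Option 1 is the closer analogue of an SNMP trap, Option 2 is the one that stays quiet while the friend plays.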
The successful establishment of a TCP connection is a prerequisite for the user authentication process to ever start, as that session is used to carry the authentication conversation and subsequently also to control the establishment of the GRE connection carrying the actual PPTP tunnel. Establishment of a TCP session cannot itself be authenticated. Its establishment is logged as an “info” severity event to make you aware of the progress. The fact that no further message is there indicates that the attacker hasn’t succeeded in guessing the password; if they had, there would either be another line informing you about the user login, or even the “TCP connection established” one would be missing if the attacker was prepared to barge into a Mikrotik in particular and thus knew how to remove the evidence from the log.
PPTP’s security is low, so you should at least make sure that whatever comes in via that particular PPTP tunnel cannot establish connections to your Mikrotik itself or your LAN. If you are using PPTP for the purpose you’ve described, that’s enough; at worst, the Chinese guys will use your box to bypass the Great Firewall of China. If you were using PPTP as a way to securely access your LAN from remote, it would be a mistake.
If you want to minimize the number of those messages, in your particular scenario it is enough to restrict access to your TCP port 1723 to the few public IP subnets your friend’s mobile operator uses to NAT subscriber connections.
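The two measures from the reply (tunnel clients isolated from the router and the LAN, and port 1723 reachable only from the friend's carrier) written out as an added example in RouterOS CLI syntax; this is not configuration from the original poster or the reply. 203.0.113.0/24 stands in for the carrier's CGNAT pool, 10.99.0.0/24 for the address pool handed to PPTP clients, 192.168.88.0/24 for the LAN and ether1 for the WAN interface; all four are placeholders to adjust.

```routeros
# Address pool and profile for the single PPTP user, so tunnel clients are easy to match in the firewall.
/ip pool
add name=pptp-pool ranges=10.99.0.2-10.99.0.254
/ppp profile
add name=pptp-guest local-address=10.99.0.1 remote-address=pptp-pool
/ppp secret
add name=friend password="<long random passphrase>" service=pptp profile=pptp-guest
/interface pptp-server server
set enabled=yes default-profile=pptp-guest

# Only the friend's carrier may even open the control channel (TCP 1723) or send GRE.
/ip firewall address-list
add list=pptp-allowed-src address=203.0.113.0/24 comment="friend's carrier CGNAT pool (placeholder)"

/ip firewall filter
# These four rules belong above the existing "drop everything not established" input rule.
add chain=input action=accept protocol=tcp dst-port=1723 src-address-list=pptp-allowed-src comment="PPTP control channel from the friend's carrier only"
add chain=input action=accept protocol=gre src-address-list=pptp-allowed-src comment="PPTP data tunnel (GRE) from the same source"
add chain=input action=drop protocol=tcp dst-port=1723 comment="anyone else never completes the handshake, so no 'TCP connection established' log line"
add chain=input action=drop protocol=gre

# Whatever comes through the tunnel may reach the Internet, but not the router and not the LAN.
add chain=input action=accept protocol=udp dst-port=53 src-address=10.99.0.0/24 comment="optional: DNS for tunnel clients"
add chain=input action=drop src-address=10.99.0.0/24 comment="tunnel clients cannot manage the router (Winbox, API, ...)"
add chain=forward action=drop src-address=10.99.0.0/24 dst-address=192.168.88.0/24 comment="tunnel clients cannot reach the LAN"
add chain=forward action=accept src-address=10.99.0.0/24 out-interface=ether1 comment="tunnel clients may only go out to the Internet"

/ip firewall nat
add chain=srcnat action=masquerade src-address=10.99.0.0/24 out-interface=ether1 comment="probably already covered by the existing masquerade rule"
```

Rule order matters: check with `/ip firewall filter print` that the accept rules sit above the catch-all input drop and that the forward drop toward the LAN sits above any broad forward accept, and use `/ip firewall filter move` if they landed below. The carrier's source ranges can be read off the friend's own successful login lines in the log; CGNAT pools change over time, so expect to widen the address list occasionally rather than lock it to a single /24.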