potential vulnerability: error unknown msg on OVPN server

11:12:25 ovpn,info TCP connection established from 192.35.169.80
11:12:25 ovpn,debug,error,63032,14304,12812,12240,31696,40220,14232,12808,l2tp,info,12812,debug,79,65535,critical,64600,15944,21392,79,401928,40220,37872,40220,error unknown msg!
11:12:26 ovpn,info TCP connection established from 192.35.169.80
11:12:30 ovpn,info TCP connection established from 192.35.169.80

https://www.abuseipdb.com/check/192.35.169.80

The IP has been blacklisted, but based on the error message and the source IP it could be that they are probing for a vulnerability to some or other exploit.

I have provided a supout to Mikrotik.

I have noticed same messages in the logs for my routers. RouterOS is 6.47

09:18:01 ovpn,info TCP connection established from 192.35.168.249
09:18:01 ovpn,debug,error,64828,40456,40460,39584,22512,25020,39248,40456,l2tp,info,40460,debug,79,65535,critical,64968,3500,912,79,25096,3480,3648,4043,24420,25020,17424,25020,warning unknown msg!
09:18:01 ovpn,info TCP connection established from 192.35.168.249
09:18:01 ovpn,info TCP connection established from 192.35.168.249

The IP is nearly identical too. Would be good if you could submit a supout as well to them. My ticket number is SUP-23883

The IP space is allocated to censys.io (https://censys.io/). Censys is a well-known network security organization. They run many scans across the internet like Shodan.

Good catch that you’re seeing this. My guess is that Censys has found or is aware of a potential vulnerability. If so, they would be attempting responsible disclosure with Mikrotik and scanning the internet for potentially vulnerable hosts at the same time.

I’ve got similar log messages.


sep/15 23:55:51 ovpn,debug,error,63032,13296,13300,12024,31696,31260,12088,13296,l2tp,info,13300,debug,79,65535,critical,32952,15944,37776,79,31336,40328,19200,4043,30660,31260,54256,31260,warning unknown msg!
sep/15 23:55:52 ovpn,info TCP connection established from 162.142.125.194 
sep/15 23:55:52 ovpn,info TCP connection established from 162.142.125.194 
sep/16 06:40:02 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:02 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:04 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:06 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:08 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:10 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:12 ovpn,info TCP connection established from 68.183.40.22
sep/22 06:26:15 ovpn,info TCP connection established from 154.89.5.38 
sep/22 06:26:15 ovpn,debug,error,63032,13296,13300,12024,31696,31260,12088,13296,l2tp,info,13300,debug,79,65535,critical,32952,15944,37776,79,31336,40328,19200,4043,30660,31260,54256,31260,warning msg too short 
sep/22 06:26:31 ovpn,info TCP connection established from 154.89.5.21 
sep/22 06:26:32 ovpn,info TCP connection established from 154.89.5.21 
sep/22 06:26:32 ovpn,debug,error,63032,13296,13300,12024,31696,31260,12088,13296,l2tp,info,13300,debug,79,65535,critical,32952,15944,37776,79,31336,40328,19200,4043,30660,31260,54256,31260,warning msg too short

I have the same errors. It was the scanner Censys.io. I'd recommend creating drop rules that block all their IPs.

Yeah, already done.

I contacted them and asked why they were scanning my IPs, which they did not respond to, so I reported it to my government as a malicious actor.

Can you please publish this blocking rule?

https://www.whois.com/whois/192.35.169.80

their IP range is 192.35.168.0/23.

Add this to an IP list called badguys: ip → firewall → address list
then add a new rule: chain=input src_address_list=badguys action=drop and chain=forward src_address_list=badguys action=drop. Make sure those two rules are high up in your firewall so that they get blocked early.
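As an added example (not from the original thread or from MikroTik), the script below parses ovpn log lines like the ones quoted above, attributes each "unknown msg!" / "msg too short" error to the most recently connected peer (an assumption, since RouterOS does not print the source IP on the error line), checks whether the peer falls in the 192.35.168.0/23 range quoted in the thread, and emits the equivalent RouterOS CLI commands for the "badguys" address list and drop rules. The sample log is constructed; the list name, comment text and `place-before=0` are assumptions to adjust for your own rule ordering.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the log lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
09:18:01 ovpn,info TCP connection established from 192.35.168.249
09:18:01 ovpn,debug,error,64828,40456,l2tp,info,79,65535,critical,warning unknown msg!
09:18:01 ovpn,info TCP connection established from 192.35.168.249
sep/22 06:26:15 ovpn,info TCP connection established from 154.89.5.38
sep/22 06:26:15 ovpn,debug,error,63032,13296,l2tp,info,79,65535,critical,warning msg too short
sep/16 06:40:02 ovpn,info TCP connection established from 68.183.40.229
"""

CONNECT_RE = re.compile(r"ovpn,info TCP connection established from (\d+\.\d+\.\d+\.\d+)")
MALFORMED_RE = re.compile(r"ovpn,debug,error.*(unknown msg!|msg too short)")

# Range the thread attributes to the scanner (from the whois lookup above).
KNOWN_SCANNER_RANGES = ("192.35.168.0/23",)


def malformed_ovpn_sources(log_text):
    """Return {ip: count} of peers whose connect was followed by a malformed-message error.

    Assumption: the error belongs to the last peer that connected before it.
    """
    counts = {}
    last_ip = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            last_ip = m.group(1)
            continue
        if MALFORMED_RE.search(line) and last_ip:
            counts[last_ip] = counts.get(last_ip, 0) + 1
    return counts


def in_known_scanner_range(ip, ranges=KNOWN_SCANNER_RANGES):
    """True if ip lies inside one of the ranges already identified in the thread."""
    return any(ip_address(ip) in ip_network(r) for r in ranges)


def routeros_block_cmds(counts, list_name="badguys"):
    """RouterOS CLI equivalent of the GUI steps above: populate the list, then drop early."""
    cmds = [f'/ip firewall address-list add list={list_name} address={ip} '
            f'comment="ovpn malformed msg x{n}"' for ip, n in sorted(counts.items())]
    for chain in ("input", "forward"):
        # place-before=0 puts the rule at the top; adjust to your own rule ordering.
        cmds.append(f"/ip firewall filter add chain={chain} src-address-list={list_name} "
                    f"action=drop place-before=0")
    return cmds
```

Review the produced list before applying it; the last-peer heuristic will mis-attribute an error when two peers connect in the same second.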

Thanks