Hi!
I’ve got multiple login attempts over pptp from multiple IP addresses. It goes one after another every few seconds…
pptp info TCP connection established from xx.xx.xx.xx
pptp ppp info waiting for call
pptp ppp info terminating …- cntrl message too big
pptp ppp info disconnected
So, what ports do I have to block to prevent these attempts? Can anyone help me?
Yes… colleague is using it often. I turned it off for now… thx.
So, is there a way to protect it from further brute force attacks? Problem is that it was from multiple IP addresses.
There are a number of methods that you could use. I am not vouching for the 100% security of any of them, but some ideas are:
Set up a port knocking application that will be required prior to accessing the pptp server (there’s an example in the wiki here: http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router ). The explanation in that link isn’t the most lucid, but I can’t find the other one I thought was there.
If you know the IP addresses that will be accessing the pptp server, there is no need for port knocking. You can simply permit pptp only from those IP addresses using the firewall.
Depending on the traffic pattern, you may be able to detect the IP addresses making these failed attempts and use some form of “hacker IP tracking” (my term) and block their access in the firewall.
Be CERTAIN that your pptp secrets use secure passwords and not something silly like the person’s last name or phone number or whatever.
There are likely some other ideas that you could implement, but these are the first things off the top of my head.
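Added example, not part of the original thread: a RouterOS firewall sketch of the allow-list and failed-attempt tracking ideas above, for PPTP's control channel (TCP 1723) and its GRE data channel. The address-list names, the 203.0.113.10 address, and the thresholds and timeouts are assumptions chosen for illustration.

```routeros
# Added example; list names, address and timeouts are assumptions.
/ip firewall address-list
# Constructed sample entry: a remote user whose public IP is known.
add list=pptp_allowed address=203.0.113.10 comment="known PPTP client (example)"

/ip firewall filter
# 1. Sources already blacklisted are dropped first.
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp_blacklist \
    action=drop comment="PPTP: drop blacklisted sources"

# 2. Known client addresses are accepted before any tracking happens,
#    so a legitimate user who reconnects often is never blacklisted.
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp_allowed \
    action=accept comment="PPTP: control channel from known clients"
add chain=input protocol=gre src-address-list=pptp_allowed \
    action=accept comment="PPTP: GRE data channel from known clients"

# 3. Track new connections from everyone else. Each new connection inside
#    the 1m window moves the source one stage up; the fourth one puts it
#    on the blacklist for a day. Rules are ordered highest stage first.
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage3 action=add-src-to-address-list \
    address-list=pptp_blacklist address-list-timeout=1d \
    comment="PPTP: 4th new connection -> blacklist"
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage2 action=add-src-to-address-list \
    address-list=pptp_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    src-address-list=pptp_stage1 action=add-src-to-address-list \
    address-list=pptp_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=1723 connection-state=new \
    action=add-src-to-address-list \
    address-list=pptp_stage1 address-list-timeout=1m

# 4. Strict variant: if every client address is known, drop the rest.
#    With these two rules enabled, step 3 only records who is probing.
add chain=input protocol=tcp dst-port=1723 action=drop disabled=yes \
    comment="PPTP: drop unknown sources (enable for allow-list only)"
add chain=input protocol=gre action=drop disabled=yes \
    comment="PPTP: drop GRE from unknown sources"
```

These rules have to sit above any existing input-chain rule that accepts TCP 1723 or GRE, otherwise they never match. Per-source tracking only catches an address that reconnects within the window; against many addresses that each try once, the allow-list in steps 2 and 4 is the effective control.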