Hello.
I have a PPTP tunnel for my users, but it seems like I have been getting a lot of brute-force attempts recently.
How do I add an IP to a blacklist after, let's say, 3 sequential tries?
PPTP should be avoided. Not secure at all.
Set up IPSec/L2TP.
Here is a script for IPSec/L2TP:
http://forum.mikrotik.com/t/black-list-for-failed-login-to-ipsec-vpn/130090/4
I wish to stay with PPTP since it is already in use, and switching over the external users would be quite messy work.
Is there a way to log and block the users who try to log in with incorrect credentials?
or
ignore logins from outside some sort of whitelist, if possible?
Quick search, see this post for reference.
http://forum.mikrotik.com/t/implementing-a-blacklist/130806/1
Add the port being used for PPTP (TCP/1723?).
Successful logins might also appear on that level 1 list, but as long as they are successful, they should never hit level 2.
Otherwise play with the timeouts etc.
Be sure to test properly and make SURE you have a local escape path using another port so you do not lock yourself out when setting this up.
But I agree with jotne not to use PPTP anymore…
We're not using clay tablets anymore either, are we?
Look at it from another angle… why do you think you're getting brute-forced on that port? Because PPTP is "relatively" easy to crack, that's why they try. Sooner or later someone will hit the magic section and then you're so out of luck…
No need to change all at once. You can also do it gradually.
But sooner or later you will have to. Better now. Inconvenience is rarely a good reason to postpone.
My view.
Hmm… how do I change it gradually?
You mean that the two types of tunneling co-exist for some time? Wouldn't there be any kind of issue?
No problem to have different tunnel types.
Set up IPSec/L2TP alongside PPTP.
Then move users over one by one to the new, secure solution.
To answer the real question, since the same problem exists for L2TP (my logs fill up all the time with people trying to connect):
You can definitely put a whitelist in place using an address-list of accepted clients, then only allow connections on TCP/1723 from the src-address-list of that whitelist.
Or, what I like to do is a brute-force filter using the same concept as the SSH one, just changing the dst-port, or a newer way using the connection rate limit option.
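Added example (not code from any post in this thread): a RouterOS firewall fragment that combines the whitelist idea from the last reply with the staged "level 1 / level 2" blacklist described earlier, adapted from MikroTik's well-known SSH brute-force pattern to TCP/1723. The list names, the timeouts, the 203.0.113.0/24 client range, the 192.168.88.0/24 LAN and Winbox on TCP/8291 as the escape path are all assumptions for illustration.

```routeros
# Added example, not from any post above: whitelist + staged blacklist for PPTP (TCP/1723)
# on MikroTik RouterOS, adapted from the well-known SSH brute-force filter pattern.
# Assumed values: list names, timeouts, 203.0.113.0/24 (known client range),
# 192.168.88.0/24 (LAN) and Winbox on TCP/8291 as the escape path.

# 1. Escape path first: management from the LAN on a different port, so a
#    mistake in the rules below cannot lock you out of the router.
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address=192.168.88.0/24 action=accept comment="mgmt: Winbox from LAN (escape path, assumed)"

# 2. Whitelist: clients with known source addresses skip the counters entirely.
/ip firewall address-list
add list=pptp_allowed address=203.0.113.0/24 comment="known PPTP clients (assumed range)"

/ip firewall filter
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp_allowed action=accept comment="PPTP: whitelisted clients"

# 3. Drop anything already blacklisted, before it can touch the counters.
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp_blacklist action=drop comment="PPTP: drop blacklisted sources"

# 4. Staged counters. add-src-to-address-list is non-terminating and the list
#    is updated immediately, so the stages MUST be ordered highest stage first;
#    otherwise a single packet would walk through every stage in one pass.
#    Third new connection within the 1m window -> blacklisted for 1d (assumed).
add chain=input protocol=tcp dst-port=1723 connection-state=new src-address-list=pptp_stage2 action=add-src-to-address-list address-list=pptp_blacklist address-list-timeout=1d log=yes log-prefix="pptp-blacklist" comment="PPTP: 3rd try -> blacklist"
add chain=input protocol=tcp dst-port=1723 connection-state=new src-address-list=pptp_stage1 action=add-src-to-address-list address-list=pptp_stage2 address-list-timeout=1m comment="PPTP: 2nd try -> stage2"
add chain=input protocol=tcp dst-port=1723 connection-state=new action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=1m comment="PPTP: 1st try -> stage1"

# 5. Your existing accept for the PPTP server on TCP/1723 must come AFTER the
#    rules above (use place-before=<n> when adding them to a populated chain).

# Check: who is currently blacklisted, and which sources hit the logging rule.
/ip firewall address-list print where list=pptp_blacklist
/log print where message~"pptp-blacklist"
```

Two caveats a practitioner should keep in mind. First, the counters count new TCP connections to 1723, not failed PPP authentications (the firewall never sees the auth result), so a legitimate client that reconnects three times within the window lands in the blacklist just like an attacker; that is why the whitelist accept sits above the counters and the stage timeouts are short, and why the earlier note that successful logins also appear on the level 1 list applies here. Second, PPTP carries the tunnel itself over GRE (IP protocol 47), but since the blacklist drops the TCP/1723 control connection, no GRE session is ever negotiated and no separate GRE rule is needed.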