I set up a VPN in a Mikrotik yesterday and I have a question about the log. I haven't locked down the router yet as we are still testing and the site is not a site that really needs to be secured yet, but if the log shows entries like this, but doesn't show an authentication failure, what are they? Are they login attempts? If it shows TCP established, but no authentication success or failure, what does that tell me? Could that just come from a port scan?
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:10:01 pptp,info TCP connection established from 164.52.6.146
Great. So you don’t mind if your ISP cuts you off the internet? Because that’s what shall happen if some device on that site (possibly the Mikrotik itself) gets infected and starts attacking other devices to further spread the malware, or sending spam, or participating in DDoS attacks - whatever its new remote administrator decides to order it to do. Or you may find yourself mining crypto-currencies for someone else while you pay the electricity bill.
if the log shows entries like this, but doesn't show an authentication failure, what are they? Are they login attempts? If it shows TCP established, but no authentication success or failure, what does that tell me? Could that just come from a port scan?
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:10:01 pptp,info TCP connection established from 164.52.6.146
A port scan doesn’t seem likely to me as pptp listens at a single port and the connections come from the same IP address within a short window of time. I’d rather expect something to try to break in using some vulnerability that permits bypassing authentication, which may not exist on Mikrotik or may be unknown. Recording that traffic into a file using
/tool sniffer
and then inspecting the record using Wireshark or other packet analyzer is the only way to find out what is actually happening.
I am the ISP. The site in question is a remote tower with 1 piece of hardware plugged into it and the VPN has not been active for 24 hours yet. We fully intend to protect the site, the router itself is already firewalled and the network that feeds it is ridiculously protected, but right now we were just verifying that we could get in successfully from a few locations before proceeding with VPN related rules. I was just curious what could trigger that log message. Easier to firewall if I know what that is.
This doesn’t explain, though, why the scan came three times in a row from the same source. And sorry for overreacting, I’ve simply seen too many people surprised that their device got conquered minutes after being exposed to the internet without any security setup.
We get around 10,000 scan attempts a day on some of our main routers. I’ve never really looked to see if the bots send multiple probes at the same time or not. We will lock this down to only allow a couple of IPs access some time today. I’ve never done a VPN with MT so at first I was thinking established meant that someone had actually logged in already, but after reviewing it further I see that’s not the case.
And don’t worry about apologizing. As an IT person we tend to think everybody else is stupid. Most of the time we are correct.