VPN attacks? Blocking?

RouterOS General
1

Hello,
every night someone trying to connect via vpn to my mikrotik. It’s going on for about last 1 week. Have enabled L2TP/IPSEC.

IP address is 216.218.206.201, 216.218.206.206 etc. (changed every night)
1.jpg

Just added this rule but don’t know if it will be ok.

/ip firewall filter
add action=drop chain=input comment=“drop ipsec attacks” dst-port=500,1701,4500 protocol=udp src-address-list=access_blacklist

Address list:
Name: access_blacklist
216.218.206.1-216.218.206.255

Can you recommend me any measures please?
Thank you.

2

Allow in input chain only predefined ip pools you need. Others will be droped. That’s it.

3

I don’t think I can do this. I’m connecting to VPN from work and from a lot of other IP pools (a lot of places)

4

Create address list and add these pools there. You can add /18 or /16 subnets.

5

Having a public facing VPN sever will get prodded regularly by people trying to gain access maliciously.

If you have absolutely no way of locking down the accepted IP’s then the best you can do is use complex usernames and passwords with a good passphrase.

Do a whois lookup on the IP and add the subnet to an address list called “blocked” then have your first firewall rule as drop traffic from “blocked” list. It’s manual and you’ll be forever updating your list.

6

Think of port-knocking implementation (it’s really flexible and it’s only you who decide how paranoid you are to complicate the procedure) or similar techniques. Router would automatically add your IP into white list and you’ll be able to connect afterwards. Other attempts for the direct connection without proper knocking would be refused (or even could be forever or temporary blocked).

You can set expiration time for white-listed addresses to the desired period (e.g. 10 minutes, 1 hour, 10 days whatever). This would give you an opportunity to skip manual cleaning of addresses.

Knocking could be automated by self-written scripts or 3rd party apps.

That’s not really a big overhead for feeling “a bit more secured”.

7

The nightly scans are ISAKMP vulnerability probe requests executed by the Shadowserver Foundation. Actually nothing to worry about.

https://isakmpscan.shadowserver.org/

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet with a specifically crafted 64 byte ISAKMP packet and capturing the response. We intend no harm, but if we are causing problems, please contact us at: dnsscan (at) shadowserver (dot) org.

8

I’ve created a little facility for my home dial-in VPN system that addresses the issue you stated.

  1. When a client successfuly connects to VPN server (meaning it’s a valid user), a script is triggered that adds source address to whitelist.

PPP/Profiles/name of L2TP profile you are using/Scripts (“On Up” field):

/system script run vpn-on_connect

This is the source of vpn-on_connect script (variables are global so you can easily debug them in System/Script/Environment):

:delay delay-time=3

:global l2tpCount [interface l2tp-server print count-only]

:if ($l2tpCount != 0) do {
	:foreach i in=[/interface l2tp-server find] do={
		:global clientNameL2TP [/interface l2tp-server get $i name]       
		:global clientAddrL2TP [/interface l2tp-server get $i client-address]
		/ip firewall address-list add list=vpn_whitelist address=$clientAddrL2TP comment=$clientNameL2TP
	}
}
  1. Firewall rules handle the rest of the logistics.
  • Create “WAN” interface list
  • Make sure you have known IP addresses in the “allowed_access” list. Apart from manually adding entries, the above script will automatically add known IPs to vpn whitelist
  • Adjust timers to your liking and paste this to your router (with my rules clients have a chance to try to connect 3x in 10 minutes):
/ip firewall filter
add action=accept chain=forward comment="optimize: forward" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="optimize: input" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=jump chain=input comment="access control: wan" in-interface-list=WAN jump-target=input-access
add action=drop chain=input-access src-address-list=vpn_blacklist
add action=accept chain=input-access src-address-list=allowed_access
add action=accept chain=input-access protocol=icmp
add action=jump chain=input-access dst-port=500,1701,4500 jump-target=input-vpn protocol=udp
add action=jump chain=input-access dst-port=1723 jump-target=input-vpn protocol=tcp
add action=accept chain=input-vpn src-address-list=vpn_whitelist
add action=add-src-to-address-list address-list=vpn_blacklist address-list-timeout=none-dynamic chain=input-vpn log-prefix=added_to_blacklist src-address-list=vpn_stage3
add action=add-src-to-address-list address-list=vpn_stage3 address-list-timeout=10m chain=input-vpn src-address-list=vpn_stage2
add action=add-src-to-address-list address-list=vpn_stage2 address-list-timeout=10m chain=input-vpn src-address-list=vpn_stage1
add action=add-src-to-address-list address-list=vpn_stage1 address-list-timeout=none-dynamic chain=input-vpn
add action=accept chain=input-vpn
add action=drop chain=input-access
l2tp,on up scripts get src.address?
9

Thank you guys. Added one rule and seems it works.

/ip firewall filter
add action=drop chain=input comment="drop attackers ip pools (vpn)" src-address-list=block_attackers

in block_attackers address list have 216.218.206.0/24

10

Is there any chance to implement GeoIP check and block every foreign attempts?

11

Check this:

https://mikrotik-geoip.com/how-to-use?view=article&id=40&catid=2