VPN log full with failed attempts -> any way to make sure the system is not compromised?

Hi,

I have set up a VPN successfully using L2TP with IPsec (using a strong secret and user/passwd) and use it many times because I do not trust open Wi-Fi spots.

I’m under the illusion that I have set it up securely, but I was checking my logs and saw that yesterday there were massive errors in the logfile from a possible hacker/script kiddie who might be brute-forcing its way in.

There are many errors in the log like these:
phase1 negotiation failed.
failed to pre-process ph1 packet (side: 1, status 1).
failed to get valid proposal.

As far as I can see there is no connection established, but I’m not able to trace the source IP.
I do have a firewall script which checks for IP scans and blocks the IP when there were too many of them, but it was not triggered.

Is there a way to do a sanity check or a way to trace the IP that tried to log in?

Normally, for a valid VPN request the first log line is:
first L2TP UDP packet received from IP
but I could not find it in the log, so how can I be sure my MikroTik is not compromised?
I did find a “check installation” under “packages”, but it just went to 100% and did not report any result.

Thanks in advance
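A log triage along the lines asked for above, as an added example that is not part of the original posts: it counts the IPsec phase 1 failures quoted in the post per minute and lists every peer that reached the "first L2TP UDP packet received from" stage, so sessions from unexpected addresses stand out. The `HH:MM:SS topics` line prefix, the `triage` function and the sample lines are assumptions constructed for illustration; the failure lines carry no source IP, so none can be recovered from them.

```python
import re
from collections import Counter

# Failure messages quoted in the post; the "HH:MM:SS topics" prefix is assumed.
FAIL_MARKERS = (
    "phase1 negotiation failed",
    "failed to pre-process ph1 packet",
    "failed to get valid proposal",
)
L2TP_START = re.compile(r"first L2TP UDP packet received from (\S+)")
LINE = re.compile(r"^(\d{2}):(\d{2}):\d{2}\s+\S+\s+(.*)$")

def triage(lines, known_peers=()):
    """Summarise phase 1 failures and L2TP session starts in a log export."""
    failures_per_minute = Counter()
    l2tp_peers = Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        hour, minute, msg = m.groups()
        if any(marker in msg for marker in FAIL_MARKERS):
            failures_per_minute[f"{hour}:{minute}"] += 1
        start = L2TP_START.search(msg)
        if start:
            l2tp_peers[start.group(1)] += 1
    busiest = failures_per_minute.most_common(1)
    return {
        "failures": sum(failures_per_minute.values()),
        "busiest_minute": busiest[0] if busiest else None,
        "l2tp_peers": dict(l2tp_peers),
        # Peers that got as far as L2TP but are not on the expected list.
        "unknown_l2tp_peers": sorted(p for p in l2tp_peers if p not in known_peers),
    }

# Constructed sample export (documentation address, not real log data).
SAMPLE = """\
03:14:01 ipsec,error phase1 negotiation failed.
03:14:01 ipsec,error failed to pre-process ph1 packet (side: 1, status 1).
03:14:02 ipsec,error failed to get valid proposal.
03:14:09 ipsec,error phase1 negotiation failed.
03:15:30 ipsec,error failed to get valid proposal.
18:02:11 l2tp,info first L2TP UDP packet received from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE, known_peers={"198.51.100.7"}))
```

An empty `unknown_l2tp_peers` list only says that no unexpected peer got past IPsec in the exported log; it is a triage aid, not proof of integrity.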

I share this concern. Currently I only use site-to-site VPNs whitelisted by IP, but I would like to open this up to mobile clients.

As far as I know, MikroTik has no brute-force protection for VPNs. Maybe it’s possible via the firewall, but this seems a little crude. Ideally I’d like ‘fail2ban’-type behaviour.

At least the source IP should be logged, so I can add it to a firewall rule.

Could you share how this is done?

Sent from my HTC One via Tapatalk

That’s kind of my question, but I assume it’s not possible in the current build of RouterOS.