Community discussions

MikroTik App
 
sende
just joined
Topic Author
Posts: 1
Joined: Mon Dec 28, 2020 8:17 pm

About log records " pptp, info - TCP connection established from xxxx "

Mon Dec 28, 2020 8:24 pm

Hello there,

I'm a novice Mikrotik user. Device model
CCR1036-12G-4S.

I see "pptp, info - TCP connection established from" records in the logs. I don't know who these ip addresses are.

Image

Is this a security hole? If so how can I turn this off?

Thank you.
You do not have the required permissions to view the files attached to this post.
 
DarkNate
Member Candidate
Member Candidate
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Re: About log records " pptp, info - TCP connection established from xxxx "

Tue Dec 29, 2020 11:07 am

You are probably running OpenVPN or some other server. That's not a security hole if the firewall is properly configured, it's just an attempted TCP connection from those IPs.

They can be bots/human attackers or researchers like Censys. I regularly get attempted "hacks" from Censys (which is a good thing).

So what I did was, I created an easter egg for hackers/Censys/Security researchers on port 80 with my Telegram contact link. It's kinda fun. No one ever managed to break in, but they do click my Telegram link though.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: About log records " pptp, info - TCP connection established from xxxx "

Tue Dec 29, 2020 11:17 am

The mentioned addresses are from "stretchoid", another one of those pests.

Those are services that just try all addresses on internet for commonly known services, and maintain a database of what they find where.
When some vulnerability is found, their paying customers can use queries on that database to quickly find victims to attack.

E.g. when it becomes known that there is some vulnerability in the PPTP implementation on MikroTik routers (other than the wellknown limitations of its authentication), their customers can ask "who on internet is running PPTP on a MikroTik router" and they receive a list of IP addresses that they can use to send their malware.
They then don't need to do the search themselves at that time, it already has been prepared. Thereby the avoid the problem that some users would install a software update to remediate the problem, so they would have to act "fast".

So it is not as much a current attack, but sure it is preparation for a future one.
Also, because there are now so many of those "services", every system on internet is now receiving a constant stream of "noise" of all those services trying everything.
I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap.
I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time.
 
DarkNate
Member Candidate
Member Candidate
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Re: About log records " pptp, info - TCP connection established from xxxx "

Tue Dec 29, 2020 12:25 pm

I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap.
I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time.
That would be too complex for most retail users to accomplish. Best is keep ROS updated, maintain the firewall filters, should give a safer environment.
 
pe1chl
Forum Guru
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: About log records " pptp, info - TCP connection established from xxxx "

Tue Dec 29, 2020 2:15 pm

I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap.
I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time.
That would be too complex for most retail users to accomplish. Best is keep ROS updated, maintain the firewall filters, should give a safer environment.
I agree, there are quite a number of pitfalls with that. I would not recommend to setup an automatic blacklist filter unless all the implications are known and workarounds for known problems are included.
The reason for the blacklist is not really "security", it is more to reduce the noise traffic on the network (which consists of many much slower links behind the outside router).
I mainly mention it to indicate the scale of the problem. There are many of those scanning systems now, some claim to be for "research", some are more plainly indicating it is to collect attack surface information, some are just trying what ports are open, others are trying to login using default passwords etc, and aside of the more organized scanning networks there are the individuals that have a go at it themselves.

The result is log messages like the above. And other issues, like very large connection tables.
Personally I do not have pptp service, but when I needed to have it I would try to setup a list of authorized source addresses and just drop everything outside of that, to reduce the number of doorbell ringings.

Who is online

Users browsing this forum: No registered users and 54 guests