About log records " pptp, info - TCP connection established from xxxx "

Posted: Mon Dec 28, 2020 8:24 pm
by sende
Hello there,

I'm a novice Mikrotik user. Device model
CCR1036-12G-4S.

I see "pptp, info - TCP connection established from" records in the logs. I don't know who these ip addresses are.

[image: screenshot of the log records]

Is this a security hole? If so how can I turn this off?

Thank you.

Re: About log records " pptp, info - TCP connection established from xxxx "

Posted: Tue Dec 29, 2020 11:07 am
by DarkNate
You are probably running OpenVPN or some other server. That's not a security hole if the firewall is properly configured, it's just an attempted TCP connection from those IPs.

They can be bots/human attackers or researchers like Censys. I regularly get attempted "hacks" from Censys (which is a good thing).

So what I did was, I created an easter egg for hackers/Censys/Security researchers on port 80 with my Telegram contact link. It's kinda fun. No one ever managed to break in, but they do click my Telegram link though.

Re: About log records " pptp, info - TCP connection established from xxxx "

Posted: Tue Dec 29, 2020 11:17 am
by pe1chl
The mentioned addresses are from "stretchoid", another one of those pests.

Those are services that just try all addresses on internet for commonly known services, and maintain a database of what they find where.
When some vulnerability is found, their paying customers can use queries on that database to quickly find victims to attack.

E.g. when it becomes known that there is some vulnerability in the PPTP implementation on MikroTik routers (other than the well-known limitations of its authentication), their customers can ask "who on internet is running PPTP on a MikroTik router" and they receive a list of IP addresses that they can use to send their malware.
They then don't need to do the search themselves at that time, it already has been prepared. Thereby they avoid the problem that some users would install a software update to remediate the problem, so they would have to act "fast".

So it is not so much a current attack, but surely it is preparation for a future one.
Also, because there are now so many of those "services", every system on internet is now receiving a constant stream of "noise" of all those services trying everything.
I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap.
I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time.

Re: About log records " pptp, info - TCP connection established from xxxx "

Posted: Tue Dec 29, 2020 12:25 pm
by DarkNate
I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap.
I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time.
That would be too complex for most retail users to accomplish. Best is to keep ROS updated and maintain the firewall filters; that should give a safer environment.

Re: About log records " pptp, info - TCP connection established from xxxx "

Posted: Tue Dec 29, 2020 2:15 pm
by pe1chl
I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap.
I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time.
That would be too complex for most retail users to accomplish. Best is to keep ROS updated and maintain the firewall filters; that should give a safer environment.
I agree, there are quite a number of pitfalls with that. I would not recommend to set up an automatic blacklist filter unless all the implications are known and workarounds for known problems are included.
The reason for the blacklist is not really "security", it is more to reduce the noise traffic on the network (which consists of many much slower links behind the outside router).
I mainly mention it to indicate the scale of the problem. There are many of those scanning systems now, some claim to be for "research", some are more plainly indicating it is to collect attack surface information, some are just trying what ports are open, others are trying to login using default passwords etc., and aside from the more organized scanning networks there are the individuals that have a go at it themselves.

The result is log messages like the above. And other issues, like very large connection tables.
Personally I do not have pptp service, but when I needed to have it I would try to set up a list of authorized source addresses and just drop everything outside of that, to reduce the number of doorbell ringings.
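As an added example (not from the thread, and not MikroTik's own documentation), the allow-list approach pe1chl describes can be expressed in RouterOS configuration: an address list of authorized PPTP client sources, input-chain rules that accept the PPTP control channel (TCP/1723) and GRE only from that list, and a logged drop for everyone else. The list name and the addresses are assumed placeholders from the documentation ranges. The last line shows the alternative that answers the original question directly: if PPTP is not actually needed, disable the server so nothing listens on 1723 at all.

```routeros
# Added example, not from the thread. Addresses are documentation-range placeholders.
# 1. Authorized PPTP client sources (replace with the real remote addresses).
/ip firewall address-list
add list=pptp-allowed address=203.0.113.10 comment="example: office gateway"
add list=pptp-allowed address=198.51.100.0/24 comment="example: partner range"

# 2. Input-chain rules: accept PPTP control (TCP/1723) and GRE only from the list,
#    then drop and log the rest. These must be placed above any rule that accepts
#    new input connections in general; use "/ip firewall filter move" if they
#    end up below such a rule after being appended.
/ip firewall filter
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp-allowed \
    action=accept comment="PPTP control from authorized sources"
add chain=input protocol=gre src-address-list=pptp-allowed \
    action=accept comment="PPTP data (GRE) from authorized sources"
add chain=input protocol=tcp dst-port=1723 action=drop \
    log=yes log-prefix="pptp-unauth" comment="drop PPTP from everyone else"
add chain=input protocol=gre action=drop comment="drop GRE from everyone else"

# 3. If PPTP is not needed at all, disable the server instead. The
#    "TCP connection established" log lines then stop, because the scanners'
#    SYNs are never answered.
/interface pptp-server server set enabled=no
```

After applying the rules, `/ip firewall filter print` shows their position in the chain, and `/log print where message~"pptp-unauth"` lists the unauthorized attempts under a prefix you chose, instead of the generic "pptp,info" messages from the service itself. Dropping in the input chain rather than letting the service accept the TCP handshake also keeps those scanner connections out of the connection table, which is the other side effect pe1chl mentions.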

Re: About log records " pptp, info - TCP connection established from xxxx "

Posted: Wed Feb 23, 2022 10:20 am
by adigo22
You are probably running OpenVPN or some other server. That's not a security hole if the firewall is properly configured, it's just an attempted TCP connection from those IPs.

They can be bots/human attackers or researchers like Censys. I regularly get attempted "hacks" from Censys (which is a good thing).

So what I did was, I created an easter egg for hackers/Censys/Security researchers on port 80 with my Telegram contact link. It's kinda fun. No one ever managed to break in, but they do click my Telegram link though.
I have the same concerns regarding constantly being bombarded with tcp, ipsec and pptp requests. What exactly is an "easter egg" and how does it work? How can I create one? Thank you very much!