jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

VPN and log question

Thu Apr 19, 2018 5:43 pm

I set up a VPN in a Mikrotik yesterday and I have a question about the log. I haven't locked down the router yet as we are still testing, and the site is not a site that really needs to be secured yet, but if the log shows entries like this but doesn't show an authentication failure, what are they? Are they log-in attempts? If it shows TCP established, but no authentication success or failure, what does that tell me? Could that just come from a port scan?

07:09:58 pptp,info TCP connection established from 164.52.6.146
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:10:01 pptp,info TCP connection established from 164.52.6.146
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN and log question

Thu Apr 19, 2018 7:35 pm

> I haven't locked down the router yet as we are still testing and the site is not a site that really needs to be secured yet.

Great. So you don't mind if your ISP cuts you off from the internet? Because that's what shall happen if some device on that site (possibly the Mikrotik itself) gets infected and starts attacking other devices to further spread the malware, or sending spam, or participating in DDoS attacks - whatever its new remote administrator decides to order it to do. Or you may find yourself mining crypto-currencies for someone else while you pay the electricity bill.

> if the log shows entries like this, but doesn't show an authentication failure, what are they? Are they log-in attempts? If it shows TCP established, but no authentication success or failure, what does that tell me? Could that just come from a port scan?
>
> 07:09:58 pptp,info TCP connection established from 164.52.6.146
> 07:09:58 pptp,info TCP connection established from 164.52.6.146
> 07:10:01 pptp,info TCP connection established from 164.52.6.146

A port scan doesn't seem likely to me, as pptp listens on a single port and the connections come from the same IP address within a short window of time. I'd rather expect something trying to break in using some vulnerability which permits bypassing authentication, which may not exist on Mikrotik or may be unknown. Recording that traffic into a file using /tool sniffer and then inspecting the record using Wireshark or another packet analyzer is the only way to find out what is actually happening.
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: VPN and log question

Thu Apr 19, 2018 7:49 pm

I am the ISP. The site in question is a remote tower with 1 piece of hardware plugged into it and the VPN has not been active for 24 hours yet. We fully intend to protect the site, the router itself is already firewalled and the network that feeds it is ridiculously protected, but right now we were just verifying that we could get in successfully from a few locations before proceeding with VPN related rules. I was just curious what could trigger that log message. Easier to firewall if I know what that is.

I was asking for information, not a lecture.
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: VPN and log question

Thu Apr 19, 2018 7:58 pm

I just ran a test. If you scan port 1723 the Mikrotik will log a TCP connection established like my log in my first post indicated.

Maybe this will help the next guy.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN and log question

Thu Apr 19, 2018 8:05 pm

> I just ran a test. If you scan port 1723 the Mikrotik will log a TCP connection established like my log in my first post indicated.

This doesn't explain, though, why the scan came three times in a row from the same source. And sorry for overreacting, I've simply seen too many people surprised that their device got conquered minutes after being exposed to the internet without any security setup.
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: VPN and log question

Thu Apr 19, 2018 8:26 pm

We get around 10,000 scan attempts a day on some of our main routers. I've never really looked to see if the bots send multiple probes at the same time or not. We will lock this down to only allow a couple of IPs access some time today. I've never done a VPN with MT, so at first I was thinking established meant that someone had actually logged in already, but after reviewing it further I see that's not the case.

And don't worry about apologizing. As IT people, we tend to think everybody else is stupid. :) Most of the time we are correct.
