-
-
psycoclan1
Frequent Visitor
- Posts: 65
- Joined:
- Location: England
vpn attacks and how to block these connections
Hi guys, my vpn server is being attacked by a /24 subnet, not just a single ip. i created a filter rule which is input, and source address is the whole subnet 92.63.194.0/24 and the action is dropped. Few hours later the same person still tries to connect with failed attempts, so i changed the action to reject with network unreachable message. He can still access the server. i would really appreciate if you can help me with blocking them!
Re: vpn attacks and how to block these connections
Here you go:
viewtopic.php?f=2&t=152953&p=758068&hilit=%2F24#p758068
Don't reject because the other side is not listening. If you do that in RAW then that gives the least impact on your router.
viewtopic.php?f=2&t=152953&p=758068&hilit=%2F24#p758068
Don't reject because the other side is not listening. If you do that in RAW then that gives the least impact on your router.
-
-
psycoclan1
Frequent Visitor
- Posts: 65
- Joined:
- Location: England
Re: vpn attacks and how to block these connections
Thanks msatter. I read your script. Correct me if im wrong the script reads the connections table and automatically puts the /24 subnet into an address list and then? you manually set a filter rule?
edit : i manually created an address list with the 92.63.194.0/24 subnet called it vpn-attack_1
and added as source address list in RAW with drop action. correct? if yes, it remains to see if they try to connect again
edit : i manually created an address list with the 92.63.194.0/24 subnet called it vpn-attack_1
and added as source address list in RAW with drop action. correct? if yes, it remains to see if they try to connect again-
-
jvanhambelgium
Forum Veteran
- Posts: 989
- Joined:
- Location: Belgium
Re: vpn attacks and how to block these connections
Impossible! This means you filtering rule is not working or applied wrong.Hi guys, my vpn server is being attacked by a /24 subnet, not just a single ip. i created a filter rule which is input, and source address is the whole subnet 92.63.194.0/24 and the action is dropped. Few hours later the same person still tries to connect with failed attempts, so i changed the action to reject with network unreachable message. He can still access the server. i would really appreciate if you can help me with blocking them!
Offcourse you will keep seeing attempts up to the Mikrotik, but should not arrive at your backend VPN server!
Your "VPN server" ? How do you reach it ? You have some DNAT-entry to it ?
Or are you talking about VPN-services on the Mikrotik itself ? Very unclear in your opening post...
-
-
psycoclan1
Frequent Visitor
- Posts: 65
- Joined:
- Location: England
Re: vpn attacks and how to block these connections
This is what i get in the log file :
https://ibb.co/Gsq8cps
i mean reach it as they can still try to connect using various usernames. Im not sure what im doing wrong. there were a few other IPs in the past which attempted to login with admin/root whatever user/pass to the mikrotik and since i blocked them with filter rules they stopped. but this specific type of connections are still "reachable". im not sure if im using the right terminology. i apologize for this!
https://ibb.co/Gsq8cps
i mean reach it as they can still try to connect using various usernames. Im not sure what im doing wrong. there were a few other IPs in the past which attempted to login with admin/root whatever user/pass to the mikrotik and since i blocked them with filter rules they stopped. but this specific type of connections are still "reachable". im not sure if im using the right terminology. i apologize for this!
-
-
jvanhambelgium
Forum Veteran
- Posts: 989
- Joined:
- Location: Belgium
Re: vpn attacks and how to block these connections
Are you still using the VPN for other reasons ? (pptp is insecure and you should move on to something else)This is what i get in the log file :
https://ibb.co/Gsq8cps
i mean reach it as they can still try to connect using various usernames. Im not sure what im doing wrong. there were a few other IPs in the past which attempted to login with admin/root whatever user/pass to the mikrotik and since i blocked them with filter rules they stopped. but this specific type of connections are still "reachable". im not sure if im using the right terminology. i apologize for this!
These other connection perhaps where made to SSH/Winbox ports etc?
Perhaps you should post the complete config here (like other would suggest too) but without sensitive info. => /export hide-sensitive
-
-
psycoclan1
Frequent Visitor
- Posts: 65
- Joined:
- Location: England
Re: vpn attacks and how to block these connections
pptp is only for a few tests. i use l2tp with ipsec. Since the blacklist configuration in address list and the RAW firewall rule i had no attacks. I believe this was the solution
-
-
jvanhambelgium
Forum Veteran
- Posts: 989
- Joined:
- Location: Belgium
Re: vpn attacks and how to block these connections
Good it was fixed. Probably indeed because the pre-routing/RAW is very early after the packet arrives in your router interface.pptp is only for a few tests. i use l2tp with ipsec. Since the blacklist configuration in address list and the RAW firewall rule i had no attacks. I believe this was the solution
Re: vpn attacks and how to block these connections
I don't use the connections table. Every connection on a specfic port(s) are put on list one with a timeout on it.Thanks msatter. I read your script. Correct me if im wrong the script reads the connections table and automatically puts the /24 subnet into an address list and then? you manually set a filter rule?
As soon as there more than lets 5 connection from the same subnetmask while the timeout is not past that subnet is set in list 2. List two is the list that blocks.
Adding the same unique address to list 1 is not possible. Looking for new connections for list 1 do that is in filter. Blocking happens in RAW.
Who is online
Users browsing this forum: No registered users and 61 guests