Community discussions

MikroTik App
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Think i'm being attacked

Thu May 28, 2020 11:24 pm

Hello everybody. I'm posting a photo of part of my log below. I keep getting those logs (there is no pattern like in a specific hour or something like that). The IP's differ every time, what's happening? is anyone attacking me? how do i stop this?
You do not have the required permissions to view the files attached to this post.
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Thu May 28, 2020 11:28 pm

i should also say that i have an always active vpn connection to my router, although i don't know if that has anything to do with the above logs!
 
blingblouw
Member Candidate
Member Candidate
Posts: 298
Joined: Wed Aug 25, 2010 9:43 am

Re: Think i'm being attacked

Thu May 28, 2020 11:37 pm

This is the reason I wish MT would finally add fail2ban or their own implementation. After X amount of failed logins (you decide the service) add the IP to an address-list and you can then decide what to do with that. Someone is just trying login to your pptp VPN server (which you prob shouldn't be using FWIW). Seems to come from the same range, just drop input from src-address=92.63.194.0/24
 
sindy
Forum Guru
Forum Guru
Posts: 5507
Joined: Mon Dec 04, 2017 9:19 pm

Re: Think i'm being attacked

Thu May 28, 2020 11:39 pm

It has to do with your "always on" VPN in terms that your PPTP server is listening, and some bot has found that while browsing the ner and is now trying to get in to your router by guessing usernames and passwords. The owner of those IP addresses is most likely unaware of this happening because the bot is a malware which managed to squat on those devices. If the public IPs of the VPN client you use are limited to some subnet(s) known in advance, you may permit access to the PPTP TCP port (1723) only from these subnets; it will not stop the attacker from trying but he'll not get to the authentication phase as the TCP connection will never be responded.

Other than that, the encryption used by PPTP has been considered really weak for years already. I'd suggest to at least L2TP/IPsec or, even better, to IKEv2. It won't prevent attackers from trying to log in, but it will make it much more complex to read the VPN data sniffed between the VPN client and the VPN server.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1788
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Think i'm being attacked

Thu May 28, 2020 11:47 pm

I agree with Sindy, PPTP should not be used on the public internet.

What you can do.
* Block the 92.63.194.0/24 net.
* Use a script that block the ip if wrong username is used.

One of these scripts should work with just some small modification:
viewtopic.php?p=730484#p730484
viewtopic.php?p=743883#p743883

PS I do use some filter rules, that block the IP for 24 hours if some tries to access one port that its not open.
This way they get blocked before they find open ports and start to script attack those ports.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
anav
Forum Guru
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Think i'm being attacked

Fri May 29, 2020 2:05 am

I think MT should remove PPTP and add wireguard LOL
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Fri May 29, 2020 7:59 am

My VPN connection is a L2TP. Not a PPTP. I don't know why PPTP is open. I'm posting below my config 'cause i'm new and may have some mistakes!
# may/29/2020 07:49:53 by RouterOS 6.46.6
# software id = C8B5-GX6M
#
# model = 2011UiAS-2HnD
# serial number = xxx
/interface bridge
add admin-mac=xxx arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=1wan
set [ find default-name=ether2 ] arp=proxy-arp name=2desktop
set [ find default-name=ether3 ] name=3ipcamera
set [ find default-name=ether4 ] name=4laptop
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=1wan name=pppoe-out1 \
 password=xxx service-name=xxx use-peer-dns=yes user=xxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=xxx disabled=no distance=indoors frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=wifi ssid=xxx \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=xxx \
    wpa2-pre-shared-key=xxx
/ip pool
add name=dhcp ranges=192.168.88.90-192.168.88.99
add name=vpn ranges=192.168.88.88
add name=vpn-nvr ranges=192.168.89.89
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=192.168.88.1 interface-list=LAN \
    local-address=192.168.88.1 name=default-encryption2 remote-address=\
    xxx use-encryption=yes
set *FFFFFFFE dns-server=192.168.88.1 interface-list=LAN local-address=\
    192.168.88.1 remote-address=xxx
/system logging action
add email-to=xxx name=xxx target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=2desktop
add bridge=bridge comment=defconf interface=3ipcamera
add bridge=bridge comment=defconf interface=4laptop
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=xxx use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=1wan list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=1wan
/ip dhcp-server lease
add address=192.168.88.101 client-id=1:0:2a:2b:fe:44:72 mac-address=\
     server=defconf
add address=192.168.88.102 client-id=1:0:e0:4c:68:0:1c mac-address=\
     server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none
add action=dst-nat chain=dstnat dst-port=8999 in-interface=bridge protocol=\
    tcp to-addresses=192.168.88.101
/ip service
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
/lcd
set backlight-timeout=never default-screen=stat-slideshow flip-screen=yes \
    touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set "1wan" disabled=yes
set "3ipcamera" disabled=yes
set "4laptop" disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=wifi
/ppp secret
add name=xxx password=xxx profile=default-encryption service=l2tp
add name=xxx password= profile=default-encryption2 service=\
    l2tp
/system clock
set time-zone-name=xxx
/system logging
add action=xxx topics=l2tp,ppp,info,account
add action=xxx topics=ups
/system ups
add min-runtime=45m name=UPS offline-time=45m port=usbhid1
/tool e-mail
set address=xxx from=xxx password=xxx
    port=xxx start-tls=yes user=xxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Fri May 29, 2020 8:01 am

if i drop this one, what's going to change? will it affect the current situation or just block the attacker?
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1788
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Think i'm being attacked

Fri May 29, 2020 8:10 am

That is one of your problem.

You have to many open port.
L2TP/IPSec needs UDP/500 1701 4500
Rest should be removed.
Last edited by Jotne on Fri May 29, 2020 8:23 am, edited 2 times in total.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Fri May 29, 2020 8:18 am

i just dropped 1723 and 443 and left open only the 3 needed (500, 1701, 4500).
Anything else that's wrong in my config and leave me vulnerable?
Many thanks in advance!
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1788
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Think i'm being attacked

Fri May 29, 2020 8:23 am

I think this:
add action=dst-nat chain=dstnat dst-port=8999 in-interface=bridge protocol=\
    tcp to-addresses=192.168.88.101
Should be your utside interface not bridge.
add action=dst-nat chain=dstnat dst-port=8999 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.101
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1788
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Think i'm being attacked

Fri May 29, 2020 8:30 am

Not sure why you have a DHCP pool on only 10 IP when you are using a C net.
Maybe you have only a few host, or lots of devices with fixed IP?
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Fri May 29, 2020 8:38 am

what do you mean by c net? i have a few fixed-ip and only left 10 addresses in the dhcp pool for the devices that's not always connected. the fixed ip's are for devices that are always on!
Thank you again for your time, always good to learn from experienced people!
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1788
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Think i'm being attacked

Fri May 29, 2020 9:38 am

192.168.88.0/24 and 172.16.22.0/24 are both c net. 256 Address.
Was just asking since your scope was so small :)

172.16.0.0/16 is a b net

10.0.0.0/8 is a a net
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Fri May 29, 2020 10:00 am

Oh yes i do know those things, have already read those stuff. I've made some changes based on your instructions and i'm posting below my new config, if not a problem, can you read it and advice any other changes? Mostly on my security, the other stuff i think i can handle!
# may/29/2020 09:49:16 by RouterOS 6.46.6
# software id = C8B5-GX6M
#
# model = 2011UiAS-2HnD
# serial number = xxx
/interface bridge
add admin-mac=xxx arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=1wan
set [ find default-name=ether2 ] arp=proxy-arp name=2desktop
set [ find default-name=ether3 ] name=3ipcamera
set [ find default-name=ether4 ] name=4laptop
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=1wan name=pppoe-out1 \
    password=xxx service-name=xxx use-peer-dns=yes user=\xxx\
 /interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=xxx disabled=no distance=indoors frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=wifi ssid=xxx \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=xxx \
    wpa2-pre-shared-key=xxx
/ip pool
add name=dhcp ranges=192.168.88.90-192.168.88.99
add name=xxx ranges=192.168.88.88
add name=xxx ranges=192.168.89.89
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=3h name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=192.168.88.1 interface-list=LAN \
    local-address=192.168.88.1 name=default-encryption2 remote-address=\xxx
 use-encryption=yes
set *FFFFFFFE dns-server=192.168.88.1 interface-list=LAN local-address=\
    192.168.88.1 remote-address=xxx
/system logging action
add email-to= name= target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=2desktop
add bridge=bridge comment=defconf interface=3ipcamera
add bridge=bridge comment=defconf interface=4laptop
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=xxx use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=1wan list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=1wan
/ip dhcp-server lease
add address=192.168.88.101 client-id=1:0:2a:2b:fe:44:72 mac-address=\
    xxx server=defconf
add address=192.168.88.102 client-id=1:0:e0:4c:68:0:1c mac-address=\
    xxx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none
add action=dst-nat chain=dstnat dst-port=8999 in-interface=1wan protocol=tcp \
    to-addresses=192.168.88.101
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
/lcd
set backlight-timeout=never default-screen=stat-slideshow flip-screen=yes \
    touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set "1wan" disabled=yes
set "3ipcamera" disabled=yes
set "4laptop" disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=wifi
/ppp secret
add name=xxx password=xxx profile=default-encryption service=l2tp
add name=xxx password=xxx profile=default-encryption2 service=\
    l2tp
/system clock
set time-zone-name=xxx
/system logging
add action=xxx topics=l2tp,ppp,info,account
add action=xxx topics=ups
add action=xxx topics=error
/system ups
add min-runtime=45m name=UPS offline-time=45m port=usbhid1
/tool e-mail
set address=xxx from=xxx password=xxx \
    port=xxx start-tls=yes user=xxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
For example, what's the best option for ARP in the interfaces? (i have some proxy-arp and some enabled)
 
anav
Forum Guru
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Think i'm being attacked

Fri May 29, 2020 4:11 pm

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

What is this for........... ???
/ip service
set www address=192.168.88.0/24
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
ssantos
just joined
Topic Author
Posts: 13
Joined: Fri May 22, 2020 11:25 am

Re: Think i'm being attacked

Tue Jun 02, 2020 7:52 am

Hello friend. If you refer to:
/ip service
set www address=192.168.88.0/24

then it's for browsing via my vpn. I have specified the subnet that i want to browse so as the rest cannot.

Who is online

Users browsing this forum: si458 and 128 guests