Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

How can I block this type of attack?

Fri May 06, 2022 4:58 pm

Hello

I use my RouterOS as a VPN server, but the problem is there are too many login attempts. How can I block them?
# may/ 6/2022 13:48:13 by RouterOS 7.1.5
# software id = TI09-7WK3
#
 09:55:20 system,error,critical router was rebooted without proper shutdown
 09:55:27 interface,info wireguard link up
 09:55:28 route,ospf,info OspfInstance { version: 2 0 rid: <CENSORED> } created
 09:55:42 system,critical,info ntp change time May/06/2022 09:55:56 => May/06/2022 09:55:42
 10:01:55 pptp,info TCP connection established from 78.128.113.70
 10:01:55 pptp,ppp,error <0>: user 3 authentication failed
 10:04:21 pptp,info TCP connection established from 78.128.113.68
 10:04:21 pptp,ppp,error <1>: user test authentication failed
 11:17:59 pptp,info TCP connection established from 91.191.209.236
 11:17:59 pptp,ppp,error <2>: user ip authentication failed
 11:21:09 pptp,info TCP connection established from 78.128.113.67
 11:21:09 pptp,ppp,error <3>: user ww authentication failed
 11:45:53 pptp,info TCP connection established from 91.191.209.235
 11:45:53 pptp,ppp,error <4>: user test authentication failed
 11:46:16 pptp,info TCP connection established from 91.191.209.234
 11:46:16 pptp,ppp,error <5>: user 777 authentication failed
 12:01:08 pptp,info TCP connection established from 91.191.209.236
 12:01:08 pptp,ppp,error <6>: user az authentication failed
 12:10:32 pptp,info TCP connection established from 91.191.209.234
 12:10:32 pptp,ppp,error <7>: user 4 authentication failed
 12:52:01 ipsec,info respond new phase 1 (Identity Protection): 217.182.xxx.10[500]<=>192.241.222.107[45049]
 12:53:23 ipsec,error phase1 negotiation failed due to time up 217.182.xxx.10[500]<=>192.241.222.107[45049] 111555f681d524ef:f6d090bf71840787
 12:54:14 system,error,critical login failure for user M via local
 13:07:20 pptp,info TCP connection established from 91.191.209.236
 13:07:23 pptp,ppp,error <11>: user yy authentication failed
 13:10:52 pptp,info TCP connection established from 78.128.113.70
 13:10:53 pptp,ppp,error <12>: user cc authentication failed
These are my firewall rules:
add action=accept chain=input comment=Winbpx dst-port=6945 protocol=tcp
add action=accept chain=input comment=VPN dst-port=1993,1945,1994,500,4500,1701 protocol=udp
add action=accept chain=input dst-port=1993,1945,1994,1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input connection-state=established
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=Ping disabled=yes protocol=icmp
add action=drop chain=input comment=Protection
Last edited by rextended on Fri May 06, 2022 5:24 pm, edited 1 time in total.
Reason: Censored real IP
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How can I block this type of attack?

Fri May 06, 2022 5:20 pm

VPN server?
And what do you expect if the service is reachable from worldwide?
Ignoring the obsolescence and the vulnerability of PPTP,

on your rules where you permit PPTP, simply add one address list that is checked against to decide if the IP is allowed or not.

Check twice when you clear private info...
OspfInstance { version: 2 0 rid: <CENSORED> } created

I wish you a good day
 
akakua
newbie
Posts: 49
Joined: Mon Apr 06, 2020 4:52 pm

Re: How can I block this type of attack?

Fri May 06, 2022 5:21 pm

You can use a whitelist or port knocking. Or you can use strong usernames and passwords and just ignore these messages.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How can I block this type of attack?

Fri May 06, 2022 5:22 pm

Ignore this? PPTP is vulnerable...
 
tangent
Forum Guru
Posts: 1329
Joined: Thu Jul 01, 2021 3:15 pm

Re: How can I block this type of attack?

Fri May 06, 2022 5:32 pm

My fail2ban setup is readily adapted to this case. Basically, change the SSH login failure matcher to match the “pptp” log messages instead.
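The fail2ban-style matcher tangent mentions, worked through as an added example (my code, not tangent's setup and not anything shipped by MikroTik or fail2ban). One detail matters for the matcher: in the log in the first post the `pptp,ppp,error ... authentication failed` line carries no peer address; the address is only in the preceding `pptp,info TCP connection established from` line. The example therefore pairs each failure with the connection line just before it, applies fail2ban's "maxretry failures within findtime" rule per source address, and renders each ban as a RouterOS address-list entry. The sample log lines are constructed in the same format using documentation-range addresses (the success line is made up), and the list name `pptp-bruteforce`, the `1d` timeout and the thresholds are assumptions, not values from the thread.

```python
"""Fail2ban-style brute-force detection over RouterOS PPTP log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two RouterOS lines that matter, matched against the format in the thread.
# The failure line has no peer address, so it must be attributed to the
# "TCP connection established" line that precedes it.
CONN_RE = re.compile(
    r"^(?P<t>\d\d:\d\d:\d\d) pptp,info TCP connection established from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
FAIL_RE = re.compile(
    r"^(?P<t>\d\d:\d\d:\d\d) pptp,ppp,error <\d+>: user (?P<user>\S+) "
    r"authentication failed$"
)

# Constructed sample log (documentation-range addresses, not real hosts).
# One source fails three times inside ten minutes, one fails twice more than
# an hour apart, one session succeeds (line format made up for the sample),
# and one failure line has no preceding connection line.
SAMPLE_LOG = """\
 10:01:55 pptp,info TCP connection established from 198.51.100.10
 10:01:55 pptp,ppp,error <0>: user 3 authentication failed
 10:04:21 pptp,info TCP connection established from 198.51.100.10
 10:04:21 pptp,ppp,error <1>: user test authentication failed
 10:06:02 pptp,info TCP connection established from 203.0.113.7
 10:06:02 pptp,ppp,error <2>: user admin authentication failed
 10:09:40 pptp,info TCP connection established from 198.51.100.10
 10:09:40 pptp,ppp,error <3>: user ww authentication failed
 10:15:00 pptp,info TCP connection established from 192.0.2.44
 10:15:00 pptp,ppp,info <4>: user alice authenticated
 11:30:00 pptp,info TCP connection established from 203.0.113.7
 11:30:00 pptp,ppp,error <5>: user root authentication failed
 11:31:00 pptp,ppp,error <6>: user orphan authentication failed
"""


def parse_time(hhmmss, day=datetime(2022, 5, 6)):
    """RouterOS logs only HH:MM:SS; pin it to a date so times can be subtracted."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return day.replace(hour=h, minute=m, second=s)


def attribute_failures(lines):
    """Return [(time, ip, user), ...] with each auth failure attributed to the
    connection line just before it. Any other ppp line (e.g. a success) closes
    the pending session; failures with no pending session are dropped."""
    pending_ip = None
    failures = []
    for raw in lines:
        line = raw.strip()
        if (m := CONN_RE.match(line)):
            pending_ip = m["ip"]
        elif (m := FAIL_RE.match(line)):
            if pending_ip is not None:
                failures.append((parse_time(m["t"]), pending_ip, m["user"]))
            pending_ip = None
        elif "pptp,ppp," in line:
            pending_ip = None
    return failures


def find_bans(failures, maxretry=3, findtime=600, bantime=86400):
    """fail2ban semantics: ban a source once it has `maxretry` failures inside
    `findtime` seconds. Returns {ip: ban_time}; failures from an address that
    is already banned for `bantime` seconds are ignored."""
    window = timedelta(seconds=findtime)
    hold = timedelta(seconds=bantime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    bans = {}
    for t, ip, _user in sorted(failures):
        if ip in bans and t < bans[ip] + hold:
            continue
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = t
            q.clear()
    return bans


def routeros_ban_commands(bans, list_name="pptp-bruteforce", timeout="1d"):
    """Render each ban as a RouterOS address-list entry (list name and timeout
    are assumptions); a drop rule keyed on src-address-list enforces it."""
    return [
        f"/ip firewall address-list add list={list_name} address={ip} "
        f'timeout={timeout} comment="pptp auth failures, banned at {t:%H:%M:%S}"'
        for ip, t in sorted(bans.items())
    ]


if __name__ == "__main__":
    fails = attribute_failures(SAMPLE_LOG.splitlines())
    for cmd in routeros_ban_commands(find_bans(fails)):
        print(cmd)
```

Enforcing the list needs one extra input-chain rule placed above the PPTP accept rule, for instance `add action=drop chain=input src-address-list=pptp-bruteforce` (hypothetical, not part of the rule set in the first post); in a real deployment the host that receives the router's syslog would push the generated commands to the router over SSH or the API, and the orphan-failure and success-line handling above is what keeps a single-line regex from blaming the wrong address.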
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How can I block this type of attack?

Fri May 06, 2022 5:34 pm

> My fail2ban setup is readily adapted to this case. Basically, change the SSH login failure matcher to match the “pptp” log messages instead.

Nice work, thank you.
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: How can I block this type of attack?

Fri May 06, 2022 5:37 pm

> VPN server?
> And what do you expect if the service is reachable from worldwide?
> Ignoring the obsolescence and the vulnerability of PPTP,
>
> on your rules where you permit PPTP, simply add one address list that is checked against to decide if the IP is allowed or not.
>
> Check twice when you clear private info...
> OspfInstance { version: 2 0 rid: <CENSORED> } created
>
> I wish you a good day

Oh, you're right, I removed my IP from all lines but forgot that one. Sorry.
 
akakua
newbie
Posts: 49
Joined: Mon Apr 06, 2020 4:52 pm

Re: How can I block this type of attack?

Fri May 06, 2022 5:40 pm

Does PPTP have vulnerabilities (not MITM attacks, because the guys from the log are not capable of this) that allow you to take over the server or log in to it without a login and password?
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: How can I block this type of attack?

Fri May 06, 2022 5:45 pm

The main issue is this:

system,error,critical router was rebooted without proper shutdown

My RouterOS is crashing 3 or 4 times per day. I think these login attempts are causing this, so it's not related, right?

And maybe I should use L2TP.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How can I block this type of attack?

Fri May 06, 2022 5:50 pm

Oh, no...
Again the XY problem....
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: How can I block this type of attack?

Fri May 06, 2022 5:56 pm

> Oh, no...
> Again the XY problem....

You destroyed me :))))
 
tangent
Forum Guru
Posts: 1329
Joined: Thu Jul 01, 2021 3:15 pm

Re: How can I block this type of attack?

Fri May 06, 2022 6:02 pm

A prerequisite to my fail2ban setup is getting the logs off the router using rsyslog. That can help with unexpected reboots since you get “last dying gasp” type messages that can help you diagnose the cause.
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: How can I block this type of attack?

Wed May 11, 2022 1:23 pm

> A prerequisite to my fail2ban setup is getting the logs off the router using rsyslog. That can help with unexpected reboots since you get “last dying gasp” type messages that can help you diagnose the cause.

I don't have a Linux server, but I think I can do that by writing logs to the RouterOS disk; my RouterOS is a VPS.
