Community discussions

 
Term
newbie
Topic Author
Posts: 37
Joined: Thu Jan 11, 2018 11:42 pm

VPN attacks? Blocking?

Wed Jul 11, 2018 11:20 am

Hello,
every night someone trying to connect via vpn to my mikrotik. It's going on for about last 1 week. Have enabled L2TP/IPSEC.

IP address is 216.218.206.201, 216.218.206.206 etc. (changed every night)
1.jpg


Just added this rule but don't know if it will be ok.
/ip firewall filter
add action=drop chain=input comment="drop ipsec attacks" dst-port=500,1701,4500 protocol=udp src-address-list=access_blacklist

Address list:
Name: access_blacklist
216.218.206.1-216.218.206.255
Can you recommend me any measures please?
Thank you.
You do not have the required permissions to view the files attached to this post.
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 11:28 am

Allow in input chain only predefined ip pools you need. Others will be droped. That's it.
 
Term
newbie
Topic Author
Posts: 37
Joined: Thu Jan 11, 2018 11:42 pm

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 11:30 am

I don't think I can do this. I'm connecting to VPN from work and from a lot of other IP pools (a lot of places)
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 11:39 am

Create address list and add these pools there. You can add /18 or /16 subnets.
 
User avatar
Steveocee
Forum Veteran
Forum Veteran
Posts: 902
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 12:41 pm

Having a public facing VPN sever will get prodded regularly by people trying to gain access maliciously.

If you have absolutely no way of locking down the accepted IP's then the best you can do is use complex usernames and passwords with a good passphrase.

Do a whois lookup on the IP and add the subnet to an address list called "blocked" then have your first firewall rule as drop traffic from "blocked" list. It's manual and you'll be forever updating your list.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Chiverel
newbie
Posts: 38
Joined: Fri Jan 12, 2018 7:28 pm

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 2:00 pm

Think of port-knocking implementation (it's really flexible and it's only you who decide how paranoid you are to complicate the procedure) or similar techniques. Router would automatically add your IP into white list and you'll be able to connect afterwards. Other attempts for the direct connection without proper knocking would be refused (or even could be forever or temporary blocked).

You can set expiration time for white-listed addresses to the desired period (e.g. 10 minutes, 1 hour, 10 days whatever). This would give you an opportunity to skip manual cleaning of addresses.

Knocking could be automated by self-written scripts or 3rd party apps.

That's not really a big overhead for feeling "a bit more secured".
 
nescafe2002
Member
Member
Posts: 488
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 2:57 pm

The nightly scans are ISAKMP vulnerability probe requests executed by the Shadowserver Foundation. Actually nothing to worry about.

https://isakmpscan.shadowserver.org/
We are querying all computers with routable IPv4 addresses that are not firewalled from the internet with a specifically crafted 64 byte ISAKMP packet and capturing the response. We intend no harm, but if we are causing problems, please contact us at: dnsscan (at) shadowserver (dot) org.
 
User avatar
che
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Fri Oct 07, 2005 1:04 pm

Re: VPN attacks? Blocking?

Wed Jul 11, 2018 3:34 pm

I've created a little facility for my home dial-in VPN system that addresses the issue you stated.

1) When a client successfuly connects to VPN server (meaning it's a valid user), a script is triggered that adds source address to whitelist.

PPP/Profiles/name of L2TP profile you are using/Scripts ("On Up" field):
/system script run vpn-on_connect

This is the source of vpn-on_connect script (variables are global so you can easily debug them in System/Script/Environment):
:delay delay-time=3

:global l2tpCount [interface l2tp-server print count-only]

:if ($l2tpCount != 0) do {
	:foreach i in=[/interface l2tp-server find] do={
		:global clientNameL2TP [/interface l2tp-server get $i name]       
		:global clientAddrL2TP [/interface l2tp-server get $i client-address]
		/ip firewall address-list add list=vpn_whitelist address=$clientAddrL2TP comment=$clientNameL2TP
	}
}

2) Firewall rules handle the rest of the logistics.
- Create "WAN" interface list
- Make sure you have known IP addresses in the "allowed_access" list. Apart from manually adding entries, the above script will automatically add known IPs to vpn whitelist
- Adjust timers to your liking and paste this to your router (with my rules clients have a chance to try to connect 3x in 10 minutes):
/ip firewall filter
add action=accept chain=forward comment="optimize: forward" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="optimize: input" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=jump chain=input comment="access control: wan" in-interface-list=WAN jump-target=input-access
add action=drop chain=input-access src-address-list=vpn_blacklist
add action=accept chain=input-access src-address-list=allowed_access
add action=accept chain=input-access protocol=icmp
add action=jump chain=input-access dst-port=500,1701,4500 jump-target=input-vpn protocol=udp
add action=jump chain=input-access dst-port=1723 jump-target=input-vpn protocol=tcp
add action=accept chain=input-vpn src-address-list=vpn_whitelist
add action=add-src-to-address-list address-list=vpn_blacklist address-list-timeout=none-dynamic chain=input-vpn log-prefix=added_to_blacklist src-address-list=vpn_stage3
add action=add-src-to-address-list address-list=vpn_stage3 address-list-timeout=10m chain=input-vpn src-address-list=vpn_stage2
add action=add-src-to-address-list address-list=vpn_stage2 address-list-timeout=10m chain=input-vpn src-address-list=vpn_stage1
add action=add-src-to-address-list address-list=vpn_stage1 address-list-timeout=none-dynamic chain=input-vpn
add action=accept chain=input-vpn
add action=drop chain=input-access
 
Term
newbie
Topic Author
Posts: 37
Joined: Thu Jan 11, 2018 11:42 pm

Re: VPN attacks? Blocking?

Sat Jul 14, 2018 10:51 am

Thank you guys. Added one rule and seems it works.
/ip firewall filter
add action=drop chain=input comment="drop attackers ip pools (vpn)" src-address-list=block_attackers
in block_attackers address list have 216.218.206.0/24

Who is online

Users browsing this forum: DanielM1 and 75 guests