Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

PPP - PPTP brute force attack

Thu Apr 21, 2022 3:10 pm

Hi guys,

I'm having issues with a brute force attack on the PPTP.
I'm using unique names and rather solid passwords for a few of my users, so I should not worry too much, but in the logs I can see at least authentication failures in topic pptp / ppp / error with various user logins. Any chance you could help me protect this service?

Regards,
Fleishmachine
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:13 pm

Do not use PPTP, it's not secure...
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:21 pm

PPTP is inherently unsafe by today's standards, see
https://en.wikipedia.org/wiki/Point-to- ... l#Security

If you have known IP ranges from where your PPTP users are connecting, you can improve the situation a little bit by restricting source IPs of PPTP clients.
But still, if security is a concern, PPTP should be avoided these days.
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:23 pm

How else can I replace it in the way I can access my network remotely?
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:27 pm

> If you have known IP ranges from where your PPTP users are connecting, you can improve the situation a little bit by restricting source IPs of PPTP clients.

I should be able to restrict it via IP range, but if you say that it's not secure anyway, then I would rather try another available service that will give me the same features.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:35 pm

Since you already use the device for PPTP access, it should be fairly easy to set up WireGuard and have your clients connect using that protocol.
Windows / Mac / Android / iPhone / ... all have client tools available to make that happen.

But it requires that you upgrade your device to ROS7, which might not be what you want?
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:42 pm

> Since you already use the device for PPTP access, it should be fairly easy to set up WireGuard and have your clients connect using that protocol.
> Windows / Mac / Android / iPhone / ... all have client tools available to make that happen.
>
> But it requires that you upgrade your device to ROS7, which might not be what you want?

I started digging and I can see that I should switch PPTP to L2TP/IPsec - I assume it gives me the same features with better security.
I don't need high performance over VPN.

I'm running RB1100AH which I assume is ROS6? I want to upgrade this router anyway, so switching to another ROS shouldn't be a problem unless I can easily import configuration to the new router.
I will need to research WireGuard, never heard of this - but in Windows, when I set up the VPN connection I can only see PPTP, L2TP/IPsec, SSTP and IKEv2.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 3:50 pm

WireGuard is a separate app for Windows but dead simple.
It blows any other VPN out of the water as far as performance and speed are concerned.
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 4:16 pm

OK, I can see that I can upgrade RB1100AH to ROS7... why did you mention that I might not want to do this?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 4:31 pm

For business services that require such things as BGP and such, it's not quite ready.
However for your case it probably is just fine. So without knowledge of your actual requirements he urged prudently to be cautious.
Many folks without complex business class requirements are using it just fine.

I recommend myself going the WireGuard route if you want to give yourself secure access to your router from remote locations.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 4:54 pm

Ding ding ... we have a winner :lol:
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 5:53 pm

Right, got your points guys. Thank you for your advice.

At this moment, before I upgrade to a newer router, I will stay with ROS6 and L2TP/IPsec - I have implemented that, it works and I just need to test it for a few days.
But, as I had the issues with brute force attack on PPTP, then I will keep having this same issue over L2TP/IPsec, won't I?

According to what I have seen it is also possible to connect two sites - is it gonna be worth replacing the existing EOIP tunnel between two sites with WireGuard as well?
Actually I will need to add an additional site to the existing two sites, so at least the new site I may connect in the new way for testing.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 6:17 pm

> According to what I have seen it is also possible to connect two sites - is it gonna be worth replacing the existing EOIP tunnel between two sites with WireGuard as well?

EOIP is Ethernet over IP, so L2. Most contemporary tunnels, including WireGuard, are IP, so L3. It then depends on how in particular you have the EOIP tunnel (and related things) configured; WireGuard could be either an almost drop-in replacement or mission impossible.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: PPP - PPTP brute force attack

Thu Apr 21, 2022 9:19 pm

> How else can I replace it in the way I can access my network remotely?

L2TP/IPsec, OVPN, Wireguard, IKEv2 are some of the protocols you can use for Road warriors but for Site to Site tunnels as well ...
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: PPP - PPTP brute force attack

Fri Apr 22, 2022 4:18 pm

Cool. I have tried to block attacks over PPTP but couldn't manage to do so, so I have listened to you and I have disabled the PPTP service.
I have tested L2TP/IPsec, it works fine and I'll implement that for my Road Warriors at this stage; however, I will look closer at WireGuard once I have new routers with ROS7 on board.

Thanks for your advice.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: PPP - PPTP brute force attack

Fri Apr 22, 2022 4:24 pm

If/once you do, make sure to do a proper testing of throughput.
Then move to Wireguard and watch the results for the same test method ... I'd say you'll get at least 20-30% more and it's faster too (lower response times).

One thing which using IPSEC has over WG, is that (on some devices which support it) it can be HW offloaded which can make up for (some) speed loss.
WG is purely SW, it can not do that.
 
lil0
just joined
Posts: 7
Joined: Fri Mar 28, 2014 6:54 pm
Location: BG

Re: PPP - PPTP brute force attack

Fri May 12, 2023 10:52 am

Hello,
You can try these rules:

/ip firewall filter
add action=drop chain=input comment="pptp brute force drop 1/4 - complete comunication DROP" src-address-list=pptp_blacklist_DROP
add action=add-src-to-address-list address-list=pptp_blacklist_DROP address-list-timeout=1d1h10m chain=input comment="pptp brute force drop 2/4" content="authentication failed" protocol=gre src-address-list=pptp_blacklist_stage_2
add action=add-src-to-address-list address-list=pptp_blacklist_stage_2 address-list-timeout=30s chain=input comment="pptp brute force drop 3/4" content="authentication failed" protocol=gre src-address-list=pptp_blacklist_stage_1
add action=add-src-to-address-list address-list=pptp_blacklist_stage_1 address-list-timeout=30s chain=input comment="pptp brute force drop 4/4" content="authentication failed" protocol=gre

For my setup it is working.

This denies any access from the source:

add action=drop chain=input comment="pptp brute force drop 1/4 - complete comunication DROP" src-address-list=pptp_blacklist_DROP

or, to drop only GRE:

add action=drop chain=input protocol=gre comment="pptp brute force drop 1/4 - complete comunication DROP" src-address-list=pptp_blacklist_DROP
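
An added simulation (not lil0's code and not MikroTik's) of how the three address lists in the rules above escalate a source to the drop list. It assumes each packet matching content="authentication failed" counts as one failure event and that a packet continues to the following rules after an add-src-to-address-list action; the class and function names and the 203.0.113.7 address are made up for the example.

```python
# Added illustration: models the staged address lists from the rules above.
# Assumption: a packet keeps traversing later rules after add-src-to-address-list.
DROP_TIMEOUT = 86400 + 3600 + 600   # 1d1h10m from rule 2/4, in seconds
STAGE_TIMEOUT = 30                  # 30s from rules 3/4 and 4/4

# (list the source must already be on, list to add it to, timeout), posted order
RULES = [
    ("pptp_blacklist_stage_2", "pptp_blacklist_DROP", DROP_TIMEOUT),      # 2/4
    ("pptp_blacklist_stage_1", "pptp_blacklist_stage_2", STAGE_TIMEOUT),  # 3/4
    (None, "pptp_blacklist_stage_1", STAGE_TIMEOUT),                      # 4/4
]


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.lists = {}  # (list name, source address) -> expiry time in seconds

    def _listed(self, name, src, now):
        return self.lists.get((name, src), -1) > now

    def blocked(self, src, now):
        return self._listed("pptp_blacklist_DROP", src, now)

    def failure_packet(self, src, now):
        """Process one packet that matches content="authentication failed".

        Returns "drop" if rule 1/4 discards it, otherwise "accept".
        """
        if self.blocked(src, now):
            return "drop"
        for required, target, timeout in self.rules:
            if required is None or self._listed(required, src, now):
                self.lists[(target, src)] = now + timeout
        return "accept"


def replay(times, rules=RULES, src="203.0.113.7"):  # constructed source address
    """Replay failure packets at the given times (seconds).

    Returns the time at which the source lands on the drop list, or None.
    """
    fw = Firewall(rules)
    for t in times:
        fw.failure_packet(src, t)
        if fw.blocked(src, t):
            return t
    return None
```

In this model the third matching packet inside the 30 s windows puts the source on pptp_blacklist_DROP for 1d1h10m, while occasional failures more than 30 s apart (a user mistyping a password) never escalate. Evaluating the rules in the opposite order would blacklist a source on its first failure, which is why rule 2/4 comes before 3/4 and 4/4.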
