VPN Security: unknown users trying to connect PPTP VPN

As @ChristopherPerrin said, it's the background noise of the internet. Scripts and bots are constantly scanning the internet, doing the equivalent of jiggling door handles looking for ones that are unlocked or poorly locked. I do however disagree that there is nothing you can do about it.

Use those logs to block them at the firewall level. On Linux I use fail2ban to do this. There may be similar solutions for Windows, or you could write your own script to do it.

There are a few reasons for doing this:

  • Even if you have strong passwords, given an infinite number of guesses, they will get in. If you don't enforce strong passwords, eventually John Smith will change his password to "password". Blocking them gives them a limited number of guesses.

  • Firewalls can drop the traffic using far less system resources. It's not a big deal when one bot is scanning you. But if 30 of them all decide to hone in on your server at once, it can slow down authentication or VPN traffic in general for all the legitimate users. By blocking them at the firewall level, the scripts usually get the hint and move on to the next target quickly.

  • You can block them from other resources at the same time. Fail to log in to the VPN 20 times in the last 5 minutes? Block them from the entire network so they can't keep scanning other services for vulnerabilities. Fail to log in to the website 20 times in the last 5 minutes? Blocked from everything, including the VPN. Make the number of failures allowed and the length of the ban as lax as you need to for it to not regularly affect real users.

  • It limits the amount of spam in your logs, so you can see real problems that you otherwise wouldn't notice.

The way fail2ban works is to watch the log files, and when it sees 5 failed login attempts from the same IP address within 5 minutes, it runs an iptables command to add a firewall rule blocking them for 30 minutes. After the ban expires it removes that firewall rule. The numbers are configurable, as are the actions.

You may also want to set a few addresses that it will NEVER block, no matter how many failed tries there are - like your local LAN, or some public addresses of servers you control, so there's no risk of you being locked out.
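Added example, not part of the original answer and not fail2ban's own code: a minimal Python sketch of the sliding-window logic described above (5 failures in 5 minutes, 30-minute ban, never-ban list). The log line format, the addresses and the function names are assumptions constructed for illustration; turning a decision into a firewall rule is left out.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                      # failures allowed inside the window
FIND_TIME = timedelta(minutes=5)   # sliding window length
BAN_TIME = timedelta(minutes=30)   # how long a ban lasts
# Ranges that are never banned (assumed LAN range plus loopback).
IGNORE = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
# Assumed log format: "<ISO timestamp> pptp auth failure from <ip>"
LINE_RE = re.compile(r"^(\S+) pptp auth failure from (\S+)$")

def find_bans(lines):
    """Return (ip, banned_at, banned_until) for each ban decision."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue               # malformed timestamp or address
        if any(ip in net for net in IGNORE):
            continue               # allow-listed, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue               # ban still active
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > FIND_TIME:
            q.popleft()            # forget failures outside the window
        if len(q) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((str(ip), ts, ts + BAN_TIME))
            q.clear()
    return bans

def sample_log():
    """Constructed sample: a fast bot, a slow bot and a LAN host."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    fmt = "{} pptp auth failure from {}"
    rows = [fmt.format((t0 + timedelta(seconds=20 * i)).isoformat(), "203.0.113.7") for i in range(7)]
    rows += [fmt.format((t0 + timedelta(minutes=2 * i)).isoformat(), "198.51.100.9") for i in range(6)]
    rows += [fmt.format((t0 + timedelta(seconds=10 * i)).isoformat(), "192.168.1.50") for i in range(6)]
    return sorted(rows)            # ISO timestamps sort chronologically

if __name__ == "__main__":
    for ip, start, end in find_bans(sample_log()):
        print(f"ban {ip} from {start} until {end}")
```

The slow bot in the sample never has 5 failures inside one 5-minute window, so it is not banned; lowering the failure limit or lengthening the window trades that gap against the risk of locking out real users.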


It is normal that unknown users try to connect with standard usernames. You can view it as the noise of the internet.

If you have strong passwords there is no need to worry. Take it as it is and keep your software updated. There is about nothing you can do.