DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Should I be concerned about this?
- piste basher
- Topic Author
- Offline
- Big Contributor
Less
More
- Posts: 1199
- Thank you received: 9
17 Apr 2021 09:28 #99080
by piste basher
Should I be concerned about this? was created by piste basher
Long time Draytek user but inexperienced with the VPN side of things. I've recently set up an L2TP/IPSec VPN on my 2927ac so that I can view my IP cameras when travelling, which all works fine. However I notice in the VPN syslog that unknown IP addresses appear to be trying to connect (without success, so far at least).
The IPs I've seen so far are all in the US, with Hurricane Electric being one of them. For those the Syslog reports, for example, "Responding to Main Mode from 216.218.206.90" and then "Ignore Phase1 SA proposals of DES/3DES/MD5/DH G1 G2/"
Others give different messages, such as "L2TP client from 146.88.240.4:1701 ." followed by "[L2TP][Radius/LDAP][0:myname][@146.88.240.4] maximum retries exceed"
These types of events occur every night and look to me as though someone/something is trying to connect to my network. Is the VPN system sufficiently secure that I need not worry about this?
The IPs I've seen so far are all in the US, with Hurricane Electric being one of them. For those the Syslog reports, for example, "Responding to Main Mode from 216.218.206.90" and then "Ignore Phase1 SA proposals of DES/3DES/MD5/DH G1 G2/"
Others give different messages, such as "L2TP client from 146.88.240.4:1701 ." followed by "[L2TP][Radius/LDAP][0:myname][@146.88.240.4] maximum retries exceed"
These types of events occur every night and look to me as though someone/something is trying to connect to my network. Is the VPN system sufficiently secure that I need not worry about this?
Please Log in or Create an account to join the conversation.
- adrianh54
- Offline
- Member
Less
More
- Posts: 428
- Thank you received: 0
17 Apr 2021 10:32 #99082
by adrianh54
Replied by adrianh54 on topic Re: Should I be concerned about this?
Both IP addresses are abusers. 146.88.240.4 has just under 12000 complaints lodged against it.
Looking at the log in my Turris Omnia this IP address has been caught attempting SIP connections and blocked this week.
Take a look here :
https://www.abuseipdb.com/check/146.88.240.4
https://www.abuseipdb.com/check/216.218.206.90
They are scanning probing for open ports. "146.88.240.4" is reported as "SIP attacks, trying to connect to Voip ports.
If your ports were open I think they would have been in by now. Can you run your cameras on a guest network?
Looking at the log in my Turris Omnia this IP address has been caught attempting SIP connections and blocked this week.
Take a look here :
They are scanning probing for open ports. "146.88.240.4" is reported as "SIP attacks, trying to connect to Voip ports.
If your ports were open I think they would have been in by now. Can you run your cameras on a guest network?
Please Log in or Create an account to join the conversation.
- piste basher
- Topic Author
- Offline
- Big Contributor
Less
More
- Posts: 1199
- Thank you received: 9
17 Apr 2021 15:51 #99085
by piste basher
Replied by piste basher on topic Re: Should I be concerned about this?
I don't have any ports open in the range up to 1056. I do have some Voip ports open - they have been for years and as far as I can tell that's not been a problem. I could run the cameras on their own LAN but I was hoping to use the VPN for other purposes, such as surfing from public wifi hotspots, and to allow restricted access to a folder on my NAS.
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
17 Apr 2021 20:09 #99088
by hornbyp
Sadly, it goes with the territory
You can block persistent offenders:
https://www.draytek.com/support/knowledge-base/5982
... but otherwise, all you can really do is make sure you have sufficiently robust User Credentials and and Pre-Shared-Key. (If you were always connecting from a fixed IP, the PSK can be ditched and the IP address used instead - but of course, you're not)
If you really only want access to the cameras, you can at least restrict access, to just them - via the firewall. (
https://www.draytek.com/support/knowledge-base/6001
)
Since you're using L2TP/IPsec, check that you don't allow just IPSec. Otherwise, from my experiments, it seems that an attacker who simply doesn't attempt to authenticate the L2TP tunnel can still make a connection.
The snag is, that the "they " are the likes of https://shodan.io (just one example of this kind of 'service'). Any remaining "security through obscurity" evaporates, once you're indexed and categorised I would like to see ISPs block these sods; they're a menace :x
Replied by hornbyp on topic Re: Should I be concerned about this?
Piste Basher wrote:
However I notice in the VPN syslog that unknown IP addresses appear to be trying to connect (without success, so far at least).
...
These types of events occur every night and look to me as though someone/something is trying to connect to my network. Is the VPN system sufficiently secure that I need not worry about this?
Sadly, it goes with the territory
You can block persistent offenders:
If you really only want access to the cameras, you can at least restrict access, to just them - via the firewall. (
Since you're using L2TP/IPsec, check that you don't allow just
AdrianH54 wrote:
Theyare scanning probing for open ports. "146.88.240.4" is reported as "SIP attacks, trying to connect to Voip ports.
The snag is, that the "they
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
17 Apr 2021 20:12 #99089
by hornbyp
Replied by hornbyp on topic Re: Should I be concerned about this?
.
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
17 Apr 2021 20:14 #99090
by hornbyp
Replied by hornbyp on topic Re: Should I be concerned about this?
Nowhere to hide :shock:
A list of 742,906 Draytek Routers running VPN servers:
https://www.shodan.io/search?query=draytek+vpn
(Actually, looking at the returned results, I think their database search needs some more work:wink: )
[I did eventually figure out what the proper query should be...but it's not my intention to write a 'HowTo guide':oops: ]
A list of 742,906
(Actually, looking at the returned results, I think their database search needs some more work
[I did eventually figure out what the proper query should be...but it's not my intention to write a 'HowTo guide'
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek