How to block an unknown IP address which keeps dialing VPN to Vigor Router?

As a VPN server, the Vigor Router always listens on the VPN ports to accept VPN connections from the Internet. Sometimes Syslog shows an unknown IP address repeatedly sending VPN requests to the router, and we cannot find out who the remote peer is. This is annoying and may be a security risk. This document demonstrates how to block an unknown IP address that keeps dialing VPN to the Vigor Router.

Since firmware 4.4.0, Vigor Router supports a local filter: firewall rules applied to traffic destined for the router itself (Direction WAN->Localhost). With the local filter we can block unknown IP addresses that keep dialing the VPN or keep trying to reach the router over HTTP, and we can also block IPs from specified countries to stop attacks originating there. In this article we demonstrate some practical applications of the local filter.

Application 1: Add the unknown IP into IP Blacklist

  1. Go to Firewall >> Defense Setup and enable DoS Defense.
  2. Click the White/Black IP List Option.
  3. Tick Log if you want the blocked attempts to appear in Syslog Explorer.
    Enter the unknown peer's IP and click Add to add it to the Black IP List.

    Note: Source IP supports 4 ways of defining the address:
    IP: a single IP address.
    IP Object: an object profile defined in advance in Objects Setting >> IP Object.
    IP Group: a group profile defined in advance in Objects Setting >> IP Group.
    Country Object: a country profile defined in advance in Objects Setting >> Country Object.

    In Syslog, the router reports an alert whenever an IP in the blacklist attempts to access it.

Application 2: Allow the VPN service from a specified country

  1. Go to Objects Setting >> Country Object to create a profile.
    1. Give a profile name.
    2. Add the country we would like to allow.
    3. Click OK to save.
  2. Go to Objects Setting >> Service Type Object to create a profile.
    Here we take SSL VPN as an example.
    1. Give a profile name.
    2. Choose the protocol this service uses.
    3. Enter the port this service uses in Destination Port.
    4. Click OK to save.
  3. Note: Each VPN service uses different ports:
    PPTP -> TCP 1723, GRE (protocol 47)
    L2TP -> UDP 1701; when carried over IPsec also UDP 500/4500 and ESP (protocol 50)
    IPsec -> UDP 500/4500, ESP (protocol 50)
    SSL VPN -> TCP 443
    OpenVPN -> TCP 443/1194, UDP 1194
  4. (Optional) If we want one rule to cover several services, add those service objects to a Service Type Group.
  5. Go to Firewall >> Filter Setup to create a rule that blocks the VPN service from any Source IP.
    1. Enable this rule.
    2. Choose WAN->Localhost for Direction.
    3. Select Any on Source IP/Country.
    4. Select the Service Object(or Service Group) created in Step2 on Service Type.
    5. Choose Block If No Further Match for Filter, so that the pass rule created in the next step can override it for the allowed country. (Tick Syslog to log hits on this rule.)
    6. Click OK to save.
  6. Create another rule, placed after the block rule, that allows the specified country to use this service.
    1. Enable this rule.
    2. Choose WAN->Localhost for Direction.
    3. Select the Country Object created in Step 1 on Source IP/Country.
    4. Select the Service Object (or Service Group) created in Step 2 on Service Type.
    5. Choose Pass Immediately for Filter. (Tick Syslog to log hits on this rule.)
    6. Click OK to save.
  7. Note: If the service is SSL VPN, change the HTTPS Management Port of the router first. Otherwise the firewall rule for TCP 443 also blocks access to the router's WUI page.
  8. In Syslog, we will see the firewall logs when an IP from this country dials a VPN connection.

Application 3: Block VPN connection by Brute Force Protection

Vigor Router supports a VPN server option in Brute Force Protection, which denies further VPN login attempts from a source IP once it has failed too many times, defeating password guessing against VPN accounts.

  1. Go to System Maintenance >> Management to set up Brute Force Protection.
    1. Enable Brute Force Protection.
    2. Select the VPN server option.
    3. Set Maximum login failures, from 1 to 255 attempts.
    4. Set the Penalty period, from 1 to 31536000 seconds (365 days).
  2. In Syslog, we will see firewall logs showing that a peer IP is denied by Brute Force Protection for the penalty period after it has exceeded the maximum number of login failures.

To learn how to use Syslog Utility to collect the syslog, please refer to the article Collecting router's Syslog.

Note: DrayTek Routers includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Application 4: Block the unknown IP with a scheduled firewall rule (Vigor3900)

The Time Object in this procedure is not a real schedule: it is used to trigger the "Clear Session when Scheduler is on" option, so that the router also deletes the peer's existing session (conntrack entry) instead of only blocking new packets.

1. Go to Objects Setting >> IP Object page and add the unknown IP as an IP Address.

  1. Give a profile name.
  2. Select Single as Address Type.
  3. Enter the unknown peer IP as Start IP Address.
[Screenshot: Vigor3900 IP Object]

2. Go to Objects Setting >> Time Object page and add a Time Object.

  1. Give a profile name.
  2. Select Weekdays as Frequency.
  3. Enter Start Time, End Time and Weekdays.

Note: Enter a Start Time slightly later than the current time, and an End Time a little earlier than the Start Time, so that the schedule switches on a few minutes after the rule is applied. For example, if the current time is 15:55, enter 16:00:00 as the Start Time and 15:59:59 as the End Time. Once the firewall rule has taken effect, this Time Object can be removed.


3. Go to Firewall >> Filter Setup page, create an IP Filter Group, then click Add to create an IP Filter Rule that blocks the unknown peer IP.

  1. Check Enable.
  2. Select Block as Action.
  3. In Time Schedule >> Time Object, select the Time object created in the previous step.
  4. In Time Schedule >> Advanced Setting, select Clear Session when Scheduler is on.
  5. In Source IP, select the IP object created in the previous step.
  6. Apply the setting.
[Screenshots: Vigor3900 Firewall Rule setup]

After that, we will see a firewall log like the following instead of the VPN log:

<13>Dec 27 17:13:02 Vigor: [Clear Session] Delete conntrack by ip_filter_set_rule : unknown
<135>Dec 27 17:13:07 Vigor: [IPF-unknown] BLOCK src ip 1.2.3.4 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto udp DPT=500, skbmark=10000002/0
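The firewall lines above are the raw material for deciding which peer belongs in the Black IP List of Application 1. The following Python script is an added example, not DrayTek's code or anything shipped with the router: it parses firewall BLOCK lines in the format shown above, maps the destination port to the VPN service table from Application 2, and lists the source IPs that hit the router's VPN ports repeatedly while ignoring unrelated probes (for example HTTP). The log layout beyond the two lines shown, the protocol names the router prints for GRE and ESP, and the hit threshold are assumptions; the sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Pattern derived from the two Vigor firewall log lines shown on this page.
# Assumption: other BLOCK/PASS entries use the same layout; the MAC field is optional.
IPF_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) Vigor: "
    r"\[IPF-(?P<rule>[^\]]+)\] (?P<action>BLOCK|PASS) "
    r"src ip (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:mac (?P<mac>[0-9a-fx:]+) )?"
    r"dst ip (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"proto (?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?"
)

# Port table from Application 2. GRE and ESP carry no port; the names the router
# prints for them are assumed, so both the name and the protocol number are accepted.
VPN_SERVICES = {
    ("tcp", 1723): "PPTP",
    ("gre", None): "PPTP (GRE)",
    ("47", None): "PPTP (GRE)",
    ("udp", 1701): "L2TP",
    ("udp", 500): "IPsec/L2TP (IKE)",
    ("udp", 4500): "IPsec/L2TP (NAT-T)",
    ("esp", None): "IPsec (ESP)",
    ("50", None): "IPsec (ESP)",
    ("tcp", 443): "SSL VPN / OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 1194): "OpenVPN",
}


def parse_ipf_line(line):
    """Parse one [IPF-...] firewall log line into a dict, or return None for
    lines that are not firewall BLOCK/PASS events (e.g. the [Clear Session] line)."""
    m = IPF_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["proto"] = ev["proto"].lower()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    ev["service"] = VPN_SERVICES.get((ev["proto"], ev["dpt"]))
    return ev


def vpn_dialers(lines, threshold=3):
    """Return {src_ip: {service: hits}} for sources whose BLOCKed packets to the
    router's VPN ports reach `threshold` (an assumed value). Hits on non-VPN
    ports are ignored, so the result is the candidate list for the Black IP List."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_ipf_line(line)
        if ev and ev["action"] == "BLOCK" and ev["service"]:
            hits[ev["src"]][ev["service"]] += 1
    return {src: dict(c) for src, c in hits.items() if sum(c.values()) >= threshold}


# Constructed sample log: the two lines from the page, repeats of the same peer,
# one PPTP attempt from a second peer and one HTTP probe that is not VPN traffic.
SAMPLE_LOG = [
    "<13>Dec 27 17:13:02 Vigor: [Clear Session] Delete conntrack by ip_filter_set_rule : unknown",
    "<135>Dec 27 17:13:07 Vigor: [IPF-unknown] BLOCK src ip 1.2.3.4 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto udp DPT=500, skbmark=10000002/0",
    "<135>Dec 27 17:13:37 Vigor: [IPF-unknown] BLOCK src ip 1.2.3.4 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto udp DPT=500, skbmark=10000002/0",
    "<135>Dec 27 17:14:07 Vigor: [IPF-unknown] BLOCK src ip 1.2.3.4 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto udp DPT=4500, skbmark=10000002/0",
    "<135>Dec 27 17:14:37 Vigor: [IPF-unknown] BLOCK src ip 1.2.3.4 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto udp DPT=500, skbmark=10000002/0",
    "<135>Dec 27 17:15:01 Vigor: [IPF-unknown] BLOCK src ip 198.51.100.7 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto tcp DPT=1723, skbmark=10000002/0",
    "<135>Dec 27 17:15:09 Vigor: [IPF-unknown] BLOCK src ip 203.0.113.9 mac 00:1d:aa:xx:xx:xx dst ip 172.17.5.92 proto tcp DPT=80, skbmark=10000002/0",
]

if __name__ == "__main__":
    # Feed a real capture from Syslog Utility here instead of SAMPLE_LOG.
    for src, services in vpn_dialers(SAMPLE_LOG).items():
        print(f"{src}: {services}")
```

With the constructed log, only 1.2.3.4 crosses the threshold (three IKE hits and one NAT-T hit); 198.51.100.7 made a single PPTP attempt and 203.0.113.9 only probed HTTP, so neither is proposed for the blacklist. Raising or lowering `threshold` trades false positives against how quickly a persistent dialer is caught.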

Published On: 2019-07-08 
