Mikrotik 2 Factor Authentication


Milton Beaty

Aug 4, 2024, 12:27:29 PM8/4/24
to dtotunknowgia
miniOrange accomplishes this by acting as a RADIUS server that accepts the username/password entered by the user as a RADIUS request and validates the user against a user store such as Active Directory (AD). After the first level of authentication, miniOrange prompts the user for 2-factor authentication and either grants or revokes access based on the user's input.
(The Active Directory Group Provisioning (Sync) setup is done. Now, whenever a user is created or modified in the LDAP server and the Assign Users to Groups option is enabled, the user group attribute from the LDAP server will be automatically synced and the user group will be assigned or changed accordingly in miniOrange.)
Multi-Factor Authentication (MFA) is an authentication method that requires the user to authenticate themselves with two or more factors in order to gain access to company resources, applications, or a VPN (MikroTik in this case). Enabling Multi-Factor Authentication (MFA) means that users need to provide additional verification factors apart from their username and password, thus increasing the security of the organization's resources. Check out more about Multi-Factor Authentication (MFA) here.
This guide describes how to enable Protectimus Two-Factor Authentication (2FA) for users connecting to MikroTik VPN.
The Protectimus two-factor authentication system can be integrated with MikroTik VPN via the RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the MikroTik VPN to refer to the Protectimus RADIUS Server for user authentication.
See how Protectimus two-factor authentication solution works for MikroTik VPN in the scheme below.
I e-mailed MikroTik support (support at mikrotik.com) to double-check my info and got a reply from @Sergejs. The answer is definitely no. The SOCKS proxy still exists, but this also does not support authentication.
If your appliance can handle the VPN, then it should be done at the appliance level (router or firewall), as they are dedicated devices built for these functions. Furthermore, with a hardened OS, there is less to worry about in terms of security. But do note to update the appliance's firmware (or definitions) regularly.
I am a larger-sized business, but with not too much remote access. I have never worried about remote access interfering with other duties of my firewalls. I do authenticate against AD using RADIUS. Be sure you have account lockouts enabled to prevent brute force. I also employ two-factor authentication.
I currently do it on my routers, but I specifically chose my routers to handle that task, so performance is a non-issue. I much prefer doing it on the router as it prevents any attack from sneaking past the firewall prior to authentication.
Not sure what the problem is here. My firewall uses AD authentication and those lockout rules apply, as do additional rules put in place on the firewall. Additionally, the firewall does an excellent job of logging all attempts. All I am saying is that the VPN authentication (via AD and other methods), encryption/decryption and logging are handled by the firewall. The firewall will block almost all brute-force attacks faster since it is the only device that knows about all traffic originating from (and going to) a given IP.
Actually, I was only saying that VPN services were handled by the firewall (not sure why I typed router; I guess that was because it was what the OP used in his list of options), not sure how that implies any type of authentication, especially since the OP stated in option 1: "1) Configure L2TP/IPSec on my router and authenticate users over RADIUS from my AD".
Today, Asus released a product security advisory listing their products affected by Cyclops Blink. While the investigation is currently ongoing, this advisory provides guidance on taking necessary precautions via a checklist for the affected product versions.
In our ongoing research into activity surrounding Ukraine, and in cooperation with Cisco Duo data scientists, Talos discovered compromised MikroTik routers inside of Ukraine being leveraged to conduct brute-force attacks on devices protected by multi-factor authentication. This continues a pattern we have seen since our investigation into VPNFilter involving actors using MikroTik routers. While it may not be Cyclops Blink specifically -- we can't know without a forensic investigation -- it was yet another MikroTik router passing malicious traffic, a vendor widely abused by VPNFilter in the past.
Cisco Talos is aware of the recent reporting around a new modular malware family, Cyclops Blink, that targets small and home office (SOHO) devices, similar to previously observed threats like VPNFilter. This malware is designed to run on Linux systems and is compiled specifically for 32-bit PowerPC architecture. The modular nature of this malware allows it to be used in a variety of ways, including typical reconnaissance and espionage activity. It leverages modules to facilitate various operations such as establishment of C2, file upload/download and information extraction capabilities.
Cyclops Blink is a Linux ELF executable compiled for 32-bit PowerPC architecture that has targeted SOHO network devices since at least June 2019. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the command and control (C2) server.
The core component has a variety of functionality. Initially, it confirms that it's running as a process named 'kworker[0:1]' which allows it to masquerade as a kernel process. If that is not the case, it will reload itself as that process name and kill the parent process. The core component then adjusts the iptables to allow additional access via a set of hard-coded ports that are used for C2 communication. The C2 communication is conducted through multiple layers of encryption including a TLS tunnel with individual commands encrypted using AES-256-CBC.
The four known modules perform a variety of functions and tasks associated with initial access and reconnaissance. This could be the basis to deploy additional modules, but at this point, we cannot confirm any additional modules.
The file upload/download module (ID 0xf) is designed to upload and download files. These instructions are sent by the core component and can include downloads from URLs or uploads of files to C2 servers.
The C2 server list module (ID 0x39) is used to store and/or update the list of IP addresses used for C2 activity. The list is loaded and passed to the core component and when updates are received from the core component it is passed into this module to be updated.
The Update/Persistence module (ID 0x51) installs updates to Cyclops Blink or ensures its persistence on the system. The update process leverages the firmware update process on the device. The persistence is handled via a subprocess to this module and involves overwriting legitimate executables with modified versions allowing the firmware update process to be manipulated to update Cyclops Blink.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower Threat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual, and Adaptive Security Appliance can detect malicious activity associated with this threat.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.