Merge pull request #2702 from pburndorfer/master

New openvpn jail
Sergey G. Brester 2025-01-30 13:16:44 +01:00 committed by GitHub
commit 6d3308ecb4
4 changed files with 46 additions and 0 deletions


@ -42,6 +42,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
* `action.d/firewallcmd-rich-*.conf` - fixed incorrect quoting, disabling port variable expansion
by substitution of rich rule (gh-3815)
* `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966)
* `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702)
ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km
-----------


@ -0,0 +1,13 @@
# Fail2Ban filter for openvpn server
# Detecting wrong TLS handshakes
# typically logged in /var/log/syslog
# Author: Philipp Burndorfer
[INCLUDES]
before = common.conf
[Definition]
_daemon = ovpn-server\d*
failregex = ^%(__prefix_line)s<HOST>:\d{4,5} (?:TLS Auth Error:|VERIFY ERROR:|TLS Error: TLS handshake failed\b|SIGUSR1\[soft,connection-reset\] received\b)
^%(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]\s*<HOST>:\d{4,5}
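Review bot: The `SIGUSR1\[soft,connection-reset\] received` alternative in `failregex` bans on a bare TCP connection reset, which is not an authentication failure — in the accompanying test log it follows a "Bad encapsulated packet length" warning, but a legitimate client whose TCP session drops abruptly would presumably log the same line and be banned once it hits `maxretry`. Either drop that alternative or document the trade-off in the header, e.g. `# NOTE: a TCP connection reset is counted as a failure; raise maxretry if clients roam between networks`. Both regexes also accept only a 4–5 digit source port (`\d{4,5}`), so a peer that binds a source port below 1000 is never matched and therefore never banned; `\d{1,5}` closes that evasion. The second regex hard-codes `\[AF_INET\]`; if the server also accepts IPv6 peers, which OpenVPN tags `[AF_INET6]` as far as I recall, `\[AF_INET6?\]\s*<HOST>:\d{1,5}` is needed there, with a matching IPv6 sample added to the test log.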


@ -978,6 +978,10 @@ logpath = %(apache_error_log)s
port = http,https
logpath = /var/log/traefik/access.log
[openvpn]
port = 443
logpath = /var/log/syslog
[scanlogd]
logpath = %(syslog_local0)s
banaction = %(banaction_allports)s
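Review bot: `port = 443` in the new `[openvpn]` jail is a deployment-specific value, not OpenVPN's default — a stock server listens on 1194/udp, and since fail2ban's jail defaults use tcp as far as I recall, the rules emitted by the default banaction would block 443/tcp and leave a default install unprotected; the `TCP connection established` lines in the test log suggest the author's own server runs over TCP on 443. Either follow the `[scanlogd]` entry right below and set `banaction = %(banaction_allports)s`, or use `port = 1194` with `protocol = udp` and a comment such as `# adjust port/protocol to match the server's --port/--proto settings`. `logpath = /var/log/syslog` also hard-codes a Debian-style file where the neighbouring jails use the paths macros (`%(syslog_local0)s` in `[scanlogd]`); `%(syslog_daemon)s` is presumably the right macro here — confirm against paths-common.conf — and would let journald-only hosts fall back to the syslog backend instead of failing on a missing file.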


@ -0,0 +1,28 @@
Apr 25 10:57:30 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:10107
Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:57:36", "match": true , "host": "83.97.20.30" }
Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 25 10:57:43 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:29148
Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:57:49", "match": true , "host": "83.97.20.30" }
Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 25 10:57:56 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:2495
Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:58:03", "match": true , "host": "83.97.20.30" }
Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 25 10:58:09 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:30968
Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:58:15", "match": true , "host": "83.97.20.30" }
Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 SIGUSR1[soft,connection-reset] received, client-instance restarting
# failJSON: { "time": "2005-04-25T11:19:00", "match": true , "host": "192.0.2.251" }
Apr 25 11:19:00 ovpn-server[13818]: 192.0.2.251:55329 VERIFY ERROR: depth=2, error=unable to get issuer certificate: <ROOT CA>
# failJSON: { "time": "2005-04-25T11:19:00", "match": true , "host": "192.0.2.252" }
Apr 25 11:19:00 ovpn-server[13819]: 192.0.2.252:55330 TLS Error: TLS handshake failed
# failJSON: { "time": "2005-04-25T11:19:00", "match": true , "host": "192.0.2.253" }
Apr 25 11:19:00 ovpn-server[13820]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.253:55340
# failJSON: { "time": "2005-04-25T11:19:22", "match": true , "host": "192.0.2.254" }
Apr 25 11:19:22 ovpn-server[13821]: 192.0.2.254:64480 TLS Auth Error: Auth Username/Password verification failed for peer
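Review bot: The test log carries only `match: true` samples; the `TCP connection established` lines are at best implicit non-matches, so there is no explicit negative case pinning the filter's specificity, and a later loosening of the regex (say, matching any `SIGUSR1[...]` line) would still pass. Add a `# failJSON: { "match": false }` sample for a benign restart such as `Apr 25 11:20:00 ovpn-server[13822]: 192.0.2.10:50123 SIGUSR1[soft,ping-restart] received, client-instance restarting` (OpenVPN wording from memory — verify against a real log). The `Bad encapsulated packet length ... possible active attack` warnings on the earlier lines, which OpenVPN itself flags as a likely attack indicator, are left unmatched and only the following `connection-reset` line counts; if that is intentional, a one-line comment in the test file saying so would save the next maintainer from "fixing" it.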