New openvpn jail.

pull/2702/head
Philipp Burndorfer 2020-04-25 13:54:44 +02:00 committed by sebres
parent 7a5e2c8419
commit 88385eb6c1
3 changed files with 43 additions and 0 deletions


@ -0,0 +1,14 @@
# Fail2Ban filter for openvpn server
# Detecting wrong TLS handshakes
# typically logged in /var/log/syslog
# Author: Philipp Burndorfer
[INCLUDES]
before = common.conf
[Definition]
failregex =%(__hostname)s ovpn-server\[[0-9]{2,5}\]:.<HOST>:[0-9]{3,5} TLS Auth Error:.*
%(__hostname)s ovpn-server\[[0-9]{2,5}\]:.<HOST>:[0-9]{3,5} VERIFY ERROR:.*
%(__hostname)s ovpn-server\[[0-9]{2,5}\]:.<HOST>:[0-9]{3,5} TLS Error: TLS handshake failed.*
%(__hostname)s ovpn-server\[[0-9]{2,5}\]:.<HOST>:[0-9]{3,5} SIGUSR1\[soft,connection-reset\] received.*
%(__hostname)s ovpn-server\[[0-9]{2,5}\]: TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{3,5}
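Review bot: None of the five failregex expressions is anchored with `^`, and the first four end in an unneeded `.*`, so a match may begin anywhere in a log line; OpenVPN's VERIFY ERROR messages can include peer-supplied certificate text, which makes an unanchored `<HOST>` capture a way to get an unrelated address banned. Anchor each expression and reuse the prefix helper from common.conf, for example set `_daemon = ovpn-server` and write `^%(__prefix_line)s<HOST>:\d+ TLS Auth Error:`. That also removes the hand-written PID quantifier `[0-9]{2,5}`, which silently stops matching on hosts where PIDs run past five digits. Separately, the `SIGUSR1\[soft,connection-reset\] received` expression counts every connection reset as a failure, so clients on unstable links will accumulate towards maxretry; consider dropping it or documenting that risk in the header comment.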


@ -978,6 +978,13 @@ logpath = %(apache_error_log)s
port = http,https
logpath = /var/log/traefik/access.log
[openvpn]
port = 443 # port of your openvpn server
protocol = tcp # protocol of your openvpn server
filter = openvpn
logpath = /var/log/syslog
maxretry = 5
[scanlogd]
logpath = %(syslog_local0)s
banaction = %(banaction_allports)s
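Review bot: The `# …` text after the values on the `port` and `protocol` lines of `[openvpn]` is likely to be read as part of the value, since fail2ban's config reader, as far as I know, accepts only `;` preceded by a space as an inline comment; the ban action would then be handed `443 # port of your openvpn server` as the port. Move both remarks to comment lines of their own above the keys, leaving `port = 443` and `protocol = tcp`. `logpath = /var/log/syslog` is hard-coded where the neighbouring jails use path variables such as `%(syslog_local0)s`, so the jail would watch a file that does not exist on systems that log elsewhere; a variable such as `%(syslog_daemon)s` would be more portable. The hunk is cut from the middle of jail.conf, so the defaults these keys override are not visible here.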


@ -0,0 +1,22 @@
# should match
Apr 25 10:57:30 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:10107
Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:57:36", "match": true , "host": "83.97.20.30" }
Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 25 10:57:43 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:29148
Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:57:49", "match": true , "host": "83.97.20.30" }
Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 25 10:57:56 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:2495
Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:58:03", "match": true , "host": "83.97.20.30" }
Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 25 10:58:09 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:30968
Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 Connection reset, restarting [0]
# failJSON: { "time": "2005-04-25T10:58:15", "match": true , "host": "83.97.20.30" }
Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 SIGUSR1[soft,connection-reset] received, client-instance restarting
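Review bot: Only the `SIGUSR1[soft,connection-reset] received` expression is exercised by these samples; the filter added in this commit also defines expressions for `TLS Auth Error`, `VERIFY ERROR`, `TLS Error: TLS handshake failed` and `cannot locate HMAC in incoming packet`, and none of them has a sample line here. Add one `# failJSON:` sample with `"match": true` per expression, taken from real server logs, so each regex is proven to capture the intended host. Also add at least one line marked `"match": false`, for example a `TCP connection established` line carrying its own failJSON header, so that a later change which widens the filter is caught. The `# should match` header would then be better split into matching and non-matching groups.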