diff --git a/config/filter.d/openvpn.conf b/config/filter.d/openvpn.conf
new file mode 100644
index 00000000..71b80de2
--- /dev/null
+++ b/config/filter.d/openvpn.conf
@@ -0,0 +1,14 @@
+# Fail2Ban filter for openvpn server
+# Detecting wrong TLS handshakes
+# typically logged in /var/log/syslog
+# Author: Philipp Burndorfer
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex =%(__hostname)s ovpn-server\[[0-9]{2,5}\]:.:[0-9]{3,5} TLS Auth Error:.*
+ %(__hostname)s ovpn-server\[[0-9]{2,5}\]:.:[0-9]{3,5} VERIFY ERROR:.*
+ %(__hostname)s ovpn-server\[[0-9]{2,5}\]:.:[0-9]{3,5} TLS Error: TLS handshake failed.*
+ %(__hostname)s ovpn-server\[[0-9]{2,5}\]:.:[0-9]{3,5} SIGUSR1\[soft,connection-reset\] received.*
+ %(__hostname)s ovpn-server\[[0-9]{2,5}\]: TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]:[0-9]{3,5}
diff --git a/config/jail.conf b/config/jail.conf
index edf3e676..fe89733c 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -978,6 +978,13 @@ logpath = %(apache_error_log)s
 port = http,https
 logpath = /var/log/traefik/access.log
 
+[openvpn]
+port = 443 # port of your openvpn server
+protocol = tcp # protocol of your openvpn server
+filter = openvpn
+logpath = /var/log/syslog
+maxretry = 5
+
 [scanlogd]
 logpath = %(syslog_local0)s
 banaction = %(banaction_allports)s
diff --git a/fail2ban/tests/files/logs/openvpn b/fail2ban/tests/files/logs/openvpn
new file mode 100644
index 00000000..04aa63dc
--- /dev/null
+++ b/fail2ban/tests/files/logs/openvpn
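Review bot: None of the five failregex lines contains a `<HOST>` capture, so fail2ban has no address to ban, and the `\]:.:[0-9]{3,5}` fragment cannot match the fixture lines added in this commit (`ovpn-server[901]: 83.97.20.30:10107 SIGUSR1[soft,connection-reset] received`): after `]:` the `.` consumes the space and the literal `:` then has to match the first digit of the address. The same applies to the HMAC line, where the fixture shows the address between `[AF_INET]` and the port (`[AF_INET]83.97.20.30:10107`), not `[AF_INET]:`. The `%(__hostname)s ovpn-server\[...\]:` prefix is repeated on every line and the patterns are not anchored; common.conf's `__prefix_line` with `_daemon = ovpn-server` covers the syslog timestamp/host/pid prefix, and the trailing `.*` adds nothing. Note also that `SIGUSR1[soft,connection-reset]` is OpenVPN's generic connection-reset restart rather than an authentication failure, so counting it can ban clients on unstable links; that trade-off belongs in the header comment, e.g. `# SIGUSR1[soft,connection-reset] also fires on plain link resets; raise maxretry if legitimate clients get banned`.
```ini
[Definition]
_daemon = ovpn-server

# <HOST> captures the peer address; port width is 1-5 digits, not 3-5
failregex = ^%(__prefix_line)s<HOST>:[0-9]{1,5} TLS Auth Error:
            ^%(__prefix_line)s<HOST>:[0-9]{1,5} VERIFY ERROR:
            ^%(__prefix_line)s<HOST>:[0-9]{1,5} TLS Error: TLS handshake failed
            ^%(__prefix_line)s<HOST>:[0-9]{1,5} SIGUSR1\[soft,connection-reset\] received
            ^%(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{1,5}
```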
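Review bot: The inline comments on `port = 443 # port of your openvpn server` and `protocol = tcp # protocol of your openvpn server` will, under Python's configparser, become part of the value (`443 # port of your openvpn server`), which then fails to resolve as a port when the ban action is built; as far as I recall fail2ban's reader only strips `;`-prefixed inline comments, so `#` is not safe here either way. Move the comments to their own lines above the keys: `# port/protocol your openvpn server listens on (OpenVPN's own default is 1194/udp)`, followed by plain `port = 443` and `protocol = tcp`. Also worth a one-line comment that `logpath = /var/log/syslog` is a distribution-dependent choice, since the other jails in this hunk use the `%(syslog_...)s` path variables.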
@@ -0,0 +1,22 @@
+# should match
+
+Apr 25 10:57:30 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:10107
+Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
+Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 Connection reset, restarting [0]
+# failJSON: { "time": "2005-04-25T10:57:36", "match": true , "host": "83.97.20.30" }
+Apr 25 10:57:36 hostname ovpn-server[901]: 83.97.20.30:10107 SIGUSR1[soft,connection-reset] received, client-instance restarting
+Apr 25 10:57:43 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:29148
+Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
+Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 Connection reset, restarting [0]
+# failJSON: { "time": "2005-04-25T10:57:49", "match": true , "host": "83.97.20.30" }
+Apr 25 10:57:49 hostname ovpn-server[901]: 83.97.20.30:29148 SIGUSR1[soft,connection-reset] received, client-instance restarting
+Apr 25 10:57:56 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:2495
+Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
+Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 Connection reset, restarting [0]
+# failJSON: { "time": "2005-04-25T10:58:03", "match": true , "host": "83.97.20.30" }
+Apr 25 10:58:03 hostname ovpn-server[901]: 83.97.20.30:2495 SIGUSR1[soft,connection-reset] received, client-instance restarting
+Apr 25 10:58:09 hostname ovpn-server[901]: TCP connection established with [AF_INET]83.97.20.30:30968
+Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
+Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 Connection reset, restarting [0]
+# failJSON: { "time": "2005-04-25T10:58:15", "match": true , "host": "83.97.20.30" }
+Apr 25 10:58:15 hostname ovpn-server[901]: 83.97.20.30:30968 SIGUSR1[soft,connection-reset] received, client-instance restarting
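Review bot: The fixture only exercises the `SIGUSR1[soft,connection-reset]` pattern; the other four failregex lines added in this commit (`TLS Auth Error`, `VERIFY ERROR`, `TLS handshake failed`, `cannot locate HMAC`) have no sample line with a `# failJSON:` expectation, so a regression in any of them would pass the filter test. Add at least one `# failJSON: { ..., "match": true, "host": "<placeholder address>" }` plus log line for each pattern, and keep a non-matching line such as the existing `TCP connection established ...` to pin that benign events are not counted. The leading `+# should match` comment carries no meaning to the harness as far as I recall (only `# failJSON:` lines are read as expectations) and can be dropped or turned into a note on which openvpn version produced the samples. Consider using a documentation-range address (192.0.2.x) instead of a public one for the sample peer.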