Fail2Ban & OpenVPN brute forcing

I’ve added the Fail2Ban example here:

Changing the path from
logpath = /var/log/openvpn.log

into
logpath = /var/log/messages

As far as I can see the line
<HOST>:\d+ TLS Error: TLS handshake failed$
does match the FreePBX distro logging, but fail2ban does not block OpenVPN abusers yet…
Does anybody have this working? Or any hints as to what I am overlooking?

Removing the ^ from the and leaving the $ does give matches using
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/openvpn.local

JWR
PS Please add this default to the Fail2Ban configuration in FreePBX :)

Created /etc/fail2ban/filter.d/openvpn.local containing:

# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server’s logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

# [AF_INET] is literal text, so the brackets are escaped; <HOST> captures the source address
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
^ <HOST>:\d+ Connection reset, restarting
^ <HOST>:\d+ TLS Auth Error
<HOST>:\d+ TLS Error: TLS handshake failed$
^ <HOST>:\d+ VERIFY ERROR

ignoreregex =

Create /etc/fail2ban/jail.d/openvpn containing:

# Fail2Ban configuration fragment for OpenVPN

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/messages
maxretry = 3

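As an added illustration (not part of the original thread or of fail2ban itself), here is a small Python simulation of what fail2ban-regex does with the filter above: it strips the timestamp, substitutes the <HOST> tag, and tries each failregex against constructed sample lines in both OpenVPN's own log format and the syslog format found in /var/log/messages. The HOST expansion, the timestamp stripper and the " hostname openvpn[pid]:" syslog prefix are assumptions, simplified from fail2ban and from a typical syslog layout; the sample log lines are constructed, not taken from a real server. It shows why the "^ <HOST>" patterns match openvpn.log but not /var/log/messages, and how an optional prefix after the anchor makes them match both.

```python
import re

# Approximation of fail2ban's <HOST> expansion (assumption; fail2ban's real
# pattern is longer and also handles IPv6-mapped prefixes).
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Timestamp formats that fail2ban strips before applying failregex:
# OpenVPN's own "Thu Aug 25 09:36:02 2016 ..." and syslog's "Aug 25 09:36:02 ...".
DATE_PREFIX = re.compile(r"^(?:\w{3} )?\w{3} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?")

# Assumed syslog prefix that /var/log/messages inserts between the timestamp
# and OpenVPN's message: " <hostname> openvpn[<pid>]:".
SYSLOG_PREFIX = r"(?: \S+ openvpn\[\d+\]:)?"

# The failregex lines from the filter in the post (with [AF_INET] escaped).
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"<HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]


def compile_filter(patterns):
    """Substitute <HOST> and compile, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def prefix_aware(patterns):
    """Allow the optional syslog prefix right after the anchor of each '^ ' pattern."""
    return [p.replace("^ ", "^" + SYSLOG_PREFIX + " ", 1) if p.startswith("^ ") else p
            for p in patterns]


def match_line(line, compiled):
    """Return the host captured by the first matching failregex, or None."""
    rest = DATE_PREFIX.sub("", line, count=1)   # what fail2ban hands to failregex
    for rx in compiled:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None


def scan(lines, compiled):
    """One result per line: the offending host, or None when no failregex matched."""
    return [match_line(line, compiled) for line in lines]


# Constructed sample lines in OpenVPN's own log format (openvpn.log).
OPENVPN_LOG = [
    "Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223",
    "Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed",
    "Thu Aug 25 09:36:10 2016 117.207.115.143:58922 Connection reset, restarting [0]",
    "Thu Aug 25 09:36:12 2016 Initialization Sequence Completed",
]

# The same events as syslog would write them to /var/log/messages (constructed).
SYSLOG = [
    "Sep 23 11:55:36 pbx openvpn[2931]: TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223",
    "Aug 25 09:36:02 pbx openvpn[2931]: 117.207.115.143:58922 TLS Error: TLS handshake failed",
    "Aug 25 09:36:10 pbx openvpn[2931]: 117.207.115.143:58922 Connection reset, restarting [0]",
]

if __name__ == "__main__":
    for name, lines in (("openvpn.log", OPENVPN_LOG), ("messages", SYSLOG)):
        print(name, "as posted:    ", scan(lines, compile_filter(FAILREGEX)))
        print(name, "prefix-aware: ", scan(lines, compile_filter(prefix_aware(FAILREGEX))))
```

Run as-is, the "as posted" pass over the syslog samples only catches the unanchored "TLS handshake failed" line, which matches what the post reports (matches only after dropping the ^). The prefix-aware variant catches all three syslog lines and still matches openvpn.log, because the prefix group is optional. Whether the real lines carry exactly " pbx openvpn[pid]:" is the assumption to verify against your own /var/log/messages with fail2ban-regex before changing the filter.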

Hi.
With sysadmin, this feature already exists.

I’m seeing this attack on a few of my systems and fail2ban says it’s blocking the IPs, but the list in sysadmin > intrusion detection never seems to grow and every day I’m getting dozens of notifications from fail2ban.
