So out of nowhere it seems one of our systems is being singled out for OpenVPN brute-force attacks. This has never happened before, but since this morning, about every 30 min to an hour, another new IP is attempting to break in. The system overall is locked down to only allow traffic from known IPs; however, naturally OpenVPN is how we're connecting in for a few things.
Is there anything to mitigate this, or ideas on why, after all this time, OpenVPN specifically is being targeted now?
Edit: now I've had 5 in the past hour.
My concern is that it was never brute-force attempted in the 8 months or so this one has been live, and now all of a sudden, in the past day, it's been getting hit by multiple IPs. With any luck they'll eventually stop. There are no signs of a compromise so far.
It's really odd, almost as if an individual person is manually doing it vs. a bot. The activity stopped overnight, then picked back up at 7am, and there have been another 20 attempts since then from different IPs. It's basically one IP tries 8 times, then gets banned; a little bit after that a new IP goes at it.
It's insanely annoying getting non-stop fail2ban emails, and I feel like I'm just sitting here waiting for them to possibly "succeed", but I don't see what I can do to stop it, as OpenVPN is the only open public-facing service and is needed.
Yeah, I've followed / done the instructions as outlined there. The only thing being attacked is OpenVPN, but it seems that someone specifically could be doing it, as it always stops at night, whereas if it was just random bots I'd assume it would go all the time. For now I've just disabled OpenVPN, as the majority of the devices are actually just at a static site anyway. I'll have to look into locking down the IPs more regionally, I suppose.
I guess my question is more: are there any additional things to be done to better secure OpenVPN? I believe FreePBX uses certificate-based authentication vs. user/password?
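The "one IP tries 8 times, gets banned, then the next IP starts" pattern described in the posts above can be measured directly from the OpenVPN server log instead of from fail2ban e-mails. The script below is an added example, not code from the thread or from FreePBX; it assumes the server logs in the usual `verb 3` format (timestamp, `ip:port`, message) and the log lines it runs over are constructed samples, not real captures. It counts control-channel failures per source address, flags any address that would trip a fail2ban-style `maxretry` within a time window, and reports how soon after one address's last failure the next address began.

```python
"""Summarise OpenVPN control-channel failures per source IP.

Added example (not from the original thread). Assumes OpenVPN verb-3 log
lines such as:  "Tue Sep 17 07:00:00 2024 203.0.113.5:50000 TLS Error: ..."
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Messages OpenVPN emits when an unauthenticated peer never completes the
# TLS handshake, sends packets without the expected HMAC / tls-crypt wrap,
# or presents a certificate that does not verify.
FAILURE_RE = re.compile(
    r"TLS Error: TLS handshake failed"
    r"|TLS Error: TLS key negotiation failed to occur"
    r"|TLS Error: cannot locate HMAC in incoming packet"
    r"|tls-crypt unwrap error"
    r"|VERIFY ERROR: depth="
)
TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$")
IP_RE = re.compile(r"(?:\[AF_INET\])?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_line(line):
    """Return (timestamp, ip, message) for a failure line, else None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    ip = IP_RE.search(rest)  # peer address, prefixed or "from [AF_INET]..."
    if not ip or not FAILURE_RE.search(rest):
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, ip.group("ip"), rest


def summarise(lines, window=timedelta(hours=1), threshold=8):
    """Per-IP (count, first, last) plus the IPs that reach `threshold`
    failures inside any `window` (what a fail2ban jail would ban)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, _ = parsed
            events[ip].append(ts)
    report, flagged = {}, set()
    for ip, stamps in events.items():
        stamps.sort()
        report[ip] = (len(stamps), stamps[0], stamps[-1])
        # sliding window over the sorted timestamps
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(ip)
                break
    return report, flagged


def rotation_pattern(report):
    """Order IPs by first failure; return (previous_ip, next_ip, gap) where
    gap is how long after the previous IP's last failure the next one began.
    Many distinct IPs with short gaps is the 'ban one, next one starts' shape."""
    ordered = sorted(report.items(), key=lambda kv: kv[1][1])
    return [
        (prev_ip, ip, first - prev_last)
        for (prev_ip, (_, _, prev_last)), (ip, (_, first, _)) in zip(ordered, ordered[1:])
    ]


def constructed_log():
    """Constructed sample log (not a real capture): two bursts of 8 failures
    from rotating addresses, a short third burst, and one legitimate client."""
    base = datetime(2024, 9, 17, 7, 0, 0)
    fmt = "%a %b %d %H:%M:%S %Y"
    lines = ["Tue Sep 17 06:59:58 2024 Initialization Sequence Completed"]

    def burst(ip, start, n, msg):
        for k in range(n):
            ts = (base + start + timedelta(seconds=30 * k)).strftime(fmt)
            lines.append(f"{ts} {ip}:{50000 + k} {msg}")

    burst("203.0.113.5", timedelta(0), 8, "TLS Error: TLS handshake failed")
    burst("198.51.100.23", timedelta(minutes=20), 8,
          "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)")
    burst("192.0.2.77", timedelta(minutes=50), 2,
          "VERIFY ERROR: depth=0, error=unable to get local issuer certificate")
    lines.append("Tue Sep 17 07:55:00 2024 192.0.2.10:1194 [office-phone] "
                 "Peer Connection Initiated with [AF_INET]192.0.2.10:1194")
    return lines


if __name__ == "__main__":
    rep, bad = summarise(constructed_log())
    for ip, (n, first, last) in sorted(rep.items(), key=lambda kv: kv[1][1]):
        print(f"{ip:16} {n:3} failures  {first:%H:%M:%S} - {last:%H:%M:%S}"
              f"{'  WOULD BAN' if ip in bad else ''}")
    for prev_ip, ip, gap in rotation_pattern(rep):
        print(f"{ip} started {gap} after {prev_ip} stopped")
```

Point it at the real log with `summarise(open("/var/log/openvpn/server.log"))` (path assumed). The rotation gaps are what distinguish a targeted effort from background scanning: background noise shows many overlapping addresses at all hours, while a sequence of addresses that each stop at the ban threshold and hand over to the next within minutes, only during business hours, looks like a single operator working through a pool of proxies.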
It's not really a security step, but one thing you can do to cut down on the notifications is to configure the VPN server with a non-standard port. Choosing a random port north of 40k is my go-to.
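As an added example (not the reply's own config and not FreePBX's generated one), here is what a server config that applies the non-standard port together with the certificate-only hardening asked about above can look like. File paths, key names and the port number are assumptions; directive names are standard OpenVPN 2.4+/2.5+ syntax.

```text
# /etc/openvpn/server/server.conf   (example; paths, names and port assumed)

# Non-standard port as suggested above: cuts scanner noise, not a targeted attacker.
port 48213
proto udp
dev tun

# Pre-shared control-channel key: packets not wrapped with ta.key are dropped
# before any TLS handshake begins, so a peer without the key never reaches
# certificate or password authentication. OpenVPN 2.4+; on older servers
# use "tls-auth ta.key 0" instead.
tls-crypt ta.key

# Certificate-only client authentication: no username/password path to brute-force.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem            # revoked client certificates are refused
verify-client-cert require    # the default, stated explicitly
remote-cert-tls client        # client certs must carry the client EKU
tls-version-min 1.2

# Modern data-channel crypto (2.5+ syntax; on 2.4 use "cipher AES-256-GCM")
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Drop privileges after binding the socket (group is "nobody" on RHEL-derived systems)
user nobody
group nogroup
persist-key
persist-tun

# Plain verb-3 logging, which is the format fail2ban filters match against
verb 3
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
```

Two caveats. First, the port change only reduces noise from untargeted scanners; an attacker who has already found the service will find the new port. Second, since the host is already restricted to known source addresses, a firewall rule limiting UDP 48213 to the client addresses that legitimately dial in is a stronger control than anything in the file above, and `tls-crypt` is the next best thing for clients whose addresses cannot be pinned, because it stops unauthenticated peers before the handshake that fail2ban would otherwise have to watch for.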