OpenVPN Brute Force

edricksmith · September 9, 2022, 7:54pm

So out of nowhere it seems one of our systems is being singled out for OpenVPN brute force attacks. This has never happened before but since this morning about every 30 min to an hour another new IP is attempting to break it. The system over all is locked down to only allow traffic from known IPs however naturally OpenVPN is how we’re connecting in for a few things.

Is there anything to mitigate this or ideas on why now after all this time specifically OpenVPN is being targeted?

Edit: now I’ve had 5 in the past hour

My concern on this is that it’s never been brute force attempted in the 8 months or so this one’s been live now all of the sudden in the past day it’s been getting hit by multiple IPs with any luck eventually they’ll stop. There’s no signs of a compromise so far

edricksmith · September 10, 2022, 7:52pm

It’s really odd almost as if an individual person is manually doing it vs a bot, the activity stopped over night then picked back up at 7am and there’s been another 20 attempts since then from different IPs since then and it’s basically one IP tries 8 times then gets banned, a little bit after that a new IP goes at it.

It’s insanely annoying getting non stop fail2ban emails and I feel like I’m just sitting here waiting for them to possibly “succeed” but I don’t see what I can do to stop it as openvpn is the only open public side and is needed?

mahbell · September 12, 2022, 7:39am

It’s open to the internet, this is bound to happen, it’s an inevitability vs. possibility. There are things you can do besides sit around.

As @dicko often mentions, use non-standard ports for as much as you can.

Also read through these and see if you’re missing anything from your approach.

https://wiki.freepbx.org/plugins/servlet/mobile?contentId=165806206#content/view/165806206

If you know where the VPN traffic should be coming from, you can try locking it down to the necessary regional IPs.

edricksmith · September 12, 2022, 7:55am

Yeah I’ve followed / done the instructions as outlined there the only thing being attacked is OpenVPN, but it seems that someone specifically could be doing it as it always stops at night, where as if it was just random bots I’d assume it would go all the time. For now I’ve just disabled open VPN as the majority of the devices are actually just at a static site anyways. I’ll have to look into locking down the IPs more regionally I suppose.

I guess my question is more so are there any additional things to be done to better secure OpenVPN? I believe freepbx uses certificate based authentication vs user / password?

mahbell · September 12, 2022, 8:03am

If it is a person vs a bot, it’s much less likely they will successfully brute force anything.

edricksmith · September 12, 2022, 8:20am

Thanks I’ll give those a go

lgaetz · September 12, 2022, 1:41pm

It’s not really a security step, but one thing you can do to cut down to cut down on the notificatoins is to configure the vpn server with a non-standard port. Choosing a random port north of 40k is my go to. Feature in sysadmin 15+

thetelcoguy · September 15, 2022, 1:39am

Also if your firewall has an IPS system, like FortiGuard etc. then it will normally recognize these types of attacks and block them.

system · October 15, 2022, 1:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.