Block unauthorized OpenVPN logins using fail2ban

This post has moved to https://read.stefanangrick.net/block-unauthorized-openvpn-logins-using-fail2ban. Please update your bookmarks.

8 comments to Block unauthorized OpenVPN logins using fail2ban
Hi,
I found a few issues with the failregex in your post.
1) On our systems, OpenVPN logs to separate logfiles. The logfile format differs in that case.
2) The above example will only work if the openvpn configuration file is called “server.conf”; if it was called “foobar.conf”, then the “ovpn-server” part will be “ovpn-foobar” in the syslog.
3) It is important to use anchored failregexes to avoid a possible DoS, for example see CVE-2013-7176 and CVE-2013-7177.
Hence, this is what I changed your failregexes to:
failregex = ^.*\s:[0-9]{4,5} TLS Auth Error:.*$
            ^.*\s:[0-9]{4,5} VERIFY ERROR:.*$
            ^.*\s:[0-9]{4,5} TLS Error: TLS handshake failed.*$
Hope that helps, have a nice day and thank you very much for your post – I found it very helpful.
Niels
Thank you for the useful information, Niels!
Loading this failregex, your openvpn jail won’t match anything. Checking your logs after restarting the fail2ban service, you should read something like:
fail2ban[XXX]: ERROR NOK: ("No 'host' group in [regexpr]",)
Patch being:
[Definition]
failregex = ^.*\s<HOST>:[0-9]{4,5} TLS Auth Error:.*$
            ^.*\s<HOST>:[0-9]{4,5} VERIFY ERROR:.*$
            ^.*\s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$
SYN
Thanks for the information, SYN. The expression works for me, but it’s possible that the way strings are parsed has changed between versions of fail2ban. Thanks for the correction!
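As an added example (not from the post or from any of the commenters), the script below runs the three anchored failregex lines from the exchange above, with `<HOST>` in place since fail2ban refuses to load a filter that has no group by that name, over a handful of constructed OpenVPN log lines, roughly the way `fail2ban-regex` would. It covers the points raised in the comments: the `ovpn-<confname>` syslog prefix depends on the configuration file name, a standalone OpenVPN logfile carries no syslog prefix at all, and a pattern in which `<HOST>` is missing is rejected with the error SYN quoted. The `<HOST>` expansion is a simplified stand-in for fail2ban's own (an assumption of this example), and every log line is made up.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption of this
# example): fail2ban's real pattern is more elaborate, but the part that
# matters here is a named group called "host".
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# The three anchored failregex lines from SYN's patch above, <HOST> included.
OPENVPN_FAILREGEX = [
    r"^.*\s<HOST>:[0-9]{4,5} TLS Auth Error:.*$",
    r"^.*\s<HOST>:[0-9]{4,5} VERIFY ERROR:.*$",
    r"^.*\s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$",
]


def compile_failregex(pattern):
    """Expand <HOST> and compile the pattern, refusing patterns that fail2ban
    would not load either (the "No 'host' group" error quoted in the thread)."""
    compiled = re.compile(pattern.replace("<HOST>", HOST_RE))
    if "host" not in compiled.groupindex:
        raise ValueError("No 'host' group in %r" % pattern)
    return compiled


def find_failures(lines, patterns=OPENVPN_FAILREGEX):
    """Return (host, line) pairs for every line matched by any failregex,
    in input order. The first matching pattern wins, as in fail2ban."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


def count_per_host(lines, patterns=OPENVPN_FAILREGEX):
    """Failures per host; this is the number fail2ban compares with maxretry."""
    counts = {}
    for host, _ in find_failures(lines, patterns):
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines, not real log data. Lines 1-3 use the syslog
# format with the ovpn-<confname> prefix (note the ovpn-foobar variant),
# line 4 the standalone OpenVPN logfile format without a syslog prefix,
# and the last two are successful connections that must not match.
SAMPLE_LINES = [
    "Jan 10 12:34:56 vpn ovpn-server[1234]: 203.0.113.5:51234 TLS Error: TLS handshake failed",
    "Jan 10 12:35:01 vpn ovpn-foobar[1234]: 198.51.100.7:1194 VERIFY ERROR: depth=0, error=certificate has expired: CN=client1",
    "Jan 10 12:35:09 vpn ovpn-server[1234]: 203.0.113.5:51240 TLS Auth Error: Auth Username/Password verification failed for peer",
    "Mon Jan 10 12:36:00 2022 192.0.2.33:60001 TLS Error: TLS handshake failed",
    "Jan 10 12:37:12 vpn ovpn-server[1234]: 198.51.100.9:44444 [client2] Peer Connection Initiated with [AF_INET]198.51.100.9:44444",
    "Jan 10 12:37:20 vpn ovpn-server[1234]: TLS: Initial packet from [AF_INET]198.51.100.9:44444",
]


if __name__ == "__main__":
    for host, line in find_failures(SAMPLE_LINES):
        print(host, "<-", line)
    print(count_per_host(SAMPLE_LINES))
    # The regex as it is rendered in Niels's comment, i.e. with <HOST> lost,
    # is rejected just as fail2ban rejects it.
    try:
        compile_failregex(r"^.*\s:[0-9]{4,5} TLS Auth Error:.*$")
    except ValueError as err:
        print("rejected:", err)
```

Because each pattern starts with `^.*\s<HOST>:`, the greedy prefix absorbs whatever precedes the `address:port` token, so the same filter serves the syslog and standalone-logfile formats and any `ovpn-<confname>` tag; the trailing `.*$` keeps the pattern anchored at both ends as Niels recommends. Run the real thing with `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/openvpn.conf` before enabling the jail.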
Awesome, thank you both for this. A very nice addition to the cyber security arsenal.
I also found this useful but ended up using it only as an example for writing regex rules for strongswan. Working quite nicely!
Thanks!!
/etc/fail2ban/filter.d/strongswan.conf >
# filter for strongswan VPN
[Definition]
failregex = [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.*.is initiating an IKE_SA
            [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.no EAP key found for hosts*
            [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.[A-Z]*-[A-Z]*-[A-z,0-9]*.verification failed\,*.retry*.\([0-9]{1}\)
ignoreregex =
/etc/fail2ban/jail.local >
[strongswan]
enabled = true
port = 500,4500
protocol = udp
filter = strongswan
logpath = /var/log/messages
maxretry = 3
Oh I should mention, you need to enable the specific logging in strongswan:
/etc/strongswan/ipsec.conf >
config setup
    charondebug="ike 2, knl 3, cfg 0"
/etc/strongswan/strongswan.conf >
charon {
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
Thanks
Glad I could help! Thanks for the useful comment!