Block unauthorized OpenVPN logins using fail2ban

Monitoring a server can be a lot of work, but handy tools like fail2ban or logwatch make the task much easier. Fail2ban, for example, watches the log files of the services running on your system and blocks the offending source address (using iptables or hosts.deny) when it detects a break-in attempt. Attempts are recognised by regex filters, and while templates already exist for the most-used services (Apache, SSH, etc.), OpenVPN has so far not been included. Setting it up isn't difficult, though.

Create a file openvpn.conf in /etc/fail2ban/filter.d/ with the following content:

[Definition]
# <HOST> is fail2ban's placeholder for the address to ban. The patterns below
# expect syslog lines of the form "ovpn-server[pid]: <ip>:<port> <message>",
# i.e. an instance started from server.conf that logs via syslog.
failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
            [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
            [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*

Set up a local configuration file for fail2ban by copying the defaults (cp -ivra /etc/fail2ban/jail.conf /etc/fail2ban/jail.local), then open /etc/fail2ban/jail.local and add the following at the end of the file. (A jail.local that contains only your own additions and overrides works just as well, since fail2ban reads jail.conf first and then jail.local on top of it.)

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/syslog
maxretry = 3

Finally, run /etc/init.d/fail2ban restart so the new filter and jail are loaded. Note that this set-up assumes your OpenVPN server logs go to syslog and that its syslog identifier is ovpn-server: Debian's init script starts each instance with --daemon ovpn-<name>, named after its config file, so an instance started from foobar.conf logs as ovpn-foobar and the patterns above need adjusting. If you modify the filter rules, remember that each failregex line must contain the <HOST> tag; without it even a syntactically valid pattern is rejected, because fail2ban would not know which address to block. Prefer patterns anchored with ^ and $ over open-ended ones, so that attacker-controlled text in the log cannot make the matcher backtrack expensively. Before enabling the jail, check that your rules actually match with the fail2ban-regex tool: fail2ban-regex logfile.log /etc/fail2ban/filter.d/openvpn.conf.
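To see what the filter catches before wiring it into a jail, the following script emulates the relevant part of fail2ban: it expands the <HOST> placeholder into fail2ban's capture group, runs the three failregex lines from the filter above over a few constructed syslog lines, and applies maxretry = 3. This is an added example, not code from this post or from fail2ban itself; the HOST_GROUP expansion is the one fail2ban 0.8 used (an assumption here), and the log lines are made up. It also tries an anchored variant of the patterns, written for this example, that accepts any ovpn-<name> identifier instead of hard-coding ovpn-server, and therefore additionally picks up a failure logged by an instance started as ovpn-foobar.

```python
"""Emulate fail2ban's failregex matching for the OpenVPN filter (added example)."""
import re
from collections import Counter

# fail2ban replaces the <HOST> placeholder with this capture group before
# compiling a failregex (the 0.8-era definition; assumed here, not quoted
# from the post).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the post's openvpn.conf, unchanged.
POST_FAILREGEX = [
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*",
]

# Variant written for this example: anchored at both ends and matching any
# syslog identifier of the form ovpn-<name>[pid], so it does not depend on the
# OpenVPN config being called server.conf.  The leading .* skips the syslog
# timestamp/hostname prefix, which this emulation does not strip.
ANCHORED_FAILREGEX = [
    r"^.*ovpn-[\w-]+\[\d+\]: <HOST>:[0-9]{4,5} TLS Auth Error:.*$",
    r"^.*ovpn-[\w-]+\[\d+\]: <HOST>:[0-9]{4,5} VERIFY ERROR:.*$",
    r"^.*ovpn-[\w-]+\[\d+\]: <HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$",
]

# Constructed syslog excerpt (not real traffic): 203.0.113.5 fails three times,
# 198.51.100.7 once, one legitimate connection, and one failure logged by a
# second instance started as ovpn-foobar.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 vpn ovpn-server[1234]: 203.0.113.5:51234 TLS Error: TLS handshake failed
Jan 10 12:00:05 vpn ovpn-server[1234]: 203.0.113.5:51240 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 10 12:00:09 vpn ovpn-server[1234]: 198.51.100.7:4000 VERIFY ERROR: depth=0, error=certificate has expired: CN=olduser
Jan 10 12:00:12 vpn ovpn-server[1234]: 203.0.113.5:51250 TLS Error: TLS handshake failed
Jan 10 12:00:15 vpn ovpn-server[1234]: 192.0.2.9:40000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.9:40000
Jan 10 12:00:20 vpn ovpn-foobar[2345]: 203.0.113.99:50001 TLS Error: TLS handshake failed
"""


def missing_host_group(patterns):
    """Patterns fail2ban rejects with "No 'host' group": they lack <HOST>."""
    return [p for p in patterns if "<HOST>" not in p]


def compile_failregex(patterns):
    """Expand <HOST> as fail2ban does and compile each pattern."""
    bad = missing_host_group(patterns)
    if bad:
        raise ValueError("No 'host' group in %r" % bad[0])
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def match_failures(log_text, patterns):
    """Return (line_number, host) for each line hit by any failregex.

    Like fail2ban, a line is counted once, for the first pattern that matches.
    """
    compiled = compile_failregex(patterns)
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((number, m.group("host")))
                break
    return hits


def hosts_to_ban(log_text, patterns, maxretry=3):
    """Addresses whose failure count reached maxretry (findtime ignored)."""
    counts = Counter(host for _, host in match_failures(log_text, patterns))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, patterns in (("post", POST_FAILREGEX), ("anchored", ANCHORED_FAILREGEX)):
        print("== %s failregex ==" % name)
        for number, host in match_failures(SAMPLE_SYSLOG, patterns):
            print("line %d -> %s" % (number, host))
        print("would ban:", hosts_to_ban(SAMPLE_SYSLOG, patterns))
```

The emulation ignores findtime and bantime; it only shows which address each pattern attributes a failure to, which lines are ignored (the successful "Peer Connection Initiated" line), and which addresses reach maxretry. With the post's patterns the ovpn-foobar line is silently missed, which is exactly the kind of gap fail2ban-regex against your real syslog would reveal.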

You can have fail2ban email you every time it bans an address by editing the action parameters in jail.local (the action_mw and action_mwl variants defined in jail.conf send a mail with whois information and, for action_mwl, the matching log lines). Personally, however, I prefer a less intrusive solution based on logwatch. Logwatch is another programme that monitors the log files on your system, but its job is to email you daily (or weekly, monthly, etc.) summaries of them. A simple way to make this set-up both convenient and secure is to have logwatch monitor the fail2ban logs and deliver its summaries to a local inbox, and then run a small script from a cron job that fetches these messages, encrypts them and sends them on to your actual email address.

Links

You may also want to check out refiddle to help you with those regular expressions.

8 comments to Block unauthorized OpenVPN logins using fail2ban

  • Niels S. Richthof

    Hi,

    I found a few issues with the failregex in your post.

    1) On our systems, OpenVPN logs into separate logfiles. The logfile format differs in that case.
    2) The above example will only work if the openvpn configuration file is called “server.conf”, if it was called “foobar.conf”, then the “ovpn-server” part will be “ovpn-foobar” in the syslog.
    3) It is important to use anchored failregex to avoid possible DoS, for example see CVE-2013-7176 and CVE-2013-7177

    Hence, this is what I changed your failregexes to:

    failregex = ^.*\s:[0-9]{4,5} TLS Auth Error:.*
                ^.*\s:[0-9]{4,5} VERIFY ERROR:.*$
                ^.*\s:[0-9]{4,5} TLS Error: TLS handshake failed.*$

    Hope that helps, have a nice day and thank you very much for your post – I found it very helpful.

    Niels

    • stefan.a

      Thank you for the useful information, Niels!

    • SYN

      Loading this failregex, your openvpn jail won't match anything. Checking your logs after restarting the fail2ban service, you should read something like:

      fail2ban[XXX]: ERROR NOK: ("No 'host' group in [regexpr]",)

      Patch being:

      [Definition]
      failregex = ^.*\s<HOST>:[0-9]{4,5} TLS Auth Error:.*
                  ^.*\s<HOST>:[0-9]{4,5} VERIFY ERROR:.*$
                  ^.*\s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$

      • stefan.a

        Thanks for the information, SYN. The expression works for me, but it’s possible that the way strings are parsed has changed between versions of fail2ban. Thanks for the correction!

  • Awesome, thank you both for this. A very nice addition to the cyber security arsenal.

  • I also found this useful but ended up using it only as an example for writing regex rules for strongswan. Working quite nicely!

    Thanks!!

    /etc/fail2ban/filter.d/strongswan.conf >

    # filter for strongswan VPN

    [Definition]

    failregex = [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.*.is initiating an IKE_SA
    [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.no EAP key found for hosts*
    [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.[A-Z]*-[A-Z]*-[A-z,0-9]*.verification failed\,*.retry*.\([0-9]{1}\)

    ignoreregex =

    /etc/fail2ban/jail.local >

    [strongswan]
    enabled = true
    port = 500,4500
    protocol = udp
    filter = strongswan
    logpath = /var/log/messages
    maxretry = 3

  • Oh I should mention, you need to enable the specific logging in strongswan:

    /etc/strongswan/ipsec.conf >
    charondebug="ike 2, knl 3, cfg 0"

    /etc/strongswan/strongswan.conf >

    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }

    Thanks

  • stefan.a

    Glad I could help! Thanks for the useful comment!
