Block unauthorized OpenVPN logins using fail2ban

This post has moved to https://read.stefanangrick.net/block-unauthorized-openvpn-logins-using-fail2ban. Please update your bookmarks.

8 comments to Block unauthorized OpenVPN logins using fail2ban

  • Niels S. Richthof

    Hi,

    I found a few issues with the failregex in your post.

    1) On our systems, OpenVPN logs into separate logfiles. The logfile format differs in that case.
    2) The above example will only work if the OpenVPN configuration file is called “server.conf”; if it were called “foobar.conf”, the “ovpn-server” part would be “ovpn-foobar” in the syslog.
    3) It is important to use an anchored failregex to avoid a possible DoS; for example, see CVE-2013-7176 and CVE-2013-7177.

    Hence, this is what I changed your failregexes to:


    failregex = ^.*\s:[0-9]{4,5} TLS Auth Error:.*
    ^.*\s:[0-9]{4,5} VERIFY ERROR:.*$
    ^.*\s:[0-9]{4,5} TLS Error: TLS handshake failed.*$

    Hope that helps, have a nice day and thank you very much for your post – I found it very helpful.

    Niels

    • stefan.a

      Thank you for the useful information, Niels!

    • SYN

      Loading this failregex, your openvpn jail won’t match anything. Checking your logs after restarting the fail2ban service, you should read something like:

      fail2ban[XXX]: ERROR NOK: ("No 'host' group in [regexpr]",)

      Patch being:

      [Definition]
      failregex = ^.*\s<HOST>:[0-9]{4,5} TLS Auth Error:.*
      ^.*\s<HOST>:[0-9]{4,5} VERIFY ERROR:.*$
      ^.*\s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$

      • stefan.a

        Thanks for the information, SYN. The expression works for me, but it’s possible that the way strings are parsed has changed between versions of fail2ban. Thanks for the correction!
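As an added example (not part of any comment above), a small Python harness that mimics how fail2ban loads a filter and applies it to constructed OpenVPN log lines: it refuses a failregex line without `<HOST>`, as SYN describes, and shows the anchored patterns matching a server.conf instance, a foobar.conf instance and OpenVPN's own non-syslog log format. The `<HOST>` expansion, the sample lines and the omission of timestamp handling are assumptions of this example.

```python
import re

# Constructed sample lines (not from the original post): syslog entries from
# server.conf and foobar.conf instances, plus one line in OpenVPN's own log format.
SAMPLE_LOG = """\
Mar  3 10:15:02 vpn ovpn-server[1234]: 203.0.113.7:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 10:15:09 vpn ovpn-server[1234]: 203.0.113.7:51234 VERIFY ERROR: depth=0, error=certificate has expired
Mar  3 10:16:40 vpn ovpn-foobar[1234]: 198.51.100.9:60001 TLS Error: TLS handshake failed
Mar  3 10:17:00 vpn ovpn-server[1234]: 192.0.2.5:44444 Peer Connection Initiated with [AF_INET]192.0.2.5:44444
Mon Mar  3 10:18:11 2025 203.0.113.7:51234 TLS Error: TLS handshake failed
"""

# Simplified stand-in (assumption) for the named group fail2ban substitutes for
# <HOST>; timestamp stripping is left out, so lines are matched as-is.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Anchored patterns in the shape SYN proposed; the process name is not pinned
# to ovpn-server, so ovpn-foobar and the non-syslog format match as well.
FAILREGEX = r"""
^.*\s<HOST>:[0-9]{4,5} TLS Auth Error:.*$
^.*\s<HOST>:[0-9]{4,5} VERIFY ERROR:.*$
^.*\s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$
"""
def compile_failregex(failregex: str):
    """Compile one pattern per line; fail2ban refuses any line lacking <HOST>."""
    patterns = []
    for line in failregex.strip().splitlines():
        line = line.strip()
        if "<HOST>" not in line:
            raise ValueError(f"No 'host' group in {line!r}")
        patterns.append(re.compile(line.replace("<HOST>", HOST_TAG)))
    return patterns
def filter_error(failregex: str):
    """Return the load error a filter would produce, or None if it loads."""
    try:
        compile_failregex(failregex)
    except ValueError as exc:
        return str(exc)
    return None
def match_failures(failregex: str, log: str):
    """Return the offending host from every log line a pattern matches."""
    patterns = compile_failregex(failregex)
    hosts = []
    for line in log.splitlines():
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hosts.append(match.group("host"))
                break
    return hosts
```

The fourth sample line (a successful connection) produces no hit, while the line written in OpenVPN's own log format still yields its peer address because the patterns do not depend on the syslog prefix.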

  • Awesome, thank you both for this. A very nice addition to the cyber security arsenal.

  • I also found this useful but ended up using it only as an example for writing regex rules for strongswan. Working quite nicely!

    Thanks!!

    /etc/fail2ban/filter.d/strongswan.conf >

    # filter for strongswan VPN

    [Definition]

    failregex = [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.*.is initiating an IKE_SA
    [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.no EAP key found for hosts*
    [A-z]*.charon-custom:*.[0-9]{2}\[IKE\]*.[A-Z]*-[A-Z]*-[A-z,0-9]*.verification failed\,*.retry*.\([0-9]{1}\)

    ignoreregex =

    /etc/fail2ban/jail.local >

    [strongswan]
    enabled = true
    port = 500,4500
    protocol = udp
    filter = strongswan
    logpath = /var/log/messages
    maxretry = 3

  • Oh I should mention, you need to enable the specific logging in strongswan:

    /etc/strongswan/ipsec.conf >
    charondebug="ike 2, knl 3, cfg 0"

    /etc/strongswan/strongswan.conf >

    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }

    Thanks

  • stefan.a

    Glad I could help! Thanks for the useful comment!
