Mitigating an OpenVPN Brute Force Attack with Fail2Ban on EdgeRouter

Tonight, I noticed numerous attempts from a variety of sources to log in to my OpenVPN server that I run on my EdgeRouter (ER-X-SFP) at home. Unfortunately, EdgeRouter doesn’t support any sort of blacklisting for OpenVPN natively, but it does allow the installation of Debian packages.

After playing a bit with Fail2Ban configuration, I’ve configured my router to block these repeated attempts automatically.

Step 1: Install Fail2Ban

Configure Debian repositories on EdgeRouter:

set system package repository jessie components 'main contrib non-free'
set system package repository jessie distribution jessie
set system package repository jessie url 'http://archive.debian.org/debian'

Update the package information and install Fail2Ban:

sudo apt-get update
sudo apt-get install fail2ban

Note: Do not ever use “apt-get upgrade” on an EdgeRouter.

Step 2: Configure Fail2Ban

Add the following files using sudo vi:

/etc/fail2ban/filter.d/openvpn.local

# Fail2Ban filter for selected OpenVPN rejections
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting
            ^%(__prefix_line)s<HOST>:\d+ TLS Auth Error
            ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$
            ^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR
ignoreregex = 

/etc/fail2ban/jail.local

# Fail2Ban configuration fragment for OpenVPN
[openvpn]
enabled  = true
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /var/log/messages
maxretry = 3
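To check what the filter above will actually catch before restarting the service, here is an added dry-run (example code, not part of the original post or of Fail2Ban) that expands the five failregex lines against constructed syslog-style lines and applies the jail's maxretry. The syslog prefix regex is a simplified stand-in for Fail2Ban's real `__prefix_line` from common.conf, and the host, PID and IP addresses in the sample are assumptions.

```python
"""Dry-run of the page's OpenVPN failregex set over constructed log lines."""
import re
from collections import Counter

# Simplified stand-in for fail2ban's common.conf __prefix_line (assumption):
# syslog timestamp, hostname, and 'openvpn[pid]: ' as found in /var/log/messages.
PREFIX = r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # stand-in for <HOST>, IPv4 only here

# The five patterns from /etc/fail2ban/filter.d/openvpn.local on this page,
# with %(__prefix_line)s and <HOST> expanded.
FAILREGEX = [re.compile(PREFIX + p) for p in (
    r"TLS Error: incoming packet authentication failed from \[AF_INET\]" + HOST + r":\d+$",
    HOST + r":\d+ Connection reset, restarting",
    HOST + r":\d+ TLS Auth Error",
    HOST + r":\d+ TLS Error: TLS handshake failed$",
    HOST + r":\d+ VERIFY ERROR",
)]

def match_host(line):
    """Return the offending IP if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=3):
    """Mimic the jail: count matches per host, return those reaching maxretry."""
    counts = Counter(h for h in map(match_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample of /var/log/messages (documentation IPs, not real traffic).
SAMPLE_LOG = """\
Sep  9 23:17:01 router openvpn[1234]: 203.0.113.7:51223 TLS Error: TLS handshake failed
Sep  9 23:17:09 router openvpn[1234]: TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51224
Sep  9 23:17:40 router openvpn[1234]: 203.0.113.7:51225 TLS Auth Error: Auth Username/Password verification failed for peer
Sep  9 23:18:02 router openvpn[1234]: 198.51.100.9:40000 VERIFY ERROR: depth=0, error=certificate has expired
Sep  9 23:18:05 router openvpn[1234]: 198.51.100.9:40001 Connection reset, restarting [0]
Sep  9 23:18:10 router openvpn[1234]: 192.0.2.5:1194 Peer Connection Initiated with [AF_INET]192.0.2.5:1194
Sep  9 23:18:11 router openvpn[1234]: Initialization Sequence Completed
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_host(line) or "-", line[:60])
    print("would ban:", hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

Only the host with three matching lines is reported; the one with two stays below the jail's threshold, which is the behaviour to expect from maxretry = 3.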

Step 3: Restart Fail2Ban and Observe Log

sudo service fail2ban restart
sudo cat /var/log/fail2ban.log

You should see that the openvpn jail was started. Since I’m under attack currently, I also see messages such as:

2018-09-09 23:18:13,481 fail2ban.actions[27638]: WARNING [openvpn] Ban 186.202.10.75
2018-09-09 23:18:15,749 fail2ban.actions[26453]: INFO    [openvpn] 186.202.10.75 already banned

Update

I’ve posted a follow-up article on how to make this persist through firmware upgrades.

Resources Used

I was able to pull this together with just some slight modification and compilation of materials that are already available:

Updates

  • 7 May 2019 – Updated repository URL to reflect that jessie has been moved to Debian archives.

5 Replies to “Mitigating an OpenVPN Brute Force Attack with Fail2Ban on EdgeRouter”

  1. You should note that your repositories should be set to wheezy and not jessie as the EdgeOS subsystem is on wheezy.

    #> cat /etc/os-release
    PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
    NAME="Debian GNU/Linux"
    VERSION_ID="7"
    VERSION="7 (wheezy)"
    ID=debian
    ANSI_COLOR="1;31"
    HOME_URL="http://www.debian.org/"
    SUPPORT_URL="http://www.debian.org/support/"
    BUG_REPORT_URL="http://bugs.debian.org/"

    1. I’d agree for most purposes. However, the package needed for this was not available in wheezy, if I recall correctly. I did, however, update this to reflect the new URL for the jessie repository.

  2. Why do you say ‘Note: Do not ever use “apt-get update” on an EdgeRouter’ when two lines after you instruct readers to run the following command: ‘sudo apt-get update’?
