Tonight, I noticed numerous attempts from a variety of sources to log in to my OpenVPN server that I run on my EdgeRouter (ER-X-SFP) at home. Unfortunately, EdgeRouter doesn’t support any sort of blacklisting for OpenVPN natively, but it does allow the installation of Debian packages.
After playing a bit with Fail2Ban configuration, I’ve configured my router to block these repeated attempts automatically.
Step 1: Install Fail2Ban
Configure Debian repositories on EdgeRouter:
    set system package repository jessie components 'main contrib non-free'
    set system package repository jessie distribution jessie
    set system package repository jessie url 'http://archive.debian.org/debian'
Update the package information and install Fail2Ban:
    sudo apt-get update
    sudo apt-get install fail2ban
Note: Do not ever use “apt-get upgrade” on an EdgeRouter.
Add the following files using sudo vi:
    # Fail2Ban filter for selected OpenVPN rejections
    #
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    # Example messages (other matched messages not seen in the testing server's logs):
    # Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]18.104.22.168:51223
    # Thu Aug 25 09:36:02 2016 22.214.171.124:58922 TLS Error: TLS handshake failed

    failregex = ^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
                ^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting
                ^%(__prefix_line)s<HOST>:\d+ TLS Auth Error
                ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$
                ^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR

    ignoreregex =
    # Fail2Ban configuration fragment for OpenVPN
    [openvpn]
    enabled = true
    port = 1194
    protocol = udp
    filter = openvpn
    logpath = /var/log/messages
    maxretry = 3
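To check the filter before relying on it, the following added example (not from the original post) runs the five failregex lines above over sample log lines in Python, the language Fail2Ban's patterns are written for, and applies the jail's maxretry. The prefix and `<HOST>` substitutions are simplified stand-ins for Fail2Ban's own, the log lines and addresses are constructed, and the findtime window is ignored.

```python
import re
from collections import Counter

# failregex lines copied from the filter above.
FAILREGEX = [
    r"^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting",
    r"^%(__prefix_line)s<HOST>:\d+ TLS Auth Error",
    r"^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR",
]
# Assumption: simplified stand-ins for what Fail2Ban substitutes itself.
PREFIX = r"\s*(?:\S+ )?(?:openvpn(?:\[\d+\])?: )?"  # hostname, daemon[pid]:
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"          # IPv4 only
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")  # syslog date
MAXRETRY = 3  # from the jail above
COMPILED = [re.compile(r.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for r in FAILREGEX]

# Constructed sample lines in syslog style (documentation address ranges).
SAMPLE = [
    "Sep  9 23:18:10 ubnt openvpn[1234]: 203.0.113.5:51223 TLS Error: TLS handshake failed",
    "Sep  9 23:18:11 ubnt openvpn[1234]: 203.0.113.5:51224 Connection reset, restarting [0]",
    "Sep  9 23:18:12 ubnt openvpn[1234]: TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.5:51225",
    "Sep  9 23:18:13 ubnt openvpn[1234]: 198.51.100.7:40000 VERIFY ERROR: depth=0",
    "Sep  9 23:18:14 ubnt openvpn[1234]: 192.0.2.10:1194 Peer Connection Initiated with [AF_INET]192.0.2.10:1194",
]

def failures(lines):
    """Count, per source address, the lines that match any failregex."""
    hits = Counter()
    for line in lines:
        body = TIMESTAMP.sub("", line, count=1)  # the date is removed before matching
        for rx in COMPILED:
            m = rx.search(body)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, even if several patterns match
    return hits

def would_ban(lines, maxretry=MAXRETRY):
    """Addresses whose failure count reaches maxretry."""
    return sorted(h for h, n in failures(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(failures(SAMPLE)))
    print("would ban:", would_ban(SAMPLE))
```

On the router itself, the fail2ban-regex tool shipped with Fail2Ban performs the real version of this check against the log file and the installed filter.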
Restart Fail2Ban and Observe Log
    sudo service fail2ban restart
    sudo cat /var/log/fail2ban.log
You should see that the openvpn jail was started. Since I’m under attack currently, I also see messages such as:
    2018-09-09 23:18:13,481 fail2ban.actions: WARNING [openvpn] Ban 126.96.36.199
    2018-09-09 23:18:15,749 fail2ban.actions: INFO [openvpn] 188.8.131.52 already banned
I was able to pull this together with just some slight modification and compilation of materials that are already available:
- 7 May 2019 – Updated repository URL to reflect that jessie has been moved to Debian archives.