Fail2Ban 0.8.x and OpenVPN 2.4.x – correctly detecting OpenVPN brute force attempts in FreePBX 14

Categories: FreePBX, OpenVPN

Issue:

On an install of FreePBX 14 with the responsive firewall and the OpenVPN server enabled, there is no mitigation against brute force attacks on the OpenVPN server, and /var/log/messages gets spammed with failed handshakes:

Feb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:49060 TLS: Initial packet from [AF_INET]103.37.x.x:49060, sid=6a22eb44 5adb63fe
Feb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:25678 TLS: Initial packet from [AF_INET]103.37.x.x:25678, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 TLS Error: TLS handshake failed
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:23377 TLS: Initial packet from [AF_INET]103.37.x.x:23377, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:28711 TLS: Initial packet from [AF_INET]103.37.x.x:28711, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40014 TLS: Initial packet from [AF_INET]103.37.x.x:40014, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:11702 TLS: Initial packet from [AF_INET]103.37.x.x:11702, sid=6a22eb44 5adb63fe
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 TLS Error: TLS handshake failed
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:15027 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:15027 TLS Error: TLS handshake failed

Solution:

1) Edit the OpenVPN server config to redirect logging away from /var/log/messages to keep things tidy.

Look for a log line in /etc/openvpn/sysadmin_server1.conf

There is none by default. Let’s add it

vi /etc/openvpn/sysadmin_server1.conf

append:

log /var/log/openvpn.log

2) Create a filter

vi /etc/fail2ban/filter.d/openvpn.conf

3) Paste the following:

[Definition]

failregex = <HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)

ignoreregex =

4) Modify /etc/fail2ban/jail.d/openvpn.local

vi /etc/fail2ban/jail.d/openvpn.local

Paste the following:

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
action = iptables-multiport[name=openvpn, protocol=udp, port=1194]
logpath = /var/log/openvpn.log
maxretry = 2

5) We do not write this into the existing /etc/fail2ban/jail.local because the FreePBX SysAdmin module overwrites /etc/fail2ban/jail.local.

fail2ban parses jail configs in this order:

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf, alphabetically
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local, alphabetically

Hence using /etc/fail2ban/jail.d/openvpn.local should work without being overwritten by GUI actions in the SysAdmin module.

6) Restart the OpenVPN server so the new log destination takes effect, then restart fail2ban:

systemctl restart openvpn@sysadmin_server1;systemctl restart fail2ban

7) Wait for some failed handshakes to occur and you will see the fail2ban log and the FreePBX SysAdmin GUI (Intrusion Detection) correctly detect and block the attacker’s IP address.
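To see which log lines the filter from step 3 actually scores, here is an added Python check (not part of the original post) that applies the same failregex, with <HOST> expanded to the default host pattern fail2ban 0.8.x substitutes for it (an assumption), to a constructed sample of /var/log/openvpn.log lines and reports which hosts reach maxretry = 2.

```python
import re
from collections import Counter

# The failregex from step 3, unchanged, with the <HOST> placeholder expanded to
# fail2ban 0.8.x's default host pattern (assumed here; it yields a "host" group).
FAILREGEX = (r"<HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed"
             r"|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)")
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

MAXRETRY = 2  # same value as the jail in step 4

# Constructed sample of /var/log/openvpn.log lines (documentation-range IPs).
# Only "TLS handshake failed" and "VERIFY ERROR" lines should count; the
# "Initial packet" and "key negotiation failed" lines are deliberately not scored.
SAMPLE_LOG = """\
Sun Feb  3 16:17:19 2019 203.0.113.5:49060 TLS: Initial packet from [AF_INET]203.0.113.5:49060, sid=6a22eb44 5adb63fe
Sun Feb  3 16:17:20 2019 203.0.113.5:40132 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Feb  3 16:17:20 2019 203.0.113.5:40132 TLS Error: TLS handshake failed
Sun Feb  3 16:17:20 2019 203.0.113.5:40132 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Feb  3 16:17:21 2019 203.0.113.5:35570 TLS Error: TLS handshake failed
Sun Feb  3 16:17:21 2019 203.0.113.5:15027 TLS Error: TLS handshake failed
Sun Feb  3 16:17:30 2019 198.51.100.7:51000 VERIFY ERROR: depth=0, error=certificate has expired
Sun Feb  3 16:17:45 2019 192.0.2.9:42000 TLS: Initial packet from [AF_INET]192.0.2.9:42000, sid=aabbccdd 11223344
"""


def matching_hosts(log_text):
    """Count failure lines per host, the way the filter scores them."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (fail2ban bans at >= maxretry within findtime)."""
    return sorted(h for h, n in matching_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LOG))   # Counter({'203.0.113.5': 3, '198.51.100.7': 1})
    print(hosts_to_ban(SAMPLE_LOG))     # ['203.0.113.5']
```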

Notes:

The fail2ban wiki has an example for /etc/fail2ban/filter.d/openvpn.conf that suggests:

[Definition]

failregex = ^ TLS Error: incoming packet authentication failed from [AF_INET]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =

This regex does not work with Fail2Ban v0.8.x and OpenVPN v2.4.x.

A feature request for FreePBX to do all of this natively exists.

The failregex line in step 3 should be on one line:

failregex = <HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)

  • Thank you for this. Definitely would be nice to have this as a standard feature of FreePBX.

    Note for anyone copying and pasting – make sure the openvpn.local file looks like this, or Fail2ban will not start. Basically, the enabled and logpath entries need to be moved to their own lines:

    [openvpn]
    enabled = true
    port = 1194
    protocol = udp
    filter = openvpn
    action = iptables-multiport[name=openvpn, protocol=udp, port=1194]
    logpath = /var/log/openvpn.log
    maxretry = 2
