{"id":160,"date":"2019-02-10T00:19:23","date_gmt":"2019-02-10T00:19:23","guid":{"rendered":"https:\/\/7dc.org\/?p=160"},"modified":"2019-02-10T00:52:02","modified_gmt":"2019-02-10T00:52:02","slug":"fail2ban-v0-8-x-and-openvpn-2-4-x-and-correctly-detecting-openvpn-brute-force-attempts-in-freepbx-14","status":"publish","type":"post","link":"https:\/\/7dc.org\/index.php\/2019\/02\/10\/fail2ban-v0-8-x-and-openvpn-2-4-x-and-correctly-detecting-openvpn-brute-force-attempts-in-freepbx-14\/","title":{"rendered":"Fail2Ban 0.8.x and OpenVPN 2.4.x – correctly detecting OpenVPN brute force attempts in FreePBX 14"},"content":{"rendered":"

Issue:<\/strong><\/h3>\n

On an install of FreePBX 14 with responsive firewall and OpenVPN server enabled there is no mitigation against brute force attacks against the OpenVPN server. \/var\/log\/messages is getting spammed with failed handshakes:<\/h4>\n

Feb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:49060 TLS: Initial packet from [AF_INET]103.37.x.x:49060, sid=6a22eb44 5adb63fe
\nFeb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:25678 TLS: Initial packet from [AF_INET]103.37.x.x:25678, sid=6a22eb44 5adb63fe
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 TLS Error: TLS handshake failed
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 SIGUSR1[soft,tls-error] received, client-instance restarting
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:23377 TLS: Initial packet from [AF_INET]103.37.x.x:23377, sid=6a22eb44 5adb63fe
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:28711 TLS: Initial packet from [AF_INET]103.37.x.x:28711, sid=6a22eb44 5adb63fe
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40014 TLS: Initial packet from [AF_INET]103.37.x.x:40014, sid=6a22eb44 5adb63fe
\nFeb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:11702 TLS: Initial packet from [AF_INET]103.37.x.x:11702, sid=6a22eb44 5adb63fe
\nFeb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
\nFeb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 TLS Error: TLS handshake failed
\nFeb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 SIGUSR1[soft,tls-error] received, client-instance restarting
\nFeb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:15027 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
\nFeb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:15027 TLS Error: TLS handshake failed<\/em><\/p>\n

Solution:<\/strong><\/h3>\n

1) Edit the OpenVPN server config to redirect logging away from \/var\/log\/messages to keep things tidy.<\/h4>\n

Look for a log line in \/etc\/openvpn\/sysadmin_server1.conf<\/h4>\n

There is none by default. Let’s add it<\/h4>\n

vi \/etc\/openvpn\/sysadmin_server1.conf<\/code><\/strong><\/p>\n

append:<\/h4>\n

log \/var\/log\/openvpn.log<\/code><\/strong><\/p>\n

2) Create a filter<\/h4>\n

vi \/etc\/fail2ban\/filter.d\/openvpn.conf<\/code><\/strong><\/p>\n

3) Paste the following:<\/h4>\n

[Definition]<\/code><\/strong><\/p>\n

failregex = <HOST>:\\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)<\/code><\/strong>
\n<\/code><\/p>\n

ignoreregex =<\/strong><\/code><\/p>\n

4) Modify \/etc\/fail2ban\/jail.d\/openvpn.local<\/h4>\n

vi \/etc\/fail2ban\/jail.d\/openvpn.local<\/code><\/strong><\/p>\n

Paste the following:<\/h4>\n

[openvpn]
\nenabled = true
\nport = 1194
\nprotocol = udp
\nfilter = openvpn
\naction = iptables-multiport[name=openvpn, protocol=udp, port=1194]
\nlogpath = \/var\/log\/openvpn.log
\nmaxretry = 2<\/code><\/strong><\/p>\n

5) We do not write this into the existing \/etc\/fail2ban\/jail.local because the FreePBX SysAdmin module will overwrite \/etc\/fail2ban\/jail.local<\/h4>\n

fail2ban parses jail configs in this order:<\/h4>\n

\/etc\/fail2ban\/jail.conf
\n\/etc\/fail2ban\/jail.d\/*.conf, alphabetically
\n\/etc\/fail2ban\/jail.local
\n\/etc\/fail2ban\/jail.d\/*.local, alphabetically<\/em><\/p>\n

Hence using \/etc\/fail2ban\/jail.d\/openvpn.local should work without being overwritten by GUI actions in the SysAdmin module.<\/h4>\n

6) Restart openvpn server to make the new log destination take effect and restart fail2ban<\/h4>\n

systemctl restart openvpn@sysadmin_server1;systemctl restart fail2ban<\/code><\/strong><\/p>\n

7) Wait for some failed handshakes to occur and you will see fail2ban log and FreePBX SysAdmin GUI (Intrustion Detection) correctly detect and block the attacker’s IP address.<\/h4>\n

Notes:<\/strong><\/h3>\n

The fail2ban wiki<\/a> has an example for \/etc\/fail2ban\/filter.d\/openvpn.conf that suggests:<\/h4>\n

[Definition]<\/em><\/p>\n

failregex = ^ TLS Error: incoming packet authentication failed from [AF_INET]:\\d+$
\n^ :\\d+ Connection reset, restarting
\n^ :\\d+ TLS Auth Error
\n^ :\\d+ TLS Error: TLS handshake failed$
\n^ :\\d+ VERIFY ERROR<\/p>\n

ignoreregex =<\/p>\n

This Regex does not work<\/a> with Fail2Ban v0.8.x and OpenVPN v2.4.x.<\/h4>\n

A feature request for FreePBX to do all of this natively exists<\/a>.<\/h4>\n

The\u00a0 failregex line in step 3 should be on one line
\n<\/strong><\/h4>\n

\"failregex = <HOST>:\\d+ (Connection reset,
\nrestarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY
\nERROR|WARNING: Bad encapsulated packet length)\"<\/code><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Issue: On an install of FreePBX 14 with responsive firewall and OpenVPN server enabled there is no mitigation against brute force attacks against the OpenVPN server. \/var\/log\/messages is getting spammed with failed handshakes: Feb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:49060 TLS: Initial packet from [AF_INET]103.37.x.x:49060, sid=6a22eb44 5adb63fe Feb 3 16:17:19 voipserver234 … Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9],"tags":[],"class_list":["post-160","post","type-post","status-publish","format-standard","hentry","category-freepbx","category-openvpn"],"_links":{"self":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts\/160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/comments?post=160"}],"version-history":[{"count":16,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts\/160\/revisions"}],"predecessor-version":[{"id":181,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/posts\/160\/revisions\/181"}],"wp:attachment":[{"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/media?parent=160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/categories?post=160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/7dc.org\/index.php\/wp-json\/wp\/v2\/tags?post=160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}