atomicamp DD-WRT User
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Thu Jan 19, 2023 5:58 Post subject: help with fail2ban filter for openvpn server on port 1194
I just installed Entware on a DD-WRT router running OpenVPN server. I am trying to install a proper OpenVPN filter for fail2ban at /opt/etc/fail2ban/filter.d/openvpn.conf, but am having problems modifying the regex filter posted at https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN so that it's tailored to the DD-WRT version of the system logs.
First, I'm not sure what the proper log path would be to set in /opt/etc/fail2ban/jail.local. It looks like the proper log path is different from a typical Debian logpath of . Am I correct in thinking the proper DD-WRT log path is /tmp/var/log/messages?
Second, in the fail2ban wiki, they say a Debian named should look like this:
Code:
# Fail2Ban filter for selected OpenVPN rejections
#
#
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
and its corresponding jail.d/openvpn.conf file should look like this:
Code:
# Fail2Ban configuration fragment for OpenVPN
[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
I'm assuming I first need to change the log path in the jail.d/openvpn.conf file to /tmp/var/log/messages, correct?
Secondly, if this is true, I don't think the regex they are using matches up with how my logs look in the DD-WRT version of the system logs (i.e. /tmp/var/log/messages). I do not understand regex at all and really need some help tailoring the fail2ban wiki filter.conf file to meet the requirements of DD-WRT logs.
Here is what my /tmp/var/log/messages file looks like after an unauthorized user tries to log into my OpenVPN server:
Code:
root@ddwrt:/ cat /tmp/var/log/messages
Jan 18 20:33:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed
Jan 18 20:33:26 DD-WRT-HOST daemon.notice openvpn[32361]: 95.90.233.246:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: MULTI: multi_create_instance called
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Re-using SSL/TLS context
Jan 18 20:34:05 DD-WRT-HOST daemon.warn openvpn[32361]: 24.50.232.200:80 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 TLS: Initial packet from [AF_INET]24.50.232.200:80, sid=6a22eb44 5adb63fe
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS handshake failed
Jan 18 20:34:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: MULTI: multi_create_instance called
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Re-using SSL/TLS context
Jan 18 20:34:09 DD-WRT-HOST daemon.warn openvpn[32361]: 24.50.232.25:80 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:34:20 DD-WRT-HOST kern.warn kernel: [374190.672266] DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:78:6a:1f:b9:14:20:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=36756 DF OPT (94040000) PROTO=2 MARK=0x100000
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
How can I modify/tailor THIS filter:
Code:
# Fail2Ban filter for selected OpenVPN rejections
#
#
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
to match and express itself cohesively with my DD-WRT logs, so it works with the OpenVPN server on DD-WRT? Thanks for any help!
_________________
DanRanRocks - Tech Tutorials by Dan Ran
https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on Keybase! and Add me on Keybase
Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)"
atomicamp DD-WRT User
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Thu Jan 26, 2023 18:01 Post subject:
ho1Aetoo wrote:
I don't use OpenVPN, but if DD-WRT doesn't create an extra openvpn.log then /tmp/var/log/messages is correct.
Just copy the jail.conf and save it as jail.local,
then put the following in the jail.local:
Code:
[openvpn]
port = 1194
protocol = udp
filter = openvpn
logpath = /tmp/var/log/messages
Other parameters like maxretry are already included in jail.conf/.local.
Then create the jail.d/openvpn.conf file:
Code:
[openvpn]
enabled = true
And then you have to create and adjust the filter rules (which obviously refer to an old OpenVPN version).
filter.d/openvpn.conf:
Code:
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
The marked regex should be correct; I see it in your logs.
But no idea, you just have to test it yourself.
Thanks a ton! This was very helpful. I am glad you confirmed that the marked regex is correct and should be compatible with my logs. That was my primary concern, as I found DD-WRT OpenVPN logs to be and look different from Ubuntu/Debian OpenVPN logs. So the fact that, after looking at my logs, you can confirm this regex should work and is compatible with my logs is great to hear. I will be testing this configuration in the next few days and report back to you. Thanks again for such a thorough answer!
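Before trusting a failregex on the router, it helps to see exactly what fail2ban matches against. fail2ban strips the detected date from each line and then applies the failregex, with `<HOST>` expanded to a capturing group; on DD-WRT the remainder of the line still carries the syslog prefix (`DD-WRT-HOST daemon.err openvpn[32361]: `) that the wiki's Debian examples do not have. The script below is an added example (my own code, not from fail2ban, the wiki or either poster) that emulates that matching over sample lines constructed after the `/tmp/var/log/messages` excerpt in the thread. `PREFIX` is my simplified stand-in for the `%(__prefix_line)s` that fail2ban's `common.conf` supplies, the second DD-WRT pattern (for the "TLS key negotiation failed" line that appears in the posted logs but not in the wiki filter) is my addition, and `findtime` windows are ignored, so this is a test harness for the regex, not a replacement for fail2ban.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /tmp/var/log/messages excerpt posted in the
# thread (same line shapes; repetition chosen so one source reaches maxretry).
SAMPLE_LOG = """\
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed
Jan 18 20:33:26 DD-WRT-HOST daemon.notice openvpn[32361]: 95.90.233.246:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS handshake failed
Jan 18 20:34:20 DD-WRT-HOST kern.warn kernel: [374190.672266] DROP IN=eth0 OUT= SRC=192.168.1.254 DST=224.0.0.1 PROTO=2
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
"""

# fail2ban replaces <HOST> with a named group; this is its IPv4/hostname form.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp at the start of every DD-WRT line ("Jan 18 20:34:05").
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")

# Assumption: a simplified version of fail2ban's __prefix_line for these lines,
# i.e. "<hostname> <facility.level> openvpn[<pid>]: " with every part optional.
PREFIX = r"\s*(?:\S+ )?(?:[a-z]+\.[a-z]+ )?(?:openvpn(?:\[\d+\])?: )?"

# The wiki filter's handshake line, verbatim.
WIKI_REGEX = r"^ <HOST>:\d+ TLS Error: TLS handshake failed$"

# DD-WRT-oriented filter: the wiki line plus the key-negotiation timeout seen in
# the posted logs (the second pattern is my addition, not from the wiki).
DDWRT_FAILREGEX = [
    WIKI_REGEX,
    r"^ <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within \d+ seconds",
]


def compile_failregex(failregex, prefix=""):
    """Expand <HOST> as fail2ban does and optionally insert a syslog prefix after '^'."""
    body = failregex.replace("<HOST>", HOST)
    if prefix:
        # Filters written for syslog put %(__prefix_line)s right after '^'; the wiki's
        # leading space is dropped because the prefix already ends at the message start.
        body = "^" + prefix + body[1:].lstrip()
    return re.compile(body)


def strip_date(line):
    """Drop the syslog timestamp, as fail2ban's date detector does before failregex runs."""
    m = SYSLOG_DATE.match(line)
    return line[m.end():] if m else line


def matching_hosts(log_text, failregexes, prefix=""):
    """Return the <HOST> captured by the first failregex matching each line, in log order."""
    compiled = [compile_failregex(fr, prefix) for fr in failregexes]
    hosts = []
    for line in log_text.splitlines():
        rest = strip_date(line)
        for rx in compiled:
            m = rx.match(rest)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def offenders(log_text, failregexes, prefix="", maxretry=3):
    """Hosts that reach maxretry matches: what the jail would hand to its ban action."""
    counts = Counter(matching_hosts(log_text, failregexes, prefix))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("wiki regex, no syslog prefix:", matching_hosts(SAMPLE_LOG, [WIKI_REGEX]))
    print("wiki regex, with prefix:     ", matching_hosts(SAMPLE_LOG, [WIKI_REGEX], PREFIX))
    print("DD-WRT filter, maxretry=3:   ", offenders(SAMPLE_LOG, DDWRT_FAILREGEX, PREFIX))
```

Run it with `python3`: the wiki pattern alone matches nothing, because after the date is stripped the line begins with `DD-WRT-HOST daemon.err openvpn[32361]:` rather than with the client address; with the prefix accounted for, every handshake failure yields its source address and `24.50.232.200` is the only one that reaches `maxretry = 3`. In a real filter the equivalent is `[INCLUDES]` / `before = common.conf`, `_daemon = openvpn`, and `failregex = ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$`; the authoritative check on the router is `fail2ban-regex /tmp/var/log/messages /opt/etc/fail2ban/filter.d/openvpn.conf`, which reports the matched lines and captured hosts.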