help with fail2ban filter for openvpn server on port 1194

Author Message
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Thu Jan 19, 2023 5:58    Post subject: help with fail2ban filter for openvpn server on port 1194
I just installed Entware on a ddwrt router running openvpn server. I am trying to install a proper openvpn filter for fail2ban at /opt/etc/fail2ban/filter.d/openvpn.conf, but am having problems modifying the regex filter posted at https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN so that it's tailored towards the ddwrt version of the system logs.

First, I'm not sure what the proper log path would be to set in /opt/etc/fail2ban/jail.local. It looks like the proper log path is different from a typical Debian logpath of /var/log/syslog. Am I correct in thinking the proper ddwrt log path is /tmp/var/log/messages?

Second, in the fail2ban wiki, they say a Debian file named openvpn.conf should look like this:

Code:
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =


and its corresponding jail.d/openvpn.conf file should look like this:

Code:
# Fail2Ban configuration fragment for OpenVPN
[openvpn]
enabled  = true
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /var/log/openvpn.log
maxretry = 3


I'm assuming I first need to change the log path in the jail.d/openvpn.conf file to /tmp/var/log/messages, correct?

Secondly, if this is true, I don't think the regex they are using matches up with how my logs look in the DDWRT version of system logs (i.e. /tmp/var/log/messages). I do not understand regex at all and really need some help tailoring the fail2ban wiki filter.conf file to meet the requirements of ddwrt logs.

Here is what my /tmp/var/log/messages file looks like after an unauthorized user tries to log into my openvpn server:

Code:

root@ddwrt:/ cat /tmp/var/log/messages

Jan 18 20:33:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed
Jan 18 20:33:26 DD-WRT-HOST daemon.notice openvpn[32361]: 95.90.233.246:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: MULTI: multi_create_instance called
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Re-using SSL/TLS context
Jan 18 20:34:05 DD-WRT-HOST daemon.warn openvpn[32361]: 24.50.232.200:80 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 TLS: Initial packet from [AF_INET]24.50.232.200:80, sid=6a22eb44 5adb63fe
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS handshake failed
Jan 18 20:34:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: MULTI: multi_create_instance called
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Re-using SSL/TLS context
Jan 18 20:34:09 DD-WRT-HOST daemon.warn openvpn[32361]: 24.50.232.25:80 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:34:20 DD-WRT-HOST kern.warn kernel: [374190.672266] DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:78:6a:1f:b9:14:20:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=36756 DF OPT (94040000) PROTO=2 MARK=0x100000
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed


How can I modify/tailor THIS filter:
Code:
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =


to match and express itself cohesively with my ddwrt logs, so it works with openvpn server on DDWRT? Thanks for any help!

_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)
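As an added check, not code from this thread or from fail2ban, here is a small Python stand-in for the fail2ban-regex step, run over constructed lines in the DD-WRT syslog format shown above: it strips the date the way fail2ban does and then tries the wiki's handshake-failed regex beside a syslog-aware variant. The IPs come from the posted log; the timestamps, the kernel line and the last failure line are constructed, and `HOST` and `SYSLOG_PREFIX` are simplified assumptions standing in for fail2ban's `<HOST>` and `%(__prefix_line)s`.

```python
import re

# Constructed sample in the DD-WRT syslog format from the thread (IPs from the
# posted log; timestamps, the kernel line and the last failure are made up).
SAMPLE_LOG = """\
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed
Jan 18 20:33:26 DD-WRT-HOST daemon.notice openvpn[32361]: 95.90.233.246:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:34:20 DD-WRT-HOST kern.warn kernel: [374190.672266] DROP IN=eth0 OUT= SRC=192.168.1.254 DST=224.0.0.1
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:36:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
"""

# fail2ban finds the date first and tests failregex against the remainder, so
# for a syslog line the remainder begins " DD-WRT-HOST daemon.err openvpn[...".
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d")

# Stand-in for fail2ban's <HOST> (IPv4 only; the real one also does IPv6/hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# From the fail2ban wiki: written for OpenVPN's own log file, where the client
# address directly follows the timestamp.
WIKI_REGEX = r"^ <HOST>:\d+ TLS Error: TLS handshake failed$"

# Syslog-aware variant: "hostname facility.level openvpn[pid]: " before the host,
# the role %(__prefix_line)s plays in fail2ban's own filters (assumed simplification).
SYSLOG_PREFIX = r"^\s*\S+ \S+ openvpn\[\d+\]: "
SYSLOG_REGEX = SYSLOG_PREFIX + r"<HOST>:\d+ TLS Error: TLS handshake failed$"


def matched_hosts(log_text, failregex):
    """Hosts fail2ban would count as failures for one failregex, in log order."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))  # expand <HOST>
    hosts = []
    for line in log_text.splitlines():
        rest = SYSLOG_DATE.sub("", line, count=1)  # what fail2ban matches against
        m = pattern.search(rest)
        if m:
            hosts.append(m.group("host"))
    return hosts


def ban_candidates(log_text, failregex, maxretry=3):
    """Hosts reaching maxretry failures (findtime is ignored in this stand-in)."""
    counts = {}
    for host in matched_hosts(log_text, failregex):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

The real check is the fail2ban-regex tool run against /tmp/var/log/messages and the filter file, which reports which lines each failregex matched.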
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Thu Jan 19, 2023 10:50    Post subject:
I don't use openvpn, but if dd-wrt doesn't create an extra openvpn.log, then /tmp/var/log/messages is correct.

Just copy the jail.conf and save it as jail.local,
then put the following in the jail.local:

Code:
[openvpn]
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /tmp/var/log/messages


other parameters like maxretry are already included in jail.conf/.local

then create the jail.d/openvpn.conf file

Code:
[openvpn]
enabled  = true


and then you have to create and adjust the filter rules (which obviously refer to an old openvpn version).

filter.d/openvpn.conf

    [Definition]

    # Example messages (other matched messages not seen in the testing server's logs):
    # Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
    # Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

    failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
    ^ <HOST>:\d+ Connection reset, restarting
    ^ <HOST>:\d+ TLS Auth Error
    ^ <HOST>:\d+ TLS Error: TLS handshake failed$
    ^ <HOST>:\d+ VERIFY ERROR

    ignoreregex =


The marked regex should be correct; I see it in your logs.
But no idea, you just have to test it yourself.
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Thu Jan 26, 2023 18:01    Post subject:
ho1Aetoo wrote:
I don't use openvpn, but if dd-wrt doesn't create an extra openvpn.log, then /tmp/var/log/messages is correct.

Just copy the jail.conf and save it as jail.local,
then put the following in the jail.local:

Code:
[openvpn]
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /tmp/var/log/messages


other parameters like maxretry are already included in jail.conf/.local

then create the jail.d/openvpn.conf file

Code:
[openvpn]
enabled  = true


and then you have to create and adjust the filter rules (which obviously refer to an old openvpn version).

filter.d/openvpn.conf

    [Definition]

    # Example messages (other matched messages not seen in the testing server's logs):
    # Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
    # Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

    failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
    ^ <HOST>:\d+ Connection reset, restarting
    ^ <HOST>:\d+ TLS Auth Error
    ^ <HOST>:\d+ TLS Error: TLS handshake failed$
    ^ <HOST>:\d+ VERIFY ERROR

    ignoreregex =


The marked regex should be correct; I see it in your logs.
But no idea, you just have to test it yourself.


Thanks a ton! This was very helpful. I am glad you confirmed that the marked REGEX is correct and should be compatible with my logs. That was my primary concern, as I found ddwrt ovpn logs to be and look different than ubuntu/debian ovpn logs. So the fact that, after looking at my logs, you can confirm this REGEX should work and is compatible with my logs is great to hear. I will be testing this configuration in the next few days and report back to you. Thanks again for such a thorough answer!

atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Sat Feb 04, 2023 19:21    Post subject:
ho1Aetoo wrote:
I don't use openvpn, but if dd-wrt doesn't create an extra openvpn.log, then /tmp/var/log/messages is correct.

Just copy the jail.conf and save it as jail.local,
then put the following in the jail.local:

Code:
[openvpn]
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /tmp/var/log/messages


other parameters like maxretry are already included in jail.conf/.local

then create the jail.d/openvpn.conf file

Code:
[openvpn]
enabled  = true


and then you have to create and adjust the filter rules (which obviously refer to an old openvpn version).

filter.d/openvpn.conf

    [Definition]

    # Example messages (other matched messages not seen in the testing server's logs):
    # Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
    # Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

    failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
    ^ <HOST>:\d+ Connection reset, restarting
    ^ <HOST>:\d+ TLS Auth Error
    ^ <HOST>:\d+ TLS Error: TLS handshake failed$
    ^ <HOST>:\d+ VERIFY ERROR

    ignoreregex =


The marked regex should be correct; I see it in your logs.
But no idea, you just have to test it yourself.


I tried this configuration, but I'm pretty sure fail2ban is not running because there is no file at /opt/var/log/fail2ban.log. I'm not exactly sure how to start fail2ban even though I have
Code:
sleep 10
/opt/etc/init.d/rc.unslung start

in my startup configuration. It doesn't seem like fail2ban is starting or running. Any tips?

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Feb 04, 2023 19:23    Post subject:
Maybe you should read your other thread?

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1279743#1279743

And saving the script in the "startup" is surely wrong.