read.stefanangrick

Block unauthorized OpenVPN logins using fail2ban

Monitoring a server can be a lot of work, but thankfully handy tools like fail2ban or logwatch make the task a lot easier. Fail2ban, for example, monitors the log files of services running on your system and blocks incoming connections when it detects a break-in attempt (using iptables or hosts.deny). These need to be defined using a regex filter, and while a great number of templates are already available for the most-used services (Apache, SSH, etc.), OpenVPN thus far has not been included. Setting this up isn't too difficult, though.px.gif

Create a file openvpn.conf in /etc/fail2ban/filter.d/with the following content:

[Definition] failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*      [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*      [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*

Set up a local configuration file for fail2ban by running cp -ivra /etc/fail2ban/jail.conf /etc/fail2ban/jail.local and open /etc/fail2ban/jail.local and add the following at the end of the file:

[openvpn] enabled = true port = 1194 protocol = udp filter = openvpn logpath = /var/log/syslog maxretry = 3

Finally, run /etc/init.d/fail2ban restart to restart fail2ban and make the changes take effect. Note that this set-up assumes that your OpenVPN server logs go to syslog. Also note that, in case you want to modify the filter rules, each failregex line must contain the <HOST> tag, otherwise even valid regex rules will not work, since fail2ban won't know which address to block (use the fail2ban-regex tool to check if your detection rules are working: fail2ban-regex logfile.log /etc/fail2ban/filter.d/openvpn.conf).

You can set up fail2ban to email you each time there has been a break-in attempt by further editing the parameters in jail.local. Personally, however, I prefer a less intrusive solution based on logwatch. Logwatch is another programme that monitors log files on your system, but its job is to email you daily (or weekly, monthly, etc.) summaries of them. A simple way to make this set-up both convenient and secure is by configuring logwatch to monitor fail2ban logs, deliver summaries to a local inbox and run a batch script via a cron to fetch these messages, encrypt them and send them to your actual email address.

Links

You may also want to check out refiddle to help you with those regular expressions.

Originally published 30 March 2014.