Hi Steve

Try adding the following to your pf.conf:

# table that the overload option fills; "persist" keeps it across rule reloads
table <bruteforce> persist

# must sit before the pass rule: drop everything from hosts already listed
block in quick on $ext_if from <bruteforce>

# the parenthesised state options are only accepted after an explicit
# "keep state"; max-src-conn and max-src-conn-rate count completed TCP
# handshakes only, so this rule does not cover OpenVPN listening on UDP 1194
pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
        keep state (max-src-conn 10, max-src-conn-rate 30/5, \
        overload <bruteforce> flush global)

T

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Steve Fairhead
Sent: 19 December 2018 21:27
To: misc@openbsd.org
Subject: blocking openvpn port scanners

I'm probably missing something obvious. Cluebats invited.

A few OpenBSD servers I look after have OpenVPN server installed (for 
homeworkers' access), which means port 1194 is open. Recently they seem to have 
appeared on some scumbag's "hack this" list, as they're constantly deluged with 
brute-force hack attacks. A snippet from openvpn.log:

 >>
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS key 
negotiation failed to occur within 60 seconds (check your network 
connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake 
failed
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS key 
negotiation failed to occur within 60 seconds (check your network 
connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS handshake 
failed
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS key 
negotiation failed to occur within 60 seconds (check your network 
connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS handshake 
failed
<<

(IP addresses obscured to protect the sinner - no, wait...) (And logfile 
filtered by "failed".)

For now, I manually log the above IPs and add them to a badhosts file - 
no more access of any kind for you, mwahaha. But it's a lot of work, and 
my logfile is just noise...

I already use pf.conf to protect my ssh port against such attacks 
(rate-limiting). Can I do anything similar with pf for the openvpn port? 
Don't want to block real users if they screw up once or twice... 
although they are few enough that I can be super-aggressive in denying 
access, and sort it out by phone...

Maybe I shouldn't even worry about it, but I'd really like to hit back. 
(See above re "mwahaha".)

Steve
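The manual step described above (pulling the offending addresses out of openvpn.log and feeding them to a block list) can be scripted. The following is an added example, not code from either poster or from the OpenVPN or OpenBSD projects. It parses the "TLS handshake failed" lines in the format the excerpt shows, counts failures per source address inside a sliding time window, and builds the pfctl command that adds the offenders to the <bruteforce> table used by the pf rule in the reply. The log lines, the documentation-range IP addresses, the threshold, the window and the table name are all assumptions chosen for the example; the pfctl -t/-T add syntax is the real one from pfctl(8).

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the excerpt in the thread (not a real log).
# 192.0.2.17 fails three times in one second, 198.51.100.7 twice over an
# hour, 203.0.113.9 once (a newer OpenVPN prefixes the peer with [AF_INET]).
SAMPLE_LOG = """\
Wed Dec 19 18:28:53 2018 192.0.2.17:55881 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 192.0.2.17:55881 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 192.0.2.17:64379 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 192.0.2.17:64379 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 192.0.2.17:27493 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 192.0.2.17:27493 TLS Error: TLS handshake failed
Wed Dec 19 18:30:10 2018 198.51.100.7:40001 TLS Error: TLS handshake failed
Wed Dec 19 19:45:02 2018 198.51.100.7:40002 TLS Error: TLS handshake failed
Wed Dec 19 18:31:00 2018 [AF_INET]203.0.113.9:5000 TLS Error: TLS handshake failed
"""

# Only the "handshake failed" line is counted; the "key negotiation failed"
# line that precedes it refers to the same attempt and would double count.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:\[AF_INET\])?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"TLS Error: TLS handshake failed$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every handshake-failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["ip"]


def offenders(log_text, threshold=3, window=timedelta(minutes=10),
              allow=frozenset()):
    """Return the sorted source IPs that failed the TLS handshake at least
    `threshold` times within any `window`; addresses in `allow` (the known
    homeworkers, an assumed list) are never reported, however often they fail."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        if ip not in allow:
            by_ip[ip].append(ts)

    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        # sliding window over the sorted timestamps of this source
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return sorted(bad)


def pfctl_command(ips, table="bruteforce"):
    """Build the pfctl argv that adds `ips` to the named pf table, or None
    when there is nothing to add.  Run it as root, e.g. from a cron job."""
    if not ips:
        return None
    return ["pfctl", "-t", table, "-T", "add", *ips]


if __name__ == "__main__":
    # Read openvpn.log from stdin if given, else use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    cmd = pfctl_command(offenders(text))
    print(" ".join(cmd) if cmd else "nothing to block")
```

Addresses added by hand this way are not expired by the pf rule's overload logic, so pair the script with a periodic `pfctl -t bruteforce -T expire <seconds>` if the table should not grow forever.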

