Re: [Openvpn-users] need some form of anti-DOS in openvpn?
Hi

On 12.08.2015 at 04:12, Jason Haar wrote:
> Hi there
> ...
> Not much to go on I know, but could there be some way for openvpn server to keep track of something like "timestamp:externalIP:cert" and basically start ignoring new sessions if it sees more than one every XX seconds? That would reduce the damage such events cause (note I don't include ports in my suggestion because an openvpn server may have multiple ports available to all clients - so they're not unique)

The script might do this just the same. This would avoid having to wait for an implementation in openvpn, which might break behaviour too.

cheers
ET

--
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] need some form of anti-DOS in openvpn?
On 12/08/15 20:20, Erich Titl wrote:
>
> The script might do this just the same. This would avoid having to
> wait for an implementation in openvpn, which might break behaviour too.
>
Well yeah - but it's the calling hundreds of scripts per minute that are causing the load :-)

...but you are correct, I'm already looking into changing the scripts to try to pick up earlier that there's a problem with the new session, and ditch

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] need some form of anti-DOS in openvpn?
Hi

On 12.08.2015 at 11:18, Jason Haar wrote:
> On 12/08/15 20:20, Erich Titl wrote:
>> The script might do this just the same. This would avoid having to wait for an implementation in openvpn, which might break behaviour too.
> Well yeah - but it's the calling hundreds of scripts per minute that are causing the load :-)
> ...but you are correct, I'm already looking into changing the scripts to try to pick up earlier that there's a problem with the new session, and ditch

You may want to mess around with the sticky bit on those scripts.

cheers
ET
Re: [Openvpn-users] need some form of anti-DOS in openvpn?
Hi,

On Wed, Aug 12, 2015 at 01:20:38PM +0200, Erich Titl wrote:
> You may want to mess around with the sticky bit on those scripts.

I have my doubts that this would be doing anything at all on a recent unix or linux - and even then, it won't stop recompilation of the script on each call, which is way more expensive than "read from buffer cache" (where it will be unless you're extremely memory starved)

gert
--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                              g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[Openvpn-users] Inserting hmac/tls-auth onto a production OpenVPN Server
Hi all,

I'm now hardening our OpenVPN Production Server.
I've managed to harden all required aspects, except the HMAC/TLS-AUTH option.

AFAICT, activating the HMAC extra security mechanism will force me to reconfigure all clients, with the risk of failure and a lot of downtime.
The only way a client/remote network can connect is through a specific CCD file.

Is there any way I can have this feature, but optional? Something like activating tls-auth on a ccd file only. This way it would be a smooth transition. Otherwise I would have to schedule a maintenance window, which would be cumbersome.

Thanks a lot for all your help,
Rui
Re: [Openvpn-users] Inserting hmac/tls-auth onto a production OpenVPN Server
Hi Rui,

On 12/08/15 16:49, Rui Santos wrote:
> Hi all,
>
> I'm now hardening our OpenVPN Production Server.
> I've managed to harden all required aspects, except the HMAC/TLS-AUTH
> option.
>
> AFAICT, activating the HMAC extra security mechanism will force me to
> reconfigure all clients, with the risk of failure and a lot of downtime.
> The only way a client/remote network can connect is through a specific
> CCD file.
>
> Is there any way I can have this feature, but optional? Something like
> activating tls-auth on a ccd file only. This way it would be a smooth
> transition. Otherwise I would have to schedule a maintenance window,
> which would be cumbersome.
>
nope, that is not possible - the tls-auth handshake is done at a very early stage and a ccd-file does not come into play yet.

your only option is downtime, or to set up a second instance on a different port, and migrate the clients slowly to the second instance.

HTH,

JJK