Dictionary Attack; openvpn and openssh no longer work

MMegaTron
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 10, 2011 1:05 pm


Post by MMegaTron » Fri Mar 25, 2011 2:49 pm

Hi guys,

I work for a small company setting up their IT services. I have been trying to set up OpenVPN for the past month. The previous IT support person had set the server up, and had installed WinSCP for users to connect. Unfortunately we had permissions issues so I tried setting up OpenVPN to solve it. He did not set up secure passwords for the root/admin accounts or certificates for the SSH.

I had got OpenVPN completely almost 100% working until now, but over the last couple of days openvpn AND ssh, which both previously worked, have stopped working for all users working from home. I came in and tried investigating today and found the auth.log in /etc/logs filled with messages about root attempting to connect and being rejected and other users who do not exist, all of this being repeated a couple of hundred times since early last Sunday morning. It is obvious this is a dictionary attack from some malicious user somewhere. Anyway, the point is that neither openvpn nor ssh are working now and I am pretty stumped because I don't know what has caused this, whether the user actually got into the system and changed some settings or whether it is simply sending so many requests that legitimate users can't connect (I'm guessing it's the former as the logs aren't showing any attempts now, but haven't seen on the logs that the user has successfully been able to break in).

Does anyone have any ideas which might help? I can post the log file if necessary.

Thanks,

Jack

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Dictionary Attack; openvpn and openssh no longer work

Post by janjust » Fri Mar 25, 2011 4:40 pm

Hi Jack,

If you cannot be sure that somebody gained access then in principle you can no longer trust the box at all. If the box is "mission critical" then you would have to re-install from scratch to be secure.

I don't understand why ssh+openvpn would stop working when somebody unsuccessfully attempts to log on. I'd look at free disk space on the box and I would also add some 'iptables' rules to limit the number of connections per second for both ssh and openvpn; openvpn has built-in protection against DOS attacks if you use the 'tls-auth' option - this does not block all DOS attacks but it's definitely a good idea.
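
An added example, not part of any post in this thread: a first-pass triage of auth.log that counts failed SSH password attempts per source address and flags any accepted login from a source that had already been guessing. The log lines are constructed samples in OpenSSH's usual syslog format, and the `triage` function and its threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 20 03:12:01 server sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 20 03:12:03 server sshd[4103]: Invalid user oracle from 203.0.113.7
Mar 20 03:12:04 server sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 40115 ssh2
Mar 20 03:12:06 server sshd[4105]: Failed password for root from 203.0.113.7 port 40119 ssh2
Mar 20 09:01:44 server sshd[4377]: Failed password for jack from 198.51.100.20 port 51002 ssh2
Mar 20 09:01:52 server sshd[4377]: Accepted password for jack from 198.51.100.20 port 51002 ssh2
Mar 21 02:40:10 server sshd[5020]: Failed password for admin from 192.0.2.99 port 33810 ssh2
Mar 21 02:40:12 server sshd[5022]: Failed password for admin from 192.0.2.99 port 33812 ssh2
Mar 21 02:40:15 server sshd[5024]: Failed password for admin from 192.0.2.99 port 33816 ssh2
Mar 21 02:40:19 server sshd[5026]: Accepted password for admin from 192.0.2.99 port 33820 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def triage(log_text, threshold=3):
    """Return (noisy_sources, suspicious_logins).

    noisy_sources: {ip: failure_count} for sources with >= threshold failures.
    suspicious_logins: (line_no, user, ip, failures_before) for every accepted
    login from a source that had already reached the threshold.
    """
    failures = Counter()
    suspicious = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(3)] >= threshold:
            suspicious.append((line_no, m.group(2), m.group(3), failures[m.group(3)]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = triage(SAMPLE_LOG)
    for ip, n in sorted(noisy.items()):
        print(f"{ip}: {n} failed logins")
    for line_no, user, ip, n in suspicious:
        print(f"line {line_no}: '{user}' accepted from {ip} after {n} failures")
```

An empty result from a check like this does not clear the machine, since anyone who obtained root could have edited or truncated the log; it only helps decide how urgently to act.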

MMegaTron
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 10, 2011 1:05 pm

Re: Dictionary Attack; openvpn and openssh no longer work

Post by MMegaTron » Mon Mar 28, 2011 3:40 pm

Hi Janjust,

Thank you very much for your advice. I found that openVPN and SSH were no longer working because our IP address changed. I read that sometimes in cases of these attacks the ISP can change the IP, which might be the case. I can't guarantee this was the reason as it hasn't been working all week, I suspect previously it was being blocked by the hacker's requests, but can't be sure.

Anyway, as you mentioned, I cannot be sure the computer has not been compromised, we're currently having a local IT company (who are Linux/security specialists) give it the once over and hopefully they'll be able to tell if there are problems, as we suspect. I found earlier when trying to delete accounts (to improve the security) that the administrator account is effectively locked out of modifying the user accounts control panel, which seems a bit suspicious to me. What do you think?

Also thanks for your advice on the iptables/'tls-auth'; I've looked into iptables and think this would be a good idea, and 'tls-auth' is new to me so I'm probably going to do that asap!

Best Regards
Jack

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Dictionary Attack; openvpn and openssh no longer work

Post by maikcat » Mon Mar 28, 2011 5:30 pm

you can also use fail2ban to protect your ssh...

michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
