My server suddenly getting a lot of bogus connection attempts

nickh
OpenVPN User
Posts: 29
Joined: Sun Mar 02, 2014 1:25 pm

My server suddenly getting a lot of bogus connection attempts

Post by nickh » Fri Oct 07, 2022 11:53 am

I use Fail2ban to monitor failed (i.e. bogus) connections to my OpenVPN server (v2.4.12) and ban them. Since Monday, my server has suddenly been getting 100+ different IPs trying and failing to connect to it, all resulting in a ban. Normally I get less than 1 fail a day. Is there a new vulnerability that has been discovered resulting in these probes?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: My server suddenly getting a lot of bogus connection attempts

Post by TinCanTech » Fri Oct 07, 2022 2:41 pm

nickh wrote: Fri Oct 07, 2022 11:53 am
> Is there a new vulnerability

Not that I know of.

nickh wrote: Fri Oct 07, 2022 11:53 am
> my server has suddenly been getting 100+ different IPs trying and failing to connect

My guess would be that your WAN IP changed to an IP that has previously been used for another VPN server.

nickh
OpenVPN User
Posts: 29
Joined: Sun Mar 02, 2014 1:25 pm

Re: My server suddenly getting a lot of bogus connection attempts

Post by nickh » Fri Oct 07, 2022 3:25 pm

No, my WAN IP is static and has been the same for 18 months. I am in the UK and I have a friend in Holland who is experiencing the same. A huge amount of:


Fri Oct  7 16:12:14 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:13:14 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:13:26 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:14:26 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:14:39 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:15:39 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting

for lots of different IPs and ports. My IP is munged.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: My server suddenly getting a lot of bogus connection attempts

Post by ordex » Fri Oct 07, 2022 8:20 pm

Most likely just bot scanning the network for vulnerabilities. You are using port 443/TCP, i.e. where HTTPS is normally listening.
Most likely these scanners are looking for buggy web servers.

When you use a "standard" port, I think it is expected to get lots of connection attempts.

nickh
OpenVPN User
Posts: 29
Joined: Sun Mar 02, 2014 1:25 pm

Re: My server suddenly getting a lot of bogus connection attempts

Post by nickh » Fri Oct 07, 2022 8:33 pm

I think you've misread the logs. The attacker/scanner is using a source port of 443 in this case, but many other source ports are also being used in these probes. My server listens on the standard UDP:1194.

Yes, it is probably botnet scanning, but it has suddenly leapt from next to nothing to > 100 attempts per day and I am curious why.
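
An added example, not part of any post in this thread: a small log triage script that counts failed TLS handshakes per day and per peer, and records each peer's source port separately so it is not mistaken for the server's listening port. The sample lines are constructed in the format of the excerpt above, and the function names and the per-day ceiling are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log excerpt in this thread;
# addresses come from documentation ranges, not from real hosts.
SAMPLE_LOG = """\
Fri Oct  7 16:12:14 2022 198.51.100.7:443 TLS: Initial packet from [AF_INET]198.51.100.7:443 (via [AF_INET]192.0.2.10%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:13:14 2022 198.51.100.7:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:13:14 2022 198.51.100.7:443 TLS Error: TLS handshake failed
Fri Oct  7 16:13:14 2022 198.51.100.7:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:20:02 2022 203.0.113.55:51820 TLS Error: TLS handshake failed
Sat Oct  8 09:01:40 2022 198.51.100.7:443 TLS Error: TLS handshake failed
"""

# The "<ip>:<port>" prefix is the remote peer and its SOURCE port,
# not the port the server listens on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) (?P<msg>.*)$"
)
FAILED = "TLS Error: TLS handshake failed"

def handshake_failures(log_text):
    """Yield (date, peer_ip, peer_source_port) per failed TLS handshake."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Match only the final failure line so each attempt counts once.
        if m and m["msg"] == FAILED:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts.date(), m["ip"], int(m["sport"])

def daily_summary(log_text):
    """Map date -> {peer_ip: set of source ports seen} for failures."""
    days = defaultdict(lambda: defaultdict(set))
    for day, ip, sport in handshake_failures(log_text):
        days[day][ip].add(sport)
    return days

def surge_days(log_text, max_peers_per_day):
    """Dates on which distinct failing peers exceed the expected ceiling."""
    return sorted(day for day, peers in daily_summary(log_text).items()
                  if len(peers) > max_peers_per_day)

if __name__ == "__main__":
    for day, peers in sorted(daily_summary(SAMPLE_LOG).items()):
        print(day, {ip: sorted(ports) for ip, ports in peers.items()})
    print("surge days:", surge_days(SAMPLE_LOG, max_peers_per_day=1))
```
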

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: My server suddenly getting a lot of bogus connection attempts

Post by Pippin » Fri Oct 07, 2022 8:57 pm

Any other service(s) running exposed to WAN?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

nickh
OpenVPN User
Posts: 29
Joined: Sun Mar 02, 2014 1:25 pm

Re: My server suddenly getting a lot of bogus connection attempts

Post by nickh » Fri Oct 07, 2022 9:07 pm

Lots. Web server, IPsec, BitTorrent, e-mail (SMTP/IMAP), but that has not changed and has been running for years.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: My server suddenly getting a lot of bogus connection attempts

Post by Pippin » Fri Oct 07, 2022 9:21 pm

That's how they found out.
Scanning known ports then.

nickh
OpenVPN User
Posts: 29
Joined: Sun Mar 02, 2014 1:25 pm

Re: My server suddenly getting a lot of bogus connection attempts

Post by nickh » Fri Oct 07, 2022 9:34 pm

But it has happened at an identical time to my friend in Holland. I have a feeling there is something more going on.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: My server suddenly getting a lot of bogus connection attempts

Post by Pippin » Fri Oct 07, 2022 9:40 pm

Good point.
Maybe IP/domain got exposed somehow?
Maybe also question your friend in NL.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: My server suddenly getting a lot of bogus connection attempts

Post by ordex » Fri Oct 07, 2022 10:01 pm

nickh wrote: Fri Oct 07, 2022 8:33 pm
> I think you've misread the logs. The attacker/scanner is using a source port of 443 in this case, but many other source ports are also being used in these probes. My server listens on the standard UDP:1194.

You're right - sorry
