My server suddenly getting a lot of bogus connection attempts
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVPN User
- Posts: 29
- Joined: Sun Mar 02, 2014 1:25 pm
My server suddenly getting a lot of bogus connection attempts
I use Fail2ban to monitor failed (i.e. bogus) connections to my OpenVPN server (v2.4.12) and ban them. Since Monday, my server has suddenly been getting 100+ different IPs trying and failing to connect to it, all resulting in a ban. Normally I get less than 1 fail a day. Is there a new vulnerability that has been discovered resulting in these probes?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: My server suddenly getting a lot of bogus connection attempts
Not that I know of.
My guess would be that your WAN IP changed to an IP that has previously been used for another VPN server.
-
- OpenVPN User
- Posts: 29
- Joined: Sun Mar 02, 2014 1:25 pm
Re: My server suddenly getting a lot of bogus connection attempts
No, my WAN IP is static and has been the same for 18 months. I am in the UK and I have a friend in Holland who is experiencing the same. A huge amount of:
Code:
Fri Oct 7 16:12:14 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct 7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct 7 16:13:14 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct 7 16:13:26 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct 7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct 7 16:14:26 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct 7 16:14:39 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct 7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct 7 16:15:39 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
for lots of different IPs and ports. My IP is munged.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: My server suddenly getting a lot of bogus connection attempts
Most likely just bot scanning the network for vulnerabilities. You are using port 443/TCP, i.e. where HTTPS is normally listening.
Most likely these scanners are looking for buggy web servers.
When you use a "standard" port, I think it is expected to get lots of connection attempts.
-
- OpenVPN User
- Posts: 29
- Joined: Sun Mar 02, 2014 1:25 pm
Re: My server suddenly getting a lot of bogus connection attempts
I think you've misread the logs. The attacker/scanner is using a source port of 443 in this case, but many other source ports are also being used in these probes. My server listens on the standard UDP:1194.
Yes it is probably botnet scanning but it has suddenly leapt from next to nothing to > 100 attempts per day and I am curious why.
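An added example, not part of the original post and not OpenVPN or Fail2ban code: a small parser for this log format that counts failed handshakes per peer, records the source ports each peer used, and counts distinct failing peers per day so a jump like the one described shows up. The address at the start of each line is the peer's address and source port. The sample lines are constructed, and the names `summarise`, `surge_days` and `baseline` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the log quoted in the thread.
# Addresses are documentation ranges (RFC 5737), not values from the thread.
SAMPLE_LOG = """\
Thu Oct 6 09:00:01 2022 198.51.100.9:51820 TLS: Initial packet from [AF_INET]198.51.100.9:51820 (via [AF_INET]192.0.2.1%eth0), sid=aaaaaaaa bbbbbbbb
Thu Oct 6 09:01:01 2022 198.51.100.9:51820 TLS Error: TLS handshake failed
Fri Oct 7 16:12:14 2022 203.0.113.7:443 TLS: Initial packet from [AF_INET]203.0.113.7:443 (via [AF_INET]192.0.2.1%eth0), sid=cccccccc dddddddd
Fri Oct 7 16:13:14 2022 203.0.113.7:443 TLS Error: TLS handshake failed
Fri Oct 7 16:14:26 2022 203.0.113.7:443 TLS Error: TLS handshake failed
Fri Oct 7 16:20:00 2022 203.0.113.50:53 TLS Error: TLS handshake failed
Fri Oct 7 16:21:00 2022 203.0.113.50:8080 TLS Error: TLS handshake failed
"""

# <weekday> <month> <day> <time> <year> <peer ip>:<peer SOURCE port> <message>
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) [\d:]{8} (?P<year>\d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) (?P<msg>.*)$"
)
FAILED = "TLS Error: TLS handshake failed"

def summarise(log_text):
    """Return (per_ip, per_day): failure counts and source ports per peer,
    and the set of distinct failing peers per calendar day."""
    per_ip = defaultdict(lambda: {"failed": 0, "src_ports": set()})
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["msg"] != FAILED:
            continue  # not a per-peer line, or not a handshake failure
        entry = per_ip[m["ip"]]
        entry["failed"] += 1
        entry["src_ports"].add(int(m["sport"]))
        per_day[f'{m["year"]} {m["mon"]} {int(m["day"]):02d}'].add(m["ip"])
    return dict(per_ip), dict(per_day)

def surge_days(per_day, baseline=1):
    """Days on which more distinct peers failed than the usual baseline."""
    return sorted(day for day, ips in per_day.items() if len(ips) > baseline)

if __name__ == "__main__":
    per_ip, per_day = summarise(SAMPLE_LOG)
    for ip, info in sorted(per_ip.items()):
        print(ip, info["failed"], sorted(info["src_ports"]))
    print("surge days:", surge_days(per_day))
```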
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: My server suddenly getting a lot of bogus connection attempts
Any other service(s) running exposed to WAN?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
-
- OpenVPN User
- Posts: 29
- Joined: Sun Mar 02, 2014 1:25 pm
Re: My server suddenly getting a lot of bogus connection attempts
Lots. Web server, IPsec, BitTorrent, e-mail (SMTP/IMAP), but that has not changed and has been running for years.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: My server suddenly getting a lot of bogus connection attempts
That's how they found out.
Scanning known ports then.
-
- OpenVPN User
- Posts: 29
- Joined: Sun Mar 02, 2014 1:25 pm
Re: My server suddenly getting a lot of bogus connection attempts
But it has happened at an identical time to my friend in Holland. I have a feeling there is something more going on.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: My server suddenly getting a lot of bogus connection attempts
Good point.
Maybe IP/domain got exposed somehow?
Maybe also question your friend in NL.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat