This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.
Moderators: TinCanTech
-
shinjikenny
- OpenVPN User
- Posts: 25
- Joined: Fri Jul 29, 2011 5:32 am
Post
by shinjikenny » Tue Nov 29, 2011 2:37 pm
Can someone tell me what this log means... I'm getting 3 to 6 times of this on my logs and sometimes, 10 or more every day...
I'm the only one using the server but I'm getting this from different IPs...
Code:
Nov 28 10:43:07 bvm1 openvpn[9338]: MULTI: multi_create_instance called
Nov 28 10:43:07 bvm1 openvpn[9338]: Re-using SSL/TLS context
Nov 28 10:43:07 bvm1 openvpn[9338]: LZO compression initialized
Nov 28 10:43:07 bvm1 openvpn[9338]: Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 28 10:43:07 bvm1 openvpn[9338]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 28 10:43:07 bvm1 openvpn[9338]: Local Options hash (VER=V4): '77cf0943'
Nov 28 10:43:07 bvm1 openvpn[9338]: Expected Remote Options hash (VER=V4): '2547efd2'
Nov 28 10:43:07 bvm1 openvpn[9338]: TCP connection established with 69.64.84.80:49999
Nov 28 10:43:07 bvm1 openvpn[9338]: TCPv4_SERVER link local: [undef]
Nov 28 10:43:07 bvm1 openvpn[9338]: TCPv4_SERVER link remote: 69.64.84.80:49999
Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1576 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 Connection reset, restarting [0]
Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 SIGUSR1[soft,connection-reset] received, client-instance restarting
Nov 28 10:43:07 bvm1 openvpn[9338]: TCP/UDP: Closing socket
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post
by Mimiko » Tue Nov 29, 2011 3:07 pm
"this condition could also indicate a possible active attack on the TCP link"
Block any access to TCP 49999 and leave only the IP from which you will connect.
-
shinjikenny
- OpenVPN User
- Posts: 25
- Joined: Fri Jul 29, 2011 5:32 am
Post
by shinjikenny » Tue Nov 29, 2011 3:26 pm
What kind of attack is he trying to do?
I checked my logs for similar results and here's what I found:
Code:
Line 9: Oct 30 00:34:39 bvm1 openvpn[28320]: TCP connection established with 201.20.3.226:61672
Line 23: Oct 30 05:30:26 bvm1 openvpn[28320]: TCP connection established with 200.130.34.100:29718
Line 37: Oct 30 07:43:22 bvm1 openvpn[28320]: TCP connection established with 130.226.229.27:35214
Line 51: Oct 30 10:13:25 bvm1 openvpn[28320]: TCP connection established with 60.217.226.12:46191
Line 65: Oct 30 11:57:00 bvm1 openvpn[28320]: TCP connection established with 97.66.135.204:41950
Line 79: Oct 30 18:41:21 bvm1 openvpn[28320]: TCP connection established with 118.98.31.136:50596
Line 93: Oct 30 23:36:10 bvm1 openvpn[28320]: TCP connection established with 122.160.168.20:53007
Line 107: Oct 31 02:30:04 bvm1 openvpn[28320]: TCP connection established with 211.144.125.66:55960
Line 121: Oct 31 06:24:45 bvm1 openvpn[28320]: TCP connection established with 84.14.219.253:53187
Line 135: Oct 31 08:37:22 bvm1 openvpn[28320]: TCP connection established with 196.2.12.22:40715
Line 149: Oct 31 10:17:44 bvm1 openvpn[28320]: TCP connection established with 92.62.39.8:46815
Line 163: Oct 31 20:42:28 bvm1 openvpn[28320]: TCP connection established with 58.185.207.157:55167
Line 177: Oct 31 21:07:10 bvm1 openvpn[28320]: TCP connection established with 64.85.58.2:7437
Line 191: Nov 1 06:40:50 bvm1 openvpn[28320]: TCP connection established with 63.247.149.226:63103
Line 204: Nov 1 15:09:12 bvm1 openvpn[28320]: TCP connection established with 98.129.78.230:57281
Line 218: Nov 1 16:48:20 bvm1 openvpn[28320]: TCP connection established with 91.200.170.210:1783
Line 232: Nov 1 20:59:40 bvm1 openvpn[28320]: TCP connection established with 82.94.217.126:10899
Line 246: Nov 2 07:09:49 bvm1 openvpn[28320]: TCP connection established with 115.168.33.141:9498
Line 260: Nov 2 13:30:41 bvm1 openvpn[28320]: TCP connection established with 38.111.244.170:53116
Line 274: Nov 2 14:06:21 bvm1 openvpn[28320]: TCP connection established with 134.128.87.6:2368
Line 288: Nov 3 11:15:38 bvm1 openvpn[28320]: TCP connection established with 221.226.40.43:46886
Line 302: Nov 3 23:23:57 bvm1 openvpn[28320]: TCP connection established with 200.20.10.250:51551
Line 316: Nov 4 01:00:10 bvm1 openvpn[28320]: TCP connection established with 87.128.224.125:48221
Line 330: Nov 4 01:25:22 bvm1 openvpn[28320]: TCP connection established with 97.88.245.166:54623
Line 496: Nov 4 13:09:47 bvm1 openvpn[28320]: TCP connection established with 216.240.136.95:45762
Line 2265: Nov 5 03:23:03 bvm1 openvpn[28320]: TCP connection established with 222.73.52.6:36124
Line 233: Nov 6 17:04:33 bvm1 openvpn[28320]: TCP connection established with 60.217.226.165:47731
Line 747: Nov 6 23:10:17 bvm1 openvpn[28320]: TCP connection established with 218.29.126.61:5407
Line 997: Nov 7 04:59:13 bvm1 openvpn[28320]: TCP connection established with 125.88.105.82:48632
Line 1466: Nov 7 21:49:58 bvm1 openvpn[28320]: TCP connection established with 202.102.108.11:27366
Line 1547: Nov 8 00:45:16 bvm1 openvpn[28320]: TCP connection established with 94.176.167.251:38288
Line 1703: Nov 8 03:11:26 bvm1 openvpn[28320]: TCP connection established with 123.49.44.18:9874
Line 2166: Nov 8 09:20:18 bvm1 openvpn[28320]: TCP connection established with 88.80.10.1:48398
Line 2887: Nov 9 10:55:36 bvm1 openvpn[28320]: TCP connection established with 91.200.170.210:62874
Line 3079: Nov 9 12:31:47 bvm1 openvpn[28320]: TCP connection established with 113.105.67.65:2054
Line 3691: Nov 9 20:45:33 bvm1 openvpn[28320]: TCP connection established with 98.158.22.199:45917
Line 3881: Nov 9 22:57:20 bvm1 openvpn[28320]: TCP connection established with 218.29.126.61:64338
Line 5333: Nov 10 08:54:02 bvm1 openvpn[28320]: TCP connection established with 115.168.33.141:48227
Line 5731: Nov 10 16:32:03 bvm1 openvpn[28320]: TCP connection established with 120.70.62.170:1599
Line 6216: Nov 11 01:40:48 bvm1 openvpn[28320]: TCP connection established with 218.29.126.61:16311
Line 6729: Nov 11 07:04:15 bvm1 openvpn[28320]: TCP connection established with 64.115.130.9:51288
Line 8536: Nov 12 07:27:43 bvm1 openvpn[28320]: TCP connection established with 200.201.201.71:51215
Line 8550: Nov 12 09:38:50 bvm1 openvpn[28320]: TCP connection established with 199.71.212.195:50603
Line 8564: Nov 12 09:43:30 bvm1 openvpn[28320]: TCP connection established with 64.115.130.9:51824
Line 9105: Nov 12 15:56:49 bvm1 openvpn[28320]: TCP connection established with 201.67.198.5:44618
Line 9891: Nov 12 22:42:34 bvm1 openvpn[3795]: TCP connection established with 50.56.31.172:41186
Line 66: Nov 13 03:07:03 bvm1 openvpn[3795]: TCP connection established with 31.44.184.50:36608
Line 271: Nov 13 06:13:40 bvm1 openvpn[3795]: TCP connection established with 66.77.14.167:55425
Line 685: Nov 13 10:02:29 bvm1 openvpn[3795]: TCP connection established with 122.193.16.18:37501
Line 699: Nov 13 10:38:42 bvm1 openvpn[3795]: TCP connection established with 202.101.92.17:16724
Line 721: Nov 13 11:42:47 bvm1 openvpn[3795]: TCP connection established with 200.189.112.8:39019
Line 2930: Nov 14 00:11:51 bvm1 openvpn[9338]: TCP connection established with 119.97.246.126:35009
Line 4098: Nov 14 11:40:38 bvm1 openvpn[9338]: TCP connection established with 163.247.52.14:51675
Line 4192: Nov 14 16:15:46 bvm1 openvpn[9338]: TCP connection established with 120.70.62.170:1920
Line 4932: Nov 15 19:08:41 bvm1 openvpn[9338]: TCP connection established with 50.57.43.51:36773
Line 6377: Nov 16 20:55:18 bvm1 openvpn[9338]: TCP connection established with 77.239.154.98:39779
Line 6742: Nov 17 10:31:10 bvm1 openvpn[9338]: TCP connection established with 188.132.163.130:37516
Line 7262: Nov 18 05:21:18 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:53947
Line 7276: Nov 18 05:21:31 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:56240
Line 7290: Nov 18 05:23:03 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:57141
Line 7304: Nov 18 05:24:40 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:58945
Line 7789: Nov 18 16:40:26 bvm1 openvpn[9338]: TCP connection established with 219.143.8.143:60676
Line 8717: Nov 19 06:19:13 bvm1 openvpn[9338]: TCP connection established with 61.135.24.99:46337
Line 9242: Nov 19 21:12:46 bvm1 openvpn[9338]: TCP connection established with 110.76.47.90:36688
Line 9256: Nov 19 21:36:30 bvm1 openvpn[9338]: TCP connection established with 60.2.76.50:36824
Line 193: Nov 20 03:12:25 bvm1 openvpn[9338]: TCP connection established with 190.144.126.12:20057
Line 439: Nov 20 12:42:39 bvm1 openvpn[9338]: TCP connection established with 200.61.189.153:42648
Line 1750: Nov 21 17:50:17 bvm1 openvpn[9338]: TCP connection established with 88.191.127.72:40177
Line 1921: Nov 22 01:21:02 bvm1 openvpn[9338]: TCP connection established with 203.100.72.16:59206
Line 3599: Nov 23 04:49:42 bvm1 openvpn[9338]: TCP connection established with 204.232.192.66:35007
Line 4721: Nov 23 13:00:44 bvm1 openvpn[9338]: TCP connection established with 218.6.16.37:19566
Line 4974: Nov 23 18:05:39 bvm1 openvpn[9338]: TCP connection established with 187.115.68.232:40004
Line 5038: Nov 23 21:32:07 bvm1 openvpn[9338]: TCP connection established with 66.77.14.167:46062
Line 5197: Nov 24 05:31:49 bvm1 openvpn[9338]: TCP connection established with 203.198.53.168:53160
Line 7786: Nov 26 09:11:27 bvm1 openvpn[9338]: TCP connection established with 211.140.23.144:44207
Line 8071: Nov 26 16:43:09 bvm1 openvpn[9338]: TCP connection established with 203.69.85.52:58956
Line 8105: Nov 26 19:10:00 bvm1 openvpn[9338]: TCP connection established with 65.164.53.18:58681
Line 110: Nov 27 02:55:53 bvm1 openvpn[9338]: TCP connection established with 72.191.213.60:53172
Line 197: Nov 27 08:47:04 bvm1 openvpn[9338]: TCP connection established with 61.185.74.214:44032
Line 328: Nov 27 11:11:27 bvm1 openvpn[9338]: TCP connection established with 219.143.8.143:50202
Line 573: Nov 27 16:32:07 bvm1 openvpn[9338]: TCP connection established with 201.24.213.88:36826
Line 4916: Nov 28 10:43:07 bvm1 openvpn[9338]: TCP connection established with 69.64.84.80:49999
Line 4947: Nov 28 12:43:25 bvm1 openvpn[9338]: TCP connection established with 125.76.227.14:52365
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Tue Nov 29, 2011 3:46 pm
Which port is your openvpn server running on? Sounds like you are simply being portscanned from all over the internet. This is "normal", I'm afraid. You can use 'tls-auth' keys to minimize the impact of these port scans (the connection will be dropped sooner).
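Added example, not part of the original thread and not OpenVPN's own code: OpenVPN over TCP prefixes every packet with a 16-bit big-endian length, so the rejected length 18245 (0x4745) in the warning above is the ASCII bytes "GE", which is consistent with an HTTP client or scanner sending a GET request to the OpenVPN port. The script decodes that value from log lines; the prefix table and every sample line except the first are constructed.

```python
import re
from collections import Counter

# The "bad length" OpenVPN reports is simply the first two bytes the peer sent,
# read as a 16-bit big-endian packet length.
BAD_LEN = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) WARNING: "
    r"Bad encapsulated packet length from peer \((?P<length>\d+)\)"
)

# First two bytes of common non-OpenVPN openers (assumed table, not exhaustive).
KNOWN_PREFIXES = {
    b"GE": "HTTP GET",
    b"PO": "HTTP POST",
    b"HE": "HTTP HEAD",
    b"CO": "HTTP CONNECT",
    b"SS": "SSH banner",
    b"\x16\x03": "TLS ClientHello",
}

def decode_length(length):
    """Return the two raw bytes that OpenVPN interpreted as a packet length."""
    return length.to_bytes(2, "big")

def classify(length):
    """Guess which protocol the peer was speaking from its first two bytes."""
    return KNOWN_PREFIXES.get(decode_length(length), "unknown")

def triage(lines):
    """Count bad-length warnings per (source IP, guessed protocol)."""
    hits = Counter()
    for line in lines:
        m = BAD_LEN.search(line)
        if m:
            hits[(m["ip"], classify(int(m["length"])))] += 1
    return hits

# Line 1 is the warning from the post (shortened); the rest are constructed samples.
SAMPLE = [
    "Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1576",
    "Nov 28 11:02:10 bvm1 openvpn[9338]: 192.0.2.10:40000 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1576",
    "Nov 28 11:05:44 bvm1 openvpn[9338]: 198.51.100.7:51000 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1576",
    "Nov 28 11:05:44 bvm1 openvpn[9338]: TCP connection established with 198.51.100.7:51000",
]

if __name__ == "__main__":
    for (ip, guess), count in sorted(triage(SAMPLE).items()):
        print(f"{ip:15} {guess:16} x{count}")
```
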
-
shinjikenny
- OpenVPN User
- Posts: 25
- Joined: Fri Jul 29, 2011 5:32 am
Post
by shinjikenny » Tue Nov 29, 2011 4:07 pm
I have UDP port 443, 444, 1194, 137 and TCP port 80, 153
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Tue Nov 29, 2011 4:12 pm
You mean openvpn is listening on all of those ports? Then I'm not surprised about the port scans...
-
shinjikenny
- OpenVPN User
- Posts: 25
- Joined: Fri Jul 29, 2011 5:32 am
Post
by shinjikenny » Tue Nov 29, 2011 4:35 pm
Umm.. yes.. Is there something wrong?
I realize that opening more ports on my server is putting me at risk.
Is there a way to temporarily close all those ports and just make a port open automatically when a client tries to connect to any of the ports?
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Wed Nov 30, 2011 8:33 am
Nope, there's nothing wrong, but those ports are ALWAYS scanned by script kiddies. This explains the connection attempts in your openvpn log.
There's no real way of opening a port when the client connects: the port needs to be open if a client wants to connect on UDP port 137 (etc etc).
-
shinjikenny
- OpenVPN User
- Posts: 25
- Joined: Fri Jul 29, 2011 5:32 am
Post
by shinjikenny » Wed Nov 30, 2011 5:35 pm
Ah I see, that makes sense.
But if I opened that port for openvpn, openvpn will bind on that port right?
And even if hackers found that port opened, they won't be able to do much about it, unless openvpn has security issues or they were able to steal one of my client's configs? Am I right?
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Thu Dec 01, 2011 7:41 am
"But if I opened that port for openvpn, openvpn will bind on that port right?"
Yep.
"And even if hackers found that port opened, they won't be able to do much about it, unless openvpn has security issues or they were able to steal one of my client's configs? Am I right?"
If there's a security flaw in openvpn, or in your openvpn setup, then a hacker might be able to gain access to your local network via the VPN; but in that case ALL ports would be bad. There are currently no security issues known in OpenVPN itself.
-
shinjikenny
- OpenVPN User
- Posts: 25
- Joined: Fri Jul 29, 2011 5:32 am
Post
by shinjikenny » Thu Dec 01, 2011 11:48 am
OK, thanks for the help.
