Hi,
I've set up an OpenVPN server that has 5-7 connected clients, each with its own certificate.
Today I've noticed that in the last couple of days, there have been multiple connection attempts from very different IPs... I don't know any of these IPs...
Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS handshake failed
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS handshake failed
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS handshake failed
Fri Sep 07 14:19:23 2018 91.109.251.1 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:19:23 2018 91.109.251.1 TLS Error: TLS handshake failed
Fri Sep 07 14:20:11 2018 212.24.52.254 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:20:11 2018 212.24.52.254 TLS Error: TLS handshake failed
I have hundreds and hundreds of these messages in the server log...
Should I be worried?
Thanks!
Multiple connection attempts from multiple IPs
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Sep 07, 2018 1:47 pm
-
- OpenVpn Newbie
- Posts: 16
- Joined: Mon Jan 28, 2013 1:57 pm
Re: Multiple connection attempts from multiple IPs
I'm seeing hundreds, thousands of these every morning in my firewall log report. These messages were virtually non-existent a month ago. Now, it's nightly. The addresses are all over the map. I think somebody has written some kind of exploit script and all the bad guys are using it now.
Any idea what exploit they are looking for?
Bobby
-
- OpenVpn Newbie
- Posts: 16
- Joined: Mon Jan 28, 2013 1:57 pm
Re: Multiple connection attempts from multiple IPs
Hi!
I googled around and created a fail2ban rule to deal with these bad guys. I'd still love to know what happened to warrant these attempts.
Bobby
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Sep 07, 2018 1:47 pm
Re: Multiple connection attempts from multiple IPs
Hey Bobby,
I don't really know how to use fail2ban on Windows but I've added '--tls-auth' and the connection attempts reduced a lot.
See https://community.openvpn.net/openvpn/w ... --tls-auth
HMP
-
- OpenVpn Newbie
- Posts: 16
- Joined: Mon Jan 28, 2013 1:57 pm
Re: Multiple connection attempts from multiple IPs
Hi!
Thanks for the suggestion.
I'll look into tls-auth.
This is on top of the normal ssl certificates?
Bobby
-
- OpenVpn Newbie
- Posts: 16
- Joined: Mon Jan 28, 2013 1:57 pm
Re: Multiple connection attempts from multiple IPs
Hi!
Another bit of info. I reported the openvpn probes to several ISPs and one responded.
He said the OpenVPN traffic was not originating in their network. What is happening is an OpenVPN DDoS amplification attack. A bad guy sends an OpenVPN packet to me, using a false source address, and my OpenVPN server sends an error message back to the forged source address. Thus, I was unwittingly participating in a DDoS amplification attack.
I enabled tls-auth and that seems to have greatly reduced the amount of erroneous tls handshake failure messages I'm sending.
Thanks,
Bobby
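An added example, not part of any post in this thread: a Python summary of the log format quoted in the first post, reporting how many source addresses a per-IP threshold (the kind a fail2ban rule applies) would catch when every address shows up only once, as with the forged sources described above. The function name `summarize` and the `maxretry` value of 3 are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first three attempts quoted in the first post.
SAMPLE = """\
Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS handshake failed
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS handshake failed
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS handshake failed
""".splitlines()

# Each failed attempt logs two lines; only "handshake failed" is matched so an
# attempt is not counted twice. The ":port" suffix is optional (assumption:
# some logs print ip:port, the lines in this thread show only the IP).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? "
    r"TLS Error: TLS handshake failed$"
)

def summarize(lines, maxretry=3):
    """Count failed handshakes per source address and list the sources that
    reach a per-IP threshold (maxretry is a hypothetical fail2ban-style value)."""
    per_ip = Counter()
    first = last = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated line, or the paired "key negotiation" line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        per_ip[m["ip"]] += 1
    total = sum(per_ip.values())
    return {
        "failures": total,
        "distinct_sources": len(per_ip),
        "sources_over_threshold": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
        "window_seconds": int((last - first).total_seconds()) if total else 0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When `distinct_sources` is close to `failures` and `sources_over_threshold` stays empty, per-IP banning has little to act on, which fits the thread's experience that `--tls-auth` reduced the messages.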
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Sep 25, 2018 7:58 am
Re: Multiple connection attempts from multiple IPs
I'm using iptables rules to block countries ....