My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 11:53 am
by nickh
I use Fail2ban to monitor failed (i.e. bogus) connections to my OpenVPN server (v2.4.12) and ban them. Since Monday, my server has suddenly been getting 100+ different IPs trying and failing to connect to it, all resulting in a ban. Normally I get less than 1 fail a day. Is there a new vulnerability that has been discovered resulting in these probes?

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 2:41 pm
by TinCanTech
nickh wrote (Fri Oct 07, 2022 11:53 am): ... Is there a new vulnerability
Not that I know of.
nickh wrote (Fri Oct 07, 2022 11:53 am): my server has suddenly been getting 100+ different IP's trying and failing to connect
My guess would be that your WAN IP changed to an IP that has previously been used for another VPN server.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 3:25 pm
by nickh
No, my WAN IP is static and has been the same for 18 months. I am in the UK and I have a friend in Holland who is experiencing the same. A huge amount of:

Fri Oct  7 16:12:14 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:13:14 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:13:26 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:14:26 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:14:39 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:15:39 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
for lots of different IPs and ports. My IP is munged.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 8:20 pm
by ordex
Most likely just bots scanning the network for vulnerabilities. You are using port 443/TCP, i.e. the port where HTTPS normally listens.
Most likely these scanners are looking for buggy web servers.

When you use a "standard" port, I think it is expected to get lots of connection attempts.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 8:33 pm
by nickh
I think you've misread the logs. The attacker/scanner is using a source port of 443 in this case, but many other source ports are also being used in these probes. My server listens on the standard UDP:1194.

Yes, it is probably botnet scanning, but it has suddenly leapt from next to nothing to > 100 attempts per day and I am curious why.
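A small parser for the OpenVPN log lines quoted earlier in the thread, as an added example that is not part of this thread, of OpenVPN, or of Fail2ban. It counts "TLS handshake failed" events per peer IP and keys on the IP alone, because, as the correction about port 443 points out, the number after the address is the peer's source port and varies from probe to probe; banning per IP:port would never reach a threshold. The sample log is constructed: the 191.97.74.142 lines are the ones quoted above, the 198.51.100.7 lines (documentation address range) are added to show one peer arriving from several source ports, 11.22.33.44 is the munged server address from the thread, and the default threshold of 3 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The 191.97.74.142 lines are those quoted in the thread;
# the 198.51.100.7 lines are made up here to show one peer using several source ports.
# In every line the "IP:port" after the timestamp is the PEER's source address and
# source port, not the port the server listens on (the thread's server is UDP/1194).
SAMPLE_LOG = """\
Fri Oct  7 16:12:14 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:13:14 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:13:14 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:13:26 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:14:26 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:14:26 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:14:39 2022 191.97.74.142:443 TLS: Initial packet from [AF_INET]191.97.74.142:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=6a22eb44 5adb63fe
Fri Oct  7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:15:39 2022 191.97.74.142:443 TLS Error: TLS handshake failed
Fri Oct  7 16:15:39 2022 191.97.74.142:443 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:20:02 2022 198.51.100.7:51234 TLS: Initial packet from [AF_INET]198.51.100.7:51234 (via [AF_INET]11.22.33.44%enp1s0f0), sid=deadbeef 01234567
Fri Oct  7 16:21:02 2022 198.51.100.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:21:02 2022 198.51.100.7:51234 TLS Error: TLS handshake failed
Fri Oct  7 16:21:02 2022 198.51.100.7:51234 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct  7 16:21:30 2022 198.51.100.7:443 TLS: Initial packet from [AF_INET]198.51.100.7:443 (via [AF_INET]11.22.33.44%enp1s0f0), sid=0badf00d 89abcdef
Fri Oct  7 16:22:30 2022 198.51.100.7:443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct  7 16:22:30 2022 198.51.100.7:443 TLS Error: TLS handshake failed
Fri Oct  7 16:22:30 2022 198.51.100.7:443 SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# OpenVPN 2.4 default log prefix: "Www Mmm dd HH:MM:SS YYYY peer_ip:peer_port message".
# The day of month is space-padded, hence " +" before it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<msg>.*)$"
)

# Only the final "handshake failed" line is counted. The 60-second timeout line and the
# SIGUSR1 restart line belong to the same failed attempt and would double-count it.
HANDSHAKE_FAILED = "TLS Error: TLS handshake failed"


def parse_line(line):
    """Split one log line into (timestamp, peer_ip, peer_port, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ts"], m["ip"], int(m["port"]), m["msg"]


def handshake_failures(log_text):
    """Count completed-but-failed TLS handshakes per peer IP (the Fail2ban '<HOST>' equivalent)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == HANDSHAKE_FAILED:
            counts[parsed[1]] += 1
    return counts


def source_ports(log_text):
    """Map each peer IP to the set of source ports it was seen from."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ports[parsed[1]].add(parsed[2])
    return dict(ports)


def offenders(log_text, threshold=3):
    """Peer IPs with at least `threshold` failed handshakes, most failures first.

    The threshold of 3 is an assumption for this example, not a Fail2ban default."""
    counts = handshake_failures(log_text)
    return sorted(
        (ip for ip, n in counts.items() if n >= threshold),
        key=lambda ip: (-counts[ip], ip),
    )


if __name__ == "__main__":
    ports = source_ports(SAMPLE_LOG)
    for ip, n in handshake_failures(SAMPLE_LOG).most_common():
        print(f"{ip:16} failed handshakes={n} source ports={sorted(ports[ip])}")
    print("ban candidates:", offenders(SAMPLE_LOG))
```

Keying on the peer IP alone matters for the thread's question: a source port of 443 on the peer side is just the port the scanner happened to send from, so the grouping has to ignore it or a single scanner changing ports never reaches the ban threshold. In Fail2ban terms, the `ip` group here plays the role of the `<HOST>` capture in a failregex.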

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 8:57 pm
by Pippin
Any other service(s) running exposed to WAN?

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 9:07 pm
by nickh
Lots. Web server, IPsec, Bittorrent, e-mail (SMTP/IMAP), but that has not changed and has been running for years.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 9:21 pm
by Pippin
That's how they found out.
Scanning known ports then.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 9:34 pm
by nickh
But it has happened at an identical time to my friend in Holland. I have a feeling there is something more going on.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 9:40 pm
by Pippin
Good point.
Maybe IP/domain got exposed somehow?
Maybe also question your friend in NL.

Re: My server suddenly getting a lot of bogus connection attempts

Posted: Fri Oct 07, 2022 10:01 pm
by ordex
nickh wrote (Fri Oct 07, 2022 8:33 pm): I think you've misread the logs. The attacker/scanner is using a source port of 443 in this case, but many other source ports are also being used in these probes. My server listens on the standard UDP:1194.
You're right - sorry