Check my log

Posted: Tue Nov 29, 2011 2:37 pm
by shinjikenny
Can someone tell me what this log means... I'm getting this 3 to 6 times in my logs and sometimes 10 or more every day...
I'm the only one using the server, but I'm getting this from different IPs...

Nov 28 10:43:07 bvm1 openvpn[9338]: MULTI: multi_create_instance called
Nov 28 10:43:07 bvm1 openvpn[9338]: Re-using SSL/TLS context
Nov 28 10:43:07 bvm1 openvpn[9338]: LZO compression initialized
Nov 28 10:43:07 bvm1 openvpn[9338]: Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 28 10:43:07 bvm1 openvpn[9338]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 28 10:43:07 bvm1 openvpn[9338]: Local Options hash (VER=V4): '77cf0943'
Nov 28 10:43:07 bvm1 openvpn[9338]: Expected Remote Options hash (VER=V4): '2547efd2'
Nov 28 10:43:07 bvm1 openvpn[9338]: TCP connection established with 69.64.84.80:49999
Nov 28 10:43:07 bvm1 openvpn[9338]: TCPv4_SERVER link local: [undef]
Nov 28 10:43:07 bvm1 openvpn[9338]: TCPv4_SERVER link remote: 69.64.84.80:49999
Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1576 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 Connection reset, restarting [0]
Nov 28 10:43:07 bvm1 openvpn[9338]: 69.64.84.80:49999 SIGUSR1[soft,connection-reset] received, client-instance restarting
Nov 28 10:43:07 bvm1 openvpn[9338]: TCP/UDP: Closing socket

Re: Check my log

Posted: Tue Nov 29, 2011 3:07 pm
by Mimiko
this condition could also indicate a possible active attack on the TCP link
Block any access to TCP 49999 and leave only IP from which you will connect.

Re: Check my log

Posted: Tue Nov 29, 2011 3:26 pm
by shinjikenny
What kind of attack is he trying to do?
I checked my logs for similar results and here's what I found:

	Line 9: Oct 30 00:34:39 bvm1 openvpn[28320]: TCP connection established with 201.20.3.226:61672
	Line 23: Oct 30 05:30:26 bvm1 openvpn[28320]: TCP connection established with 200.130.34.100:29718
	Line 37: Oct 30 07:43:22 bvm1 openvpn[28320]: TCP connection established with 130.226.229.27:35214
	Line 51: Oct 30 10:13:25 bvm1 openvpn[28320]: TCP connection established with 60.217.226.12:46191
	Line 65: Oct 30 11:57:00 bvm1 openvpn[28320]: TCP connection established with 97.66.135.204:41950
	Line 79: Oct 30 18:41:21 bvm1 openvpn[28320]: TCP connection established with 118.98.31.136:50596
	Line 93: Oct 30 23:36:10 bvm1 openvpn[28320]: TCP connection established with 122.160.168.20:53007
	Line 107: Oct 31 02:30:04 bvm1 openvpn[28320]: TCP connection established with 211.144.125.66:55960
	Line 121: Oct 31 06:24:45 bvm1 openvpn[28320]: TCP connection established with 84.14.219.253:53187
	Line 135: Oct 31 08:37:22 bvm1 openvpn[28320]: TCP connection established with 196.2.12.22:40715
	Line 149: Oct 31 10:17:44 bvm1 openvpn[28320]: TCP connection established with 92.62.39.8:46815
	Line 163: Oct 31 20:42:28 bvm1 openvpn[28320]: TCP connection established with 58.185.207.157:55167
	Line 177: Oct 31 21:07:10 bvm1 openvpn[28320]: TCP connection established with 64.85.58.2:7437
	Line 191: Nov  1 06:40:50 bvm1 openvpn[28320]: TCP connection established with 63.247.149.226:63103
	Line 204: Nov  1 15:09:12 bvm1 openvpn[28320]: TCP connection established with 98.129.78.230:57281
	Line 218: Nov  1 16:48:20 bvm1 openvpn[28320]: TCP connection established with 91.200.170.210:1783
	Line 232: Nov  1 20:59:40 bvm1 openvpn[28320]: TCP connection established with 82.94.217.126:10899
	Line 246: Nov  2 07:09:49 bvm1 openvpn[28320]: TCP connection established with 115.168.33.141:9498
	Line 260: Nov  2 13:30:41 bvm1 openvpn[28320]: TCP connection established with 38.111.244.170:53116
	Line 274: Nov  2 14:06:21 bvm1 openvpn[28320]: TCP connection established with 134.128.87.6:2368
	Line 288: Nov  3 11:15:38 bvm1 openvpn[28320]: TCP connection established with 221.226.40.43:46886
	Line 302: Nov  3 23:23:57 bvm1 openvpn[28320]: TCP connection established with 200.20.10.250:51551
	Line 316: Nov  4 01:00:10 bvm1 openvpn[28320]: TCP connection established with 87.128.224.125:48221
	Line 330: Nov  4 01:25:22 bvm1 openvpn[28320]: TCP connection established with 97.88.245.166:54623
	Line 496: Nov  4 13:09:47 bvm1 openvpn[28320]: TCP connection established with 216.240.136.95:45762
	Line 2265: Nov  5 03:23:03 bvm1 openvpn[28320]: TCP connection established with 222.73.52.6:36124
	Line 233: Nov  6 17:04:33 bvm1 openvpn[28320]: TCP connection established with 60.217.226.165:47731
	Line 747: Nov  6 23:10:17 bvm1 openvpn[28320]: TCP connection established with 218.29.126.61:5407
	Line 997: Nov  7 04:59:13 bvm1 openvpn[28320]: TCP connection established with 125.88.105.82:48632
	Line 1466: Nov  7 21:49:58 bvm1 openvpn[28320]: TCP connection established with 202.102.108.11:27366
	Line 1547: Nov  8 00:45:16 bvm1 openvpn[28320]: TCP connection established with 94.176.167.251:38288
	Line 1703: Nov  8 03:11:26 bvm1 openvpn[28320]: TCP connection established with 123.49.44.18:9874
	Line 2166: Nov  8 09:20:18 bvm1 openvpn[28320]: TCP connection established with 88.80.10.1:48398
	Line 2887: Nov  9 10:55:36 bvm1 openvpn[28320]: TCP connection established with 91.200.170.210:62874
	Line 3079: Nov  9 12:31:47 bvm1 openvpn[28320]: TCP connection established with 113.105.67.65:2054
	Line 3691: Nov  9 20:45:33 bvm1 openvpn[28320]: TCP connection established with 98.158.22.199:45917
	Line 3881: Nov  9 22:57:20 bvm1 openvpn[28320]: TCP connection established with 218.29.126.61:64338
	Line 5333: Nov 10 08:54:02 bvm1 openvpn[28320]: TCP connection established with 115.168.33.141:48227
	Line 5731: Nov 10 16:32:03 bvm1 openvpn[28320]: TCP connection established with 120.70.62.170:1599
	Line 6216: Nov 11 01:40:48 bvm1 openvpn[28320]: TCP connection established with 218.29.126.61:16311
	Line 6729: Nov 11 07:04:15 bvm1 openvpn[28320]: TCP connection established with 64.115.130.9:51288
	Line 8536: Nov 12 07:27:43 bvm1 openvpn[28320]: TCP connection established with 200.201.201.71:51215
	Line 8550: Nov 12 09:38:50 bvm1 openvpn[28320]: TCP connection established with 199.71.212.195:50603
	Line 8564: Nov 12 09:43:30 bvm1 openvpn[28320]: TCP connection established with 64.115.130.9:51824
	Line 9105: Nov 12 15:56:49 bvm1 openvpn[28320]: TCP connection established with 201.67.198.5:44618
	Line 9891: Nov 12 22:42:34 bvm1 openvpn[3795]: TCP connection established with 50.56.31.172:41186
	Line 66: Nov 13 03:07:03 bvm1 openvpn[3795]: TCP connection established with 31.44.184.50:36608
	Line 271: Nov 13 06:13:40 bvm1 openvpn[3795]: TCP connection established with 66.77.14.167:55425
	Line 685: Nov 13 10:02:29 bvm1 openvpn[3795]: TCP connection established with 122.193.16.18:37501
	Line 699: Nov 13 10:38:42 bvm1 openvpn[3795]: TCP connection established with 202.101.92.17:16724
	Line 721: Nov 13 11:42:47 bvm1 openvpn[3795]: TCP connection established with 200.189.112.8:39019
	Line 2930: Nov 14 00:11:51 bvm1 openvpn[9338]: TCP connection established with 119.97.246.126:35009
	Line 4098: Nov 14 11:40:38 bvm1 openvpn[9338]: TCP connection established with 163.247.52.14:51675
	Line 4192: Nov 14 16:15:46 bvm1 openvpn[9338]: TCP connection established with 120.70.62.170:1920
	Line 4932: Nov 15 19:08:41 bvm1 openvpn[9338]: TCP connection established with 50.57.43.51:36773
	Line 6377: Nov 16 20:55:18 bvm1 openvpn[9338]: TCP connection established with 77.239.154.98:39779
	Line 6742: Nov 17 10:31:10 bvm1 openvpn[9338]: TCP connection established with 188.132.163.130:37516
	Line 7262: Nov 18 05:21:18 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:53947
	Line 7276: Nov 18 05:21:31 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:56240
	Line 7290: Nov 18 05:23:03 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:57141
	Line 7304: Nov 18 05:24:40 bvm1 openvpn[9338]: TCP connection established with 24.7.97.92:58945
	Line 7789: Nov 18 16:40:26 bvm1 openvpn[9338]: TCP connection established with 219.143.8.143:60676
	Line 8717: Nov 19 06:19:13 bvm1 openvpn[9338]: TCP connection established with 61.135.24.99:46337
	Line 9242: Nov 19 21:12:46 bvm1 openvpn[9338]: TCP connection established with 110.76.47.90:36688
	Line 9256: Nov 19 21:36:30 bvm1 openvpn[9338]: TCP connection established with 60.2.76.50:36824
	Line 193: Nov 20 03:12:25 bvm1 openvpn[9338]: TCP connection established with 190.144.126.12:20057
	Line 439: Nov 20 12:42:39 bvm1 openvpn[9338]: TCP connection established with 200.61.189.153:42648
	Line 1750: Nov 21 17:50:17 bvm1 openvpn[9338]: TCP connection established with 88.191.127.72:40177
	Line 1921: Nov 22 01:21:02 bvm1 openvpn[9338]: TCP connection established with 203.100.72.16:59206
	Line 3599: Nov 23 04:49:42 bvm1 openvpn[9338]: TCP connection established with 204.232.192.66:35007
	Line 4721: Nov 23 13:00:44 bvm1 openvpn[9338]: TCP connection established with 218.6.16.37:19566
	Line 4974: Nov 23 18:05:39 bvm1 openvpn[9338]: TCP connection established with 187.115.68.232:40004
	Line 5038: Nov 23 21:32:07 bvm1 openvpn[9338]: TCP connection established with 66.77.14.167:46062
	Line 5197: Nov 24 05:31:49 bvm1 openvpn[9338]: TCP connection established with 203.198.53.168:53160
	Line 7786: Nov 26 09:11:27 bvm1 openvpn[9338]: TCP connection established with 211.140.23.144:44207
	Line 8071: Nov 26 16:43:09 bvm1 openvpn[9338]: TCP connection established with 203.69.85.52:58956
	Line 8105: Nov 26 19:10:00 bvm1 openvpn[9338]: TCP connection established with 65.164.53.18:58681
	Line 110: Nov 27 02:55:53 bvm1 openvpn[9338]: TCP connection established with 72.191.213.60:53172
	Line 197: Nov 27 08:47:04 bvm1 openvpn[9338]: TCP connection established with 61.185.74.214:44032
	Line 328: Nov 27 11:11:27 bvm1 openvpn[9338]: TCP connection established with 219.143.8.143:50202
	Line 573: Nov 27 16:32:07 bvm1 openvpn[9338]: TCP connection established with 201.24.213.88:36826
	Line 4916: Nov 28 10:43:07 bvm1 openvpn[9338]: TCP connection established with 69.64.84.80:49999
	Line 4947: Nov 28 12:43:25 bvm1 openvpn[9338]: TCP connection established with 125.76.227.14:52365


Re: Check my log

Posted: Tue Nov 29, 2011 3:46 pm
by janjust
Which port is your openvpn server running on? Sounds like you are simply being portscanned from all over the internet. This is "normal", I'm afraid. You can use 'tls-auth' keys to minimize the impact of these port scans (the connection will be dropped sooner).
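As an added illustration of janjust's point (example code written for this page, not from the thread or from OpenVPN): a small classifier over log lines in the format shown above, which separates peers that completed a TLS handshake from those that only connected and were reset, and decodes the bogus length prefix. OpenVPN's TCP framing is a 2-byte big-endian length, so the reported 18245 is the bytes 0x47 0x45, "GE", the start of an HTTP request line, which is what you would expect to hit a server listening on TCP 80. The sample lines, addresses and client name are constructed.

```python
import re

# Constructed sample in the format of the log above (not a real capture; addresses are
# from documentation ranges). 18245 is the bad length value reported in the first post.
SAMPLE_LOG = """\
Nov 28 10:43:07 bvm1 openvpn[9338]: TCP connection established with 192.0.2.10:49999
Nov 28 10:43:07 bvm1 openvpn[9338]: 192.0.2.10:49999 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1576 -- [Attempting restart...]
Nov 28 10:43:07 bvm1 openvpn[9338]: 192.0.2.10:49999 Connection reset, restarting [0]
Nov 28 11:02:15 bvm1 openvpn[9338]: TCP connection established with 198.51.100.7:51200
Nov 28 11:02:17 bvm1 openvpn[9338]: 198.51.100.7:51200 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:51200
Nov 28 12:43:25 bvm1 openvpn[9338]: TCP connection established with 203.0.113.9:52365
Nov 28 12:43:25 bvm1 openvpn[9338]: 203.0.113.9:52365 Connection reset, restarting [0]
"""

MSG = re.compile(r"openvpn\[\d+\]: (.*)$")
ESTABLISHED = re.compile(r"TCP connection established with (\S+)$")
BAD_LENGTH = re.compile(r"^(\S+) WARNING: Bad encapsulated packet length from peer \((\d+)\)")
INITIATED = re.compile(r"^(\S+) \[\S+\] Peer Connection Initiated")


def decode_length_prefix(length):
    """OpenVPN over TCP prefixes every packet with a 2-byte big-endian length, so a
    bogus value is simply the first two bytes the peer sent; decoding them shows what
    the probe looked like (18245 -> 'GE', the start of an HTTP request line)."""
    return length.to_bytes(2, "big").decode("ascii", errors="replace")


def classify(log_text):
    """Map each peer (ip:port) to 'client' (handshake completed), 'probe:<bytes>'
    (bad length prefix, decoded) or 'reset' (connected but never handshook)."""
    verdict = {}
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if e := ESTABLISHED.search(msg):
            verdict.setdefault(e.group(1), "reset")  # default until proven otherwise
        elif b := BAD_LENGTH.match(msg):
            verdict[b.group(1)] = "probe:" + decode_length_prefix(int(b.group(2)))
        elif i := INITIATED.match(msg):
            verdict[i.group(1)] = "client"
    return verdict


def non_client_sources(log_text):
    """Source IPs (port stripped) that never completed a handshake: the addresses a
    firewall allow-list for the known client(s) would have dropped before any log line."""
    return sorted({p.rsplit(":", 1)[0] for p, v in classify(log_text).items() if v != "client"})


if __name__ == "__main__":
    print(classify(SAMPLE_LOG), non_client_sources(SAMPLE_LOG))
```

Run over a real server log, the "probe:" verdicts tell you what kind of scanner hit the port, and the "reset" ones are what tls-auth would have cut off at the first packet.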

Re: Check my log

Posted: Tue Nov 29, 2011 4:07 pm
by shinjikenny
I have UDP ports 443, 444, 1194, 137 and TCP ports 80, 153

Re: Check my log

Posted: Tue Nov 29, 2011 4:12 pm
by janjust
You mean openvpn is listening on all of those ports? Then I'm not surprised about the port scans...

Re: Check my log

Posted: Tue Nov 29, 2011 4:35 pm
by shinjikenny
umm.. yes.. is there something wrong? :oops:
I realize that opening more ports on my server is putting me at risk.
Is there a way to temporarily close all those ports and just make a port open automatically when a client tries to connect to any of the ports?

Re: Check my log

Posted: Wed Nov 30, 2011 8:33 am
by janjust
Nope, there's nothing wrong, but those ports are ALWAYS scanned by script kiddies. This explains the connection attempts in your openvpn log.

There's no real way of opening a port when the client connects: the port needs to be open if a client wants to connect on UDP port 137 (etc etc).

Re: Check my log

Posted: Wed Nov 30, 2011 5:35 pm
by shinjikenny
ah I see, that makes sense :lol:

But if I opened that port for openvpn, openvpn will bind on that port, right?
And even if hackers found that port open, they won't be able to do much about it unless openvpn has security issues or they were able to steal one of my clients' configs? Am I right?

Re: Check my log

Posted: Thu Dec 01, 2011 7:41 am
by janjust
But if I opened that port for openvpn, openvpn will bind on that port, right?
yep
And even if hackers found that port open, they won't be able to do much about it unless openvpn has security issues or they were able to steal one of my clients' configs? Am I right?
If there's a security flaw in openvpn, or in your openvpn setup, then a hacker might be able to gain access to your local network via the VPN; but in that case ALL ports would be bad. There are currently no security issues known in OpenVPN itself.

Re: Check my log

Posted: Thu Dec 01, 2011 11:48 am
by shinjikenny
OK, thanks for the help :)