Add signature: OpenVPN

Issue #99 open
Former user created an issue

reporting this here because your captcha on https://www.sshguard.net/support/attacks/submit/ is broken

pattern:

openvpn reports failed connection attempts from 54.183.149.10:34791

connection attempts originate from different source ports for each source ip address

Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS handshake failed

description: this is a private openvpn server listening on udp port 1194 that i normally only use myself. i recently noticed high numbers of connection attempts; e.g. on september 4th alone i have seen 9432 of each of these log entries from 27 different ip addresses. someone is probably trying to exploit a bug or weak key in openvpn, tls or ssl.

Comments (7)

  1. Daniel Aleksandersen

    I believe that anyone who wants to contribute a patch should be able to use commit d46780116a527394de3d9baa204586a4bea3e63d as a template for what changes need to be made. Start by copying a sample of the line you want to match into attacks.txt so you can use test-sshg-parser to quickly test your work.

  2. Web User

    The current OpenVPN signature doesn’t really accomplish anything, below is what you should be looking for to detect possible malicious activity against an OpenVPN server.

    May 9 11:06:00 xxxxxx daemon.err openvpn[25962]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    May 9 11:06:00 xxxxxx daemon.err openvpn[25962]: TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx

  3. Web User

    Additionally you may also want to scan for…

    TLS Error: cannot locate HMAC in incoming packet from [AF_INET]115.236.33.146:23597
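
The log formats quoted in this thread, turned into detection logic as an added example (not sshguard's parser code and not written by any commenter). It assumes IPv4 peers; the function names, the threshold and the sample addresses are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Message texts are the ones quoted in this thread. "TLS key negotiation failed"
# is deliberately not matched: it is logged together with "TLS handshake failed",
# so counting both would double every attempt.
PATTERNS = [
    re.compile(r"openvpn\[\d+\]: " + IPV4 + r":\d+ TLS Error: TLS handshake failed\s*$"),
    re.compile(r"openvpn\[\d+\]: TLS Error: (?:incoming packet authentication failed"
               r"|cannot locate HMAC in incoming packet) from \[AF_INET\]"
               + IPV4 + r"(?::\d+)?\s*$"),
]

def attacker_ip(line):
    """Return the peer address of a failed OpenVPN attempt, or None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            try:
                # Reject strings that look like an address but are not one.
                return str(ip_address(match.group("ip")))
            except ValueError:
                return None
    return None

def offenders(lines, threshold=3):
    """Count failures per address, ignoring the source port, which changes
    on every attempt; return addresses at or above the threshold."""
    hits = Counter(ip for ip in map(attacker_ip, lines) if ip)
    return {ip: count for ip, count in hits.items() if count >= threshold}

# Constructed sample lines (documentation address ranges), same formats as above.
SAMPLE = [
    "Sep 04 00:00:06 hostname openvpn[23718]: 192.0.2.10:34791 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Sep 04 00:00:06 hostname openvpn[23718]: 192.0.2.10:34791 TLS Error: TLS handshake failed",
    "Sep 04 00:01:06 hostname openvpn[23718]: 192.0.2.10:40112 TLS Error: TLS handshake failed",
    "May  9 11:06:00 hostname daemon.err openvpn[25962]: Authenticate/Decrypt packet error: packet HMAC authentication failed",
    "May  9 11:06:00 hostname daemon.err openvpn[25962]: TLS Error: incoming packet authentication failed from [AF_INET]192.0.2.10:51000",
    "May  9 11:06:05 hostname daemon.err openvpn[25962]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:23597",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Because the server in this report listens on UDP, the source address of a packet that fails before the handshake completes can be forged, so a blocker acting on these counts should keep an allowlist for known peers.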
