- changed title to Add signature: OpenVPN
Add signature: OpenVPN
reporting this here because your captcha on https://www.sshguard.net/support/attacks/submit/ is broken
pattern:
openvpn reports failed connection attempts from 54.183.149.10:34791
connection attempts originate from different source ports for each source IP address
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS handshake failed
description: this is a private openvpn server listening on udp port 1194 that i normally only use myself. i recently noticed high numbers of connection attempts; e.g. on september 4th alone i have seen 9432 of each of these log entries from 27 different IP addresses. someone is probably trying to exploit a bug or weak key in openvpn, tls or ssl.
Comments (7)
- changed status to open
-
I believe that anyone who wants to contribute a patch should be able to use commit d46780116a527394de3d9baa204586a4bea3e63d as a template for what changes need to be made. Start by copying a sample of the line you want to match into attacks.txt so you can use test-sshg-parser to quickly test your work.
-
- marked as minor
- marked as enhancement
-
The current OpenVPN signature doesn’t really accomplish anything; below is what you should be looking for to detect possible malicious activity against an OpenVPN server.
May 9 11:06:00 xxxxxx daemon.err openvpn[25962]: Authenticate/Decrypt packet error: packet HMAC authentication failed
May 9 11:06:00 xxxxxx daemon.err openvpn[25962]: TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx -
Additionally you may also want to scan for…
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]115.236.33.146:23597
-
- attached attack_scanner.l
- attached attack_parser.y
These files contain the modified lines needed to add better OpenVPN monitoring.
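An added example, not part of the original thread and not sshguard's own scanner code: a Python prototype of the matching discussed in this issue, useful for checking sample lines before writing the lex rules. It keys on the source IP and ignores the source port, since the reporter notes the port changes on every attempt. The regexes and function names are assumptions, and the last sample line (192.0.2.7) is constructed because the thread masks that address.

```python
import re
from collections import Counter

# Sample input: log lines quoted in this issue, plus one constructed line (192.0.2.7).
SAMPLE_LOG = """\
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS handshake failed
May 9 11:06:00 xxxxxx daemon.err openvpn[25962]: Authenticate/Decrypt packet error: packet HMAC authentication failed
May 9 11:06:00 xxxxxx daemon.err openvpn[25962]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]115.236.33.146:23597
May 9 11:06:01 xxxxxx daemon.err openvpn[25962]: TLS Error: incoming packet authentication failed from [AF_INET]192.0.2.7:40112
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"openvpn\[\d+\]: "  # only trust lines emitted by the openvpn daemon
PATTERNS = [
    # Address first: "<ip>:<port> TLS Error: TLS handshake failed" or negotiation timeout.
    re.compile(PREFIX + IPV4 + r":\d+ TLS Error: TLS (?:handshake failed"
               r"|key negotiation failed to occur within \d+ seconds)"),
    # Address last: "TLS Error: ... from [AF_INET]<ip>:<port>".
    re.compile(PREFIX + r"TLS Error: (?:incoming packet authentication failed"
               r"|cannot locate HMAC in incoming packet) from \[AF_INET\]"
               + IPV4 + r":\d+"),
]

def offender(line):
    """Return the source IP if the line is a failed-handshake event, else None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("ip")
    return None

def count_offenders(log_text):
    """Count matching events per source IP; the source port is deliberately ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = offender(line)
        if ip is not None:
            counts[ip] += 1
    return counts

def over_threshold(log_text, threshold):
    """IPs with at least `threshold` matching events, sorted for stable output."""
    return sorted(ip for ip, n in count_offenders(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in count_offenders(SAMPLE_LOG).most_common():
        print(ip, n)
```

The "Authenticate/Decrypt packet error" line carries no address, so it cannot be attributed on its own; only the "TLS Error: ... from [AF_INET]" line that accompanies it yields a source to count.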