
Using fail2ban to block VPN bruteforce attempts


Applies to Platform: UTM 5.0
Last Update: 15 May 2023

Applies to Platform: UTM 6.0
Last Update: 15 May 2023

In this tutorial, we will set up Fail2Ban to monitor the OpenVPN log for the messages that indicate failed connection attempts, including bruteforce attacks, and block the source IP after three attempts.

Configuring fail2ban for OpenVPN service

Create a new Fail2Ban filter for OpenVPN by editing the following file:

 root@endian:~# nano /etc/fail2ban/filter.d/endian-openvpn.conf

Add the following content to the file:

[Definition]
# Continuation lines of failregex must be indented, otherwise fail2ban
# fails to parse the filter.
failregex = ^ (.*) TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ (.*) <HOST>:\d+ Connection reset, restarting
            ^ (.*) <HOST>:\d+ TLS Auth Error
            ^ (.*) <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ (.*) <HOST>:\d+ VERIFY ERROR
            ^ (.*) <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$
ignoreregex =

Save the file and exit the editor (Ctrl+X, then Y, then Enter).

Create a new Fail2Ban jail configuration by editing the following file:

 root@endian:~# nano /etc/fail2ban/jail.d/endian-openvpn.local

Add the following content to the file:

[endian-openvpn]
enabled = true
port = 1194
protocol = udp
filter = endian-openvpn
logpath = /var/log/openvpn/openvpn.log
maxretry = 3
bantime = 3600
chain = CUSTOMINPUT

Save the file and exit the editor (Ctrl+X, then Y, then Enter).

Note

Adjust the values in the jail configuration as needed:

port: The port on which OpenVPN is running.
protocol: The protocol used by OpenVPN (usually udp or tcp).
maxretry: The number of failed attempts before an IP is banned (3 in this example).
bantime: The duration (in seconds) for which an IP will be banned (3600 seconds, or 1 hour, in this example).

Fail2Ban is now set up to monitor the specified OpenVPN log file for the messages in the filter and to block IPs after three failed attempts. The IP addresses will be banned for the duration specified in the bantime setting.
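To see what the filter and the maxretry setting do before enabling the jail, the following added example (not part of the original article or of Endian's code) applies the failregex lines above to a few constructed log lines and reports which IPs would reach maxretry. It assumes a syslog-style timestamp on each line and a plain IPv4 capture in place of fail2ban's own <HOST> expansion.

```python
import re
from collections import Counter

# The failregex lines from the endian-openvpn filter above, copied verbatim.
FAILREGEX = [
    r"^ (.*) TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ (.*) <HOST>:\d+ Connection reset, restarting",
    r"^ (.*) <HOST>:\d+ TLS Auth Error",
    r"^ (.*) <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ (.*) <HOST>:\d+ VERIFY ERROR",
    r"^ (.*) <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$",
]

# fail2ban expands <HOST> to its own host/IP capture group; a plain IPv4
# capture is enough here (simplification for the example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# fail2ban removes the timestamp it detected before applying failregex, so the
# remainder starts with a space, which is what each "^ " above expects. The
# sample lines below use a syslog-style "May 15 10:21:03" timestamp (assumption).
TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}")

def match_failure(line):
    """Return the peer IP if the line matches any failregex, else None."""
    rest = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
    for pattern in PATTERNS:
        m = pattern.search(rest)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=3):
    """Count failures per IP and return the IPs that reached maxretry."""
    failures = Counter(h for h in map(match_failure, lines) if h)
    return sorted(h for h, n in failures.items() if n >= maxretry)

# Constructed sample log (not real traffic): 198.51.100.9 fails three times,
# 203.0.113.4 once, and the last line is a successful handshake that must not match.
SAMPLE_LOG = """\
May 15 10:21:03 endian openvpn[2231]: 198.51.100.9:51234 TLS Error: TLS handshake failed
May 15 10:21:09 endian openvpn[2231]: TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.9:51234
May 15 10:21:40 endian openvpn[2231]: 198.51.100.9:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 15 10:22:01 endian openvpn[2231]: 203.0.113.4:40001 VERIFY ERROR: depth=0, error=certificate has expired
May 15 10:22:30 endian openvpn[2231]: 192.0.2.10:44321 [client1] Peer Connection Initiated with [AF_INET]192.0.2.10:44321
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['198.51.100.9']
```

On a real system the same check is done with fail2ban-regex against the live log file, which also shows which lines the date detector failed to parse.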

Change the actionban command by editing the following file:

 root@endian:~# nano /etc/fail2ban/action.d/iptables-multiport.conf

Add the conntrack commands to the actionban line in the file, so that existing connection-tracking entries for the banned IP are flushed together with the iptables ban:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>; /usr/sbin/conntrack -D -s <ip>; /usr/sbin/conntrack -D -d <ip>; exit 0

Configuring for Endian 5.x version

Edit the following file:

 root@endian:~# nano /etc/fail2ban/action.d/iptables-common.conf

Find the following line:

iptables = iptables <lockingopt>

Remove the <lockingopt> part; the new line should look like this:

iptables = iptables

Start the fail2ban service:

 root@endian:~# /etc/init.d/fail2ban start

In Endian version 5.x fail2ban does not start with the system, so in order to have it up and running after a reboot, you will need to create the following file:

 root@endian:~# nano /etc/rc.d/event_startup_done.d/fail2ban

And add the following content to the file:

#!/bin/bash
# Start fail2ban once the Endian startup sequence has completed
/etc/init.d/fail2ban start

Make the file executable using this command:

 root@endian:~# chmod +x /etc/rc.d/event_startup_done.d/fail2ban

Configuring for Endian 6.x version

In Endian version 6.x fail2ban does not start with the system, so in order to have it up and running after a reboot, you will need to enable the service using the following command:

 root@endian:~# systemctl enable fail2ban

Start the fail2ban service:

 root@endian:~# systemctl start fail2ban

Check if it works

To check if it works, use the following command:

 root@endian:~# fail2ban-client status endian-openvpn

Additionally, you can check some logs using this command:

 root@endian:~# tail -f /var/log/fail2ban/fail2ban.log