Applies to Platform: UTM 5.0, UTM 6.0
Last Update: 15 May 2023
In this tutorial, we will set up Fail2Ban to monitor the OpenVPN log for TLS and authentication failures, the messages a brute-force attempt against the VPN produces, and block the source IP address after three matching attempts.
Configuring fail2ban for OpenVPN service
Create a new Fail2Ban filter for OpenVPN by editing the following file:
root@endian:~# nano /etc/fail2ban/filter.d/endian-openvpn.conf
Add the following content to the file:
[Definition]
failregex = ^ (.*) TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ (.*) <HOST>:\d+ Connection reset, restarting
            ^ (.*) <HOST>:\d+ TLS Auth Error
            ^ (.*) <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ (.*) <HOST>:\d+ VERIFY ERROR
            ^ (.*) <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$
ignoreregex =
The continuation lines of failregex must be indented, otherwise Fail2Ban will refuse to parse the filter file. <HOST> is Fail2Ban's placeholder for the address that gets banned.
Save the file and exit the editor (Ctrl+X, then Y, then Enter).
Create a new Fail2Ban jail configuration by editing the following file:
root@endian:~# nano /etc/fail2ban/jail.d/endian-openvpn.local
Add the following content to the file:
[endian-openvpn]
enabled = true
port = 1194
protocol = udp
filter = endian-openvpn
logpath = /var/log/openvpn/openvpn.log
maxretry = 3
bantime = 3600
chain = CUSTOMINPUT
Save the file and exit the editor (Ctrl+X, then Y, then Enter).
Note
Adjust the values in the jail configuration as needed:
port: the port on which OpenVPN is listening.
maxretry: the number of matching log lines from one IP address before it is banned.
bantime: how long, in seconds, the IP address stays banned.
Fail2Ban only counts attempts that fall inside its findtime window (600 seconds by default, since the jail above does not set findtime).
Fail2Ban is now set up to monitor the specified OpenVPN log file for the given messages and block IP addresses after three matching attempts. The IP addresses will be banned for the duration specified in the bantime setting.
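As an added, offline check of what the filter and jail above do (example code written for this page, not part of Endian or Fail2Ban), the Python script below applies the six failregex lines to a handful of constructed OpenVPN log lines and counts matches per source IP the way a jail with maxretry = 3 does, including the findtime window that decides whether slow, spread-out failures ever reach the threshold. The syslog-style prefix between the timestamp and the address, the year 2023, the simplified stand-in for <HOST> and the 600-second findtime (Fail2Ban's default) are assumptions.

```python
"""Offline replay of the endian-openvpn jail: which IPs would it ban?

Added example for this page, not fail2ban's or Endian's own code.  It applies
the page's failregex lines to constructed OpenVPN log lines and counts matches
per source IP the way a jail with maxretry = 3 does.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> group.  Assumption: only bare IPv4/IPv6
# literals; real fail2ban also matches hostnames and bracketed addresses.
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# The six failregex lines from endian-openvpn.conf, unchanged.
FAILREGEX = [
    r"^ (.*) TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ (.*) <HOST>:\d+ Connection reset, restarting",
    r"^ (.*) <HOST>:\d+ TLS Auth Error",
    r"^ (.*) <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ (.*) <HOST>:\d+ VERIFY ERROR",
    r"^ (.*) <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Assumed syslog-style timestamp.  fail2ban cuts the matched date out of the
# line and applies failregex to the remainder, leading space included, which
# is why every pattern above starts with "^ (.*)".
DATE_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")
YEAR = 2023  # syslog timestamps carry no year; assumed for the sample

# Constructed log lines (not a real capture): one attacker that fails three
# times in 20 seconds, one client whose failures are spread over 30 minutes,
# and a successful connection that must not match.
SAMPLE_LOG = """\
May 15 10:00:01 endian openvpn[2210]: 203.0.113.7:51234 TLS Error: TLS handshake failed
May 15 10:00:09 endian openvpn[2210]: 203.0.113.7:51234 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51234
May 15 10:00:15 endian openvpn[2210]: 198.51.100.20:4433 VERIFY ERROR: depth=0, error=certificate has expired
May 15 10:00:20 endian openvpn[2210]: 203.0.113.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 15 10:01:02 endian openvpn[2210]: 198.51.100.20:4433 Connection reset, restarting [0]
May 15 10:30:00 endian openvpn[2210]: 198.51.100.20:4433 TLS Auth Error: Auth Username/Password verification failed for peer
May 15 10:30:05 endian openvpn[2210]: [client1] Peer Connection Initiated with [AF_INET]192.0.2.9:1194
"""


def match_line(line):
    """Return (timestamp, host) if a failregex matches the line, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("date"), "%b %d %H:%M:%S").replace(year=YEAR)
    rest = line[m.end():]
    for rx in COMPILED:  # first matching failregex wins, as in fail2ban
        fm = rx.search(rest)
        if fm:
            return when, fm.group("host")
    return None


def count_failures(lines):
    """Total failregex matches per host, ignoring time (a quick filter check)."""
    counts = defaultdict(int)
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def simulate_jail(lines, maxretry=3, findtime=600):
    """Replay lines through the jail's counting rule.

    Returns {host: time_of_ban} for every host that reaches maxretry matches
    within findtime seconds.  findtime defaults to fail2ban's 600 s, which the
    jail on this page does not override.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-host timestamps inside the window
    bans = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        when, host = hit
        q = recent[host]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()  # older than findtime: no longer counted
        if len(q) >= maxretry:
            bans[host] = when
            q.clear()
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("matches per host:", count_failures(lines))
    for host, when in simulate_jail(lines).items():
        print(f"ban {host} at {when:%H:%M:%S} (bantime 3600 s)")
```

Both hosts produce three matching lines, but only 203.0.113.7 is banned with the default findtime; 198.51.100.20 is banned only when findtime is raised to cover its 30-minute spread, which is the knob to adjust if slow brute-force attempts are a concern. The simulated lines carry a syslog prefix between the timestamp and the address; if the lines in /var/log/openvpn/openvpn.log look different, running fail2ban-regex against the real file and the filter is the authoritative check.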
Change actionban command by editing the following file:
root@endian:~# nano /etc/fail2ban/action.d/iptables-multiport.conf
Add the conntrack commands to the actionban line, so that banning an address also deletes the connections the kernel is already tracking for it. Without this, packets of a UDP session that conntrack already knows can keep passing the firewall's existing accept rules, and the attacker's current session is not cut until it times out. The trailing exit 0 keeps the action reporting success even when conntrack finds no matching entries to delete:
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>; /usr/sbin/conntrack -D -s <ip>; /usr/sbin/conntrack -D -d <ip>; exit 0
Note that this file is shared by every jail that uses the iptables-multiport action. If you want the change to survive a package update, Fail2Ban also reads a file named iptables-multiport.local in the same directory on top of the shipped .conf.
Configuring for Endian 5.x version
Edit the following file:
root@endian:~# nano /etc/fail2ban/action.d/iptables-common.conf
Find the following line:
iptables = iptables <lockingopt>
Remove the <lockingopt> part (Fail2Ban expands it to the iptables -w locking option, which older iptables builds do not accept); the new line should look like this:
iptables = iptables
Starting the fail2ban service:
root@endian:~# /etc/init.d/fail2ban start
In Endian version 5.x, fail2ban does not start with the system, so in order to have it up and running after a reboot you will need to create the following file:
root@endian:~# nano /etc/rc.d/event_startup_done.d/fail2ban
And add the following content to the file:
#!/bin/bash
/etc/init.d/fail2ban start
Make the file executable using this command:
root@endian:~# chmod +x /etc/rc.d/event_startup_done.d/fail2ban
Configuring for Endian 6.x version
In Endian version 6.x, fail2ban does not start with the system either, so in order to have it up and running after a reboot you will need to enable the service using the following command:
root@endian:~# systemctl enable fail2ban
Starting the fail2ban service:
root@endian:~# systemctl start fail2ban
Check if it works
To check that the jail is running, and to see how many IP addresses are currently counted as failed and how many are banned, use the following command:
root@endian:~# fail2ban-client status endian-openvpn
If the status shows no matches even though the OpenVPN log clearly contains failures, run fail2ban-regex against the log file and the filter file to confirm that the failregex lines match the log format in use.
To follow what Fail2Ban is doing in real time (filter matches, bans and unbans, and any errors from the ban action), tail its own log with this command:
root@endian:~# tail -f /var/log/fail2ban/fail2ban.log