Openvpn jail for fail2ban

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-fail2ban/nethserver-fail2ban-0.1.8-1.ns7.sdl.noarch.rpm

for NS7, please try to ban yourself. I enforced the maxretry @phonon112358, but I don’t know if it will be enough to solve your issue.

you can test if the jail is good by

fail2ban-regex /var/log/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-fail2ban/nethserver-fail2ban-0.0.10-1.ns6.sdl.noarch.rpm

for ns6, same for the regex above

Ola

Do some people here have logs to share for openvpn, or could test the jail themselves? Thanks in advance

While my test server has some custom-template on openvpn server and some changes on client config, the openvpn-jail is working great :slight_smile: :heart_eyes:
I don’t know if it’s the normal behavior, but after submitting the Unban IP, I must also refresh the page to see the Currently Banned status update to 0
tnx again, great work

2 Likes

released, thanks to @dz00te and @phonon112358

sorry for the delay… I had been busy with other projects…

@stephdl great implementation of the jail…! :wink: thanks!

unfortunately, the jail doesn’t ban me if I use wrong TLS settings in order to connect…

> stephdl wrote (post 4): fail2ban-regex /var/log/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf

# fail2ban-regex /var/log/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf

Running tests

Use failregex filter file : openvpn, basedir: /etc/fail2ban
Use log file : /var/log/openvpn/openvpn.log
Use encoding : UTF-8

Results

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [4810] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-

Lines: 4840 lines, 0 ignored, 0 matched, 4840 missed
[processed in 0.32 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 4840 lines

some of the missed lines are:

SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
WWWSun Mar 19 18:24:49 2017 us=9638 192.168.2.103:62562 SIGTERM[soft,delayed-exit] received, client-instance exiting
Sun Mar 19 18:24:58 2017 us=844525 MULTI: multi_create_instance called
Sun Mar 19 18:24:58 2017 us=844578 192.168.2.103:60462 Re-using SSL/TLS context
Sun Mar 19 18:24:58 2017 us=844591 192.168.2.103:60462 LZO compression initialized
Sun Mar 19 18:24:58 2017 us=844653 192.168.2.103:60462 Control Channel MTU parms [ L:1602 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Mar 19 18:24:58 2017 us=844662 192.168.2.103:60462 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Mar 19 18:24:58 2017 us=844676 192.168.2.103:60462 Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Sun Mar 19 18:24:58 2017 us=844681 192.168.2.103:60462 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Sun Mar 19 18:24:58 2017 us=844690 192.168.2.103:60462 Local Options hash (VER=V4): 'aaa173e3'
Sun Mar 19 18:24:58 2017 us=844700 192.168.2.103:60462 Expected Remote Options hash (VER=V4): '9c102b00'
RSun Mar 19 18:24:58 2017 us=844731 192.168.2.103:60462 TLS: Initial packet from [AF_INET]192.168.2.103:60462 (via [AF_INET]192.168.2.99%em1), sid=c97f1cc4 a7197df0
WRRWWWRRRWRFailed to open the accounts database
Sun Mar 19 18:24:59 2017 us=963178 192.168.2.103:60462 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Sun Mar 19 18:24:59 2017 us=963202 192.168.2.103:60462 TLS Auth Error: Auth Username/Password verification failed for peer
Sun Mar 19 18:24:59 2017 us=963218 192.168.2.103:60462 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1542'
Sun Mar 19 18:24:59 2017 us=963228 192.168.2.103:60462 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Sun Mar 19 18:24:59 2017 us=963235 192.168.2.103:60462 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth SHA1'
Sun Mar 19 18:24:59 2017 us=963242 192.168.2.103:60462 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
WRSun Mar 19 18:24:59 2017 us=964154 192.168.2.103:60462 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Sun Mar 19 18:24:59 2017 us=964181 192.168.2.103:60462 Peer Connection Initiated with [AF_INET]192.168.2.103:60462 (via [AF_INET]192.168.2.99%em1)
RSun Mar 19 18:25:01 2017 us=36034 192.168.2.103:60462 PUSH: Received control message: 'PUSH_REQUEST'
Sun Mar 19 18:25:01 2017 us=36056 192.168.2.103:60462 Delayed exit in 5 seconds
Sun Mar 19 18:25:01 2017 us=36064 192.168.2.103:60462 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
WWWSun Mar 19 18:25:06 2017 us=393799 192.168.2.103:60462 SIGTERM[soft,delayed-exit] received, client-instance exiting

similarly with the other authentication methods (certificate only, certificate + user + password)…

I don’t know why it doesn’t work in such situations…

@phonon112358 can you send me your log file by email please? On which version of NS are you?.. @dz00te can you do the same please: which version, your log file, and what authentication do you use?

@phonon112358 I recall that you have some issues also with the phpmyadmin jail; I worry that your fail2ban installation is broken somehow

I use NS7…
but I have tried the jail on a virtual box with NS6 too… same behavior when using a misconfigured client… (however sending the logs of NS6 is a bit difficult for me since I have no ssh on it - due to a misconfiguration of the network adapters…).

the apache-auth jail (and other jails) are working perfectly and also the new jail for openVPN works if I configure the client rightly and only use wrong authentication data (e. g. wrong passwords)…!

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

this is what we are looking for, it probably makes sense that the jail doesn’t work if the client is badly configured.
I suppose that you are talking of bad certificates ?

yes and also about inconsistent ciphers etc. see my example in the post above…there fail2ban didn’t work, for example…

I saw that the jail had to be adapted, now workable for ns7, thanks to @phonon112358.

I need openvpn log for NS6, please could you email me the openvpn.logs

1 Like

The new versions (for NS6 and NS7) solved indeed the problems and ban me whenever I use a misconfigured client for openVPN…!!! :wink:
thanks a lot!! :wink: @stephdl

1 Like

So what? Is it working correctly?

yes :slight_smile:

yes - as far as it was tested…! :wink:

1 Like

mhhh… i think i am a little bit late :slight_smile:
great work @stephdl and @phonon112358
tnx

1 Like

I have now the following problem:
The jail for openVPN is somehow a bit too strong, i.e., it bans a client even if the network connection is not entirely stable for some reason…

the important lines of the openvpn.log file of the server (NS7) are:

Sat Apr 22 16:17:09 2017 user/188.99.117.25:60704 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr 22 16:17:09 2017 user/188.99.117.25:60704 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr 22 16:17:09 2017 user/188.99.117.25:60704 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Sat Apr 22 16:18:09 2017 user/188.99.117.25:60704 TLS: soft reset sec=0 bytes=6226/-1 pkts=19/0
Sat Apr 22 16:19:09 2017 user/188.99.117.25:60704 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 22 16:19:09 2017 user/188.99.117.25:60704 TLS Error: TLS handshake failed
Sat Apr 22 16:19:09 2017 user/188.99.117.25:60704 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Sat Apr 22 16:20:25 2017 user/188.99.117.25:60704 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 22 16:20:25 2017 user/188.99.117.25:60704 TLS Error: TLS handshake failed
Sat Apr 22 16:21:40 2017 user/188.99.117.25:60704 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 22 16:21:40 2017 user/188.99.117.25:60704 TLS Error: TLS handshake failed
Sat Apr 22 16:22:08 2017 user/188.99.117.25:60704 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Apr 22 16:22:08 2017 user/188.99.117.25:60704 SIGUSR1[soft,ping-restart] received, client-instance restarting

The connection was successfully established, then some network error occurs (I don’t know why…) and then the client is banned by the openvpn jail…

I have had this problem several times now, also with different clients…
Any idea how to circumvent the falsely banning? perhaps adding something in the ignoreregex command of the filter? I did already some googling about that but couldn’t find anything helpful…

Could you please send me the full log by email

Looking at your issue… fail2ban is doing its job. If you look at https://github.com/stephdl/nethserver-fail2ban/blob/ns7/root/etc/fail2ban/filter.d/openvpn.conf you can see that the regex caught ‘TLS Error: TLS handshake failed’ several times

Two options

Either we remove this regex or you solve your network issue.

Some clues https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html

Google seems to get a lot of answers

what about if you add ‘:\d+ TLS Error: TLS handshake failed’ to the ignoreregex

it won’t solve your issue, it is just a workaround.

1 Like
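The two things the thread keeps coming back to are the filter posted above (the five failregex lines from openvpn.conf) and the ignoreregex workaround for clients on a flaky link. The script below is an added example, not code from the thread or from nethserver-fail2ban: it replays constructed OpenVPN log lines (RFC 5737 documentation addresses) through those patterns the way fail2ban-regex would, counting failures per host against maxretry and findtime, first with the filter as posted and then with the proposed ignoreregex. The `HOST` group is a simplified stand-in for what fail2ban substitutes for `<HOST>`, and the date handling covers only OpenVPN's "Sat Apr 22 16:19:09 2017" prefix.

```python
import re
from datetime import datetime

# Simplified stand-in for the group fail2ban substitutes for <HOST>
# (assumption: fail2ban's real pattern also handles IPv6 prefixes).
HOST = r"(?P<host>[\w\-.]+)"

# The failregex lines quoted in the thread from filter.d/openvpn.conf.
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]

# The ignoreregex workaround proposed in the thread for flaky links.
IGNOREREGEX_WORKAROUND = [r":\d+ TLS Error: TLS handshake failed"]

# fail2ban strips the timestamp before applying failregex, which is why each
# pattern starts with "^ " (the space that followed the date). This covers
# OpenVPN's "Sat Apr 22 16:19:09 2017" prefix only (assumption for the demo).
DATE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})(?P<rest>.*)$"
)

# Constructed sample log (documentation addresses, not real clients): one
# client flapping on a bad link, one client failing authentication, and one
# NS7-style line carrying a "user/" prefix in front of the address.
SAMPLE_LOG = """\
Sat Apr 22 16:17:09 2017 192.0.2.10:60704 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Sat Apr 22 16:19:09 2017 192.0.2.10:60704 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 22 16:19:09 2017 192.0.2.10:60704 TLS Error: TLS handshake failed
Sat Apr 22 16:20:25 2017 192.0.2.10:60704 TLS Error: TLS handshake failed
Sat Apr 22 16:21:40 2017 192.0.2.10:60704 TLS Error: TLS handshake failed
Sat Apr 22 16:22:08 2017 192.0.2.10:60704 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Apr 22 16:30:01 2017 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:51223
Sat Apr 22 16:30:05 2017 198.51.100.7:51223 TLS Auth Error: Auth Username/Password verification failed for peer
Sat Apr 22 16:30:09 2017 198.51.100.7:51223 VERIFY ERROR: depth=0, error=certificate has expired
Sat Apr 22 16:40:00 2017 alice/203.0.113.5:1194 TLS Error: TLS handshake failed
"""


def simulate_jail(log_text, failregex=FAILREGEX, ignoreregex=(), maxretry=3, findtime=600):
    """Replay log lines through the filter the way fail2ban-regex would.

    Returns (counts, banned): counted failures per host, and the hosts whose
    failures reached maxretry within findtime seconds. A line matching any
    ignoreregex is dropped before failregex is tried, as in fail2ban.
    """
    fail_res = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    ignore_res = [re.compile(p) for p in ignoreregex]
    hits = {}        # host -> list of failure timestamps
    banned = set()
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue  # fail2ban skips lines whose date it cannot parse
        when = datetime.strptime(m.group("date"), "%a %b %d %H:%M:%S %Y")
        rest = m.group("rest")
        if any(r.search(rest) for r in ignore_res):
            continue  # ignoreregex wins over failregex
        for r in fail_res:
            hit = r.search(rest)
            if hit:
                host = hit.group("host")
                ts = hits.setdefault(host, [])
                ts.append(when)
                recent = [t for t in ts if (when - t).total_seconds() <= findtime]
                if len(recent) >= maxretry:
                    banned.add(host)
                break
    counts = {host: len(ts) for host, ts in hits.items()}
    return counts, banned


if __name__ == "__main__":
    for label, ignore in (("filter as posted", ()),
                          ("with ignoreregex workaround", IGNOREREGEX_WORKAROUND)):
        counts, banned = simulate_jail(SAMPLE_LOG, ignoreregex=ignore)
        print(f"{label}: failures={counts} banned={sorted(banned)}")
```

With the filter as posted, the flapping client 192.0.2.10 collects three "TLS handshake failed" hits in 151 seconds and is banned alongside the genuinely failing 198.51.100.7, which is exactly the complaint above; with the ignoreregex the flapping client drops to zero while the auth failures and certificate error still ban 198.51.100.7. The `alice/203.0.113.5` line never counts under these patterns because they expect the address directly after the timestamp, which is why a filter has to be checked against the real log format with fail2ban-regex before trusting the jail.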