Because so far today, fail2ban has blocked over 25 IPs on my server, and prior to today I have never seen any block on OpenVPN.
Cheers.
there’s Voracle attack from this month:
Same here, no entries the last days, but I found entries in older logs too.
[root@server ~]# cat /var/log/fail2ban.log | grep "openvpn] Ban"
2018-08-29 17:01:03,200 fail2ban.actions [20448]: NOTICE [openvpn] Ban 54.38.54.99
2018-08-29 17:02:21,597 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 17:06:22,147 fail2ban.actions [20448]: NOTICE [openvpn] Ban 198.23.252.109
2018-08-29 17:12:23,836 fail2ban.actions [20448]: NOTICE [openvpn] Ban 23.94.184.47
2018-08-29 17:34:43,172 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 17:38:48,057 fail2ban.actions [20448]: NOTICE [openvpn] Ban 198.23.252.109
2018-08-29 17:39:31,408 fail2ban.actions [20448]: NOTICE [openvpn] Ban 143.202.36.18
2018-08-29 17:49:47,654 fail2ban.actions [20448]: NOTICE [openvpn] Ban 23.94.184.47
2018-08-29 18:07:12,364 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 18:38:36,956 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 19:09:59,499 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 19:41:25,076 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 20:05:14,950 fail2ban.actions [20448]: NOTICE [openvpn] Ban 147.135.199.41
2018-08-29 20:33:02,157 fail2ban.actions [20448]: NOTICE [openvpn] Ban 54.183.149.10
2018-08-29 20:58:29,444 fail2ban.actions [20448]: NOTICE [openvpn] Ban 178.217.186.86
2018-08-29 21:03:14,360 fail2ban.actions [20448]: NOTICE [openvpn] Ban 37.230.228.92
2018-08-29 21:28:34,663 fail2ban.actions [20448]: NOTICE [openvpn] Ban 103.206.192.227
2018-08-29 21:28:51,996 fail2ban.actions [20448]: NOTICE [openvpn] Ban 104.223.60.5
2018-08-29 21:29:32,353 fail2ban.actions [20448]: NOTICE [openvpn] Ban 66.82.204.116
2018-08-29 21:30:03,701 fail2ban.actions [20448]: NOTICE [openvpn] Ban 78.47.84.146
2018-08-29 21:30:32,043 fail2ban.actions [20448]: NOTICE [openvpn] Ban 66.82.204.215
2018-08-29 21:31:16,405 fail2ban.actions [20448]: NOTICE [openvpn] Ban 66.82.203.229
2018-08-29 21:31:42,747 fail2ban.actions [20448]: NOTICE [openvpn] Ban 109.190.166.182
2018-08-29 21:35:29,611 fail2ban.actions [20448]: NOTICE [openvpn] Ban 54.38.54.99
1 Like
Here’s mine:
[root@Nethserver ~]# grep "openvpn] Ban" /var/log/fail2ban.log*
/var/log/fail2ban.log:2018-08-29 08:04:24,156 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.59.10.176
/var/log/fail2ban.log:2018-08-29 08:08:28,630 fail2ban.actions [27683]: NOTICE [openvpn] Ban 198.23.252.109
/var/log/fail2ban.log:2018-08-29 08:14:27,638 fail2ban.actions [27683]: NOTICE [openvpn] Ban 23.94.184.47
/var/log/fail2ban.log:2018-08-29 08:36:49,984 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.59.10.176
/var/log/fail2ban.log:2018-08-29 08:39:38,187 fail2ban.actions [27683]: NOTICE [openvpn] Ban 143.202.36.18
/var/log/fail2ban.log:2018-08-29 08:40:56,396 fail2ban.actions [27683]: NOTICE [openvpn] Ban 198.23.252.109
/var/log/fail2ban.log:2018-08-29 08:51:53,010 fail2ban.actions [27683]: NOTICE [openvpn] Ban 23.94.184.47
/var/log/fail2ban.log:2018-08-29 09:09:14,134 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.59.10.176
/var/log/fail2ban.log:2018-08-29 09:40:39,057 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.59.10.176
/var/log/fail2ban.log:2018-08-29 10:12:02,958 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.59.10.176
/var/log/fail2ban.log:2018-08-29 10:43:28,014 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.59.10.176
/var/log/fail2ban.log:2018-08-29 11:33:29,190 fail2ban.actions [27683]: NOTICE [openvpn] Ban 54.183.149.10
/var/log/fail2ban.log:2018-08-29 11:58:39,389 fail2ban.actions [27683]: NOTICE [openvpn] Ban 178.217.186.86
/var/log/fail2ban.log:2018-08-29 12:03:23,407 fail2ban.actions [27683]: NOTICE [openvpn] Ban 37.230.228.92
/var/log/fail2ban.log:2018-08-29 12:28:41,348 fail2ban.actions [27683]: NOTICE [openvpn] Ban 103.206.192.227
/var/log/fail2ban.log:2018-08-29 12:28:58,784 fail2ban.actions [27683]: NOTICE [openvpn] Ban 104.223.60.5
/var/log/fail2ban.log:2018-08-29 12:29:37,549 fail2ban.actions [27683]: NOTICE [openvpn] Ban 66.82.204.116
/var/log/fail2ban.log:2018-08-29 12:30:09,094 fail2ban.actions [27683]: NOTICE [openvpn] Ban 78.47.84.146
/var/log/fail2ban.log:2018-08-29 12:30:38,847 fail2ban.actions [27683]: NOTICE [openvpn] Ban 66.82.204.215
/var/log/fail2ban.log:2018-08-29 12:31:23,416 fail2ban.actions [27683]: NOTICE [openvpn] Ban 66.82.203.229
/var/log/fail2ban.log:2018-08-29 12:31:48,962 fail2ban.actions [27683]: NOTICE [openvpn] Ban 109.190.166.182
[root@Nethserver ~]#
Notice that I’m searching through the current AND 4 previous weeks logs and today is the first time any IPs have been banned. Hence my question about a possible new attack vector.
Hmmmmmm. There’s quite a few IPs there from both of us. 
Cheers.
1 Like
Do you host a nethserver mirror? Maybe they parse the mirror list?
Nope. Just a small home network. Apart from the usual web/mail/ftp/openvpn ports open, the only other inbounds allowed are Plex and tor relay.
But it sure looks like the same bot-swarm checking us both out. 
Cheers.
I guess it’s the same time, my timezone is UTC + 2 (CEST)? I am excited if other users notice similar attacks…
EDIT:
I found similar attacks/IPs on another Nethserver (VPS) too.
Looks that way. I’m UTC - 7 (PDT).
Cheers.
Here’s mine:
[root@motodo ~]# cat /var/log/fail2ban.log | grep “openvpn] Ban”
2018-08-27 18:04:12,532 fail2ban.actions [2626]: NOTICE [openvpn] Ban 190.148.78.188
2018-08-27 18:05:43,542 fail2ban.actions [2626]: NOTICE [openvpn] Ban 190.148.78.22
2018-08-29 09:02:47,868 fail2ban.actions [2626]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 09:06:48,929 fail2ban.actions [2626]: NOTICE [openvpn] Ban 198.23.252.109
2018-08-29 09:12:48,921 fail2ban.actions [2626]: NOTICE [openvpn] Ban 23.94.184.47
2018-08-29 09:39:32,350 fail2ban.actions [2626]: NOTICE [openvpn] Ban 143.202.36.18
2018-08-29 10:04:57,315 fail2ban.actions [2626]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 11:10:26,417 fail2ban.actions [2626]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 12:33:25,599 fail2ban.actions [2626]: NOTICE [openvpn] Ban 54.183.149.10
2018-08-29 12:58:31,731 fail2ban.actions [2626]: NOTICE [openvpn] Ban 178.217.186.86
2018-08-29 13:03:16,834 fail2ban.actions [2626]: NOTICE [openvpn] Ban 37.230.228.92
2018-08-29 13:10:51,694 fail2ban.actions [6683]: NOTICE [openvpn] Ban 178.217.186.86
2018-08-29 13:10:53,058 fail2ban.actions [6683]: NOTICE [openvpn] Ban 37.230.228.92
2018-08-29 13:10:53,675 fail2ban.actions [6683]: NOTICE [openvpn] Ban 54.183.149.10
2018-08-29 13:13:14,259 fail2ban.actions [9168]: NOTICE [openvpn] Ban 178.217.186.86
2018-08-29 13:13:15,632 fail2ban.actions [9168]: NOTICE [openvpn] Ban 37.230.228.92
2018-08-29 13:13:16,253 fail2ban.actions [9168]: NOTICE [openvpn] Ban 54.183.149.10
2018-08-29 13:28:36,906 fail2ban.actions [9168]: NOTICE [openvpn] Ban 103.206.192.227
2018-08-29 13:28:54,642 fail2ban.actions [9168]: NOTICE [openvpn] Ban 104.223.60.5
2018-08-29 13:29:33,002 fail2ban.actions [9168]: NOTICE [openvpn] Ban 66.82.204.116
2018-08-29 13:30:03,752 fail2ban.actions [9168]: NOTICE [openvpn] Ban 78.47.84.146
2018-08-29 13:30:34,603 fail2ban.actions [9168]: NOTICE [openvpn] Ban 66.82.204.215
2018-08-29 13:31:18,165 fail2ban.actions [9168]: NOTICE [openvpn] Ban 66.82.203.229
2018-08-29 13:31:44,011 fail2ban.actions [9168]: NOTICE [openvpn] Ban 109.190.166.182
[root@motodo ~]#
Thanks for this hint. It began yesterday evening and lasted the hole night.
Tons of TLS key negotiation failed in openvpn.log from outside IP’s.
Installed fail2ban now.
@dnutan So if we uncheck the compression here
all should be save, but loosing performance, right?
I also noticed a LOT of fail2ban blocks for OpenVPN… (I do love fail2ban knowing this makes my server a lot safer)
It seems so, IIUC. Bear in mind the attack has to meet some conditions. The reported scans can be unrelated to this attack.
1 Like
Same here:
2018-08-29 17:04:49,486 fail2ban.actions [2301]: NOTICE [openvpn] Ban 37.59.10.176
2018-08-29 17:08:55,235 fail2ban.actions [2301]: NOTICE [openvpn] Ban 198.23.252.109
2018-08-29 17:14:54,028 fail2ban.actions [2301]: NOTICE [openvpn] Ban 23.94.184.47
2018-08-29 17:39:40,979 fail2ban.actions [2301]: NOTICE [openvpn] Ban 143.202.36.18
2018-08-29 20:33:29,716 fail2ban.actions [2301]: NOTICE [openvpn] Ban 54.183.149.10
2018-08-29 20:58:43,179 fail2ban.actions [2301]: NOTICE [openvpn] Ban 178.217.186.86
2018-08-29 21:03:25,188 fail2ban.actions [2301]: NOTICE [openvpn] Ban 37.230.228.92
2018-08-29 21:28:43,146 fail2ban.actions [2301]: NOTICE [openvpn] Ban 103.206.192.227
2018-08-29 21:28:59,685 fail2ban.actions [2301]: NOTICE [openvpn] Ban 104.223.60.5
2018-08-29 21:29:40,451 fail2ban.actions [2301]: NOTICE [openvpn] Ban 66.82.204.116
2018-08-29 21:30:11,303 fail2ban.actions [2301]: NOTICE [openvpn] Ban 78.47.84.146
2018-08-29 21:30:40,347 fail2ban.actions [2301]: NOTICE [openvpn] Ban 66.82.204.215
2018-08-29 21:31:25,102 fail2ban.actions [2301]: NOTICE [openvpn] Ban 66.82.203.229
2018-08-29 21:31:50,141 fail2ban.actions [2301]: NOTICE [openvpn] Ban 109.190.166.182
Continuing with this topic, I has been check the fail2ban logs and I found this
The yellow mark log show Unban Ip, but i don’t unban any ip on this time, so what do you tinnk on this case.
Fail2ban sets a ban for a limited time. By default it’s 3? hours. After that set time an IP is removed (unbanned) from the blacklist.
1 Like
Is there a way to tweak the recidive ban on a per jail basis. Since I started getting these OpenVPN messages (almost 200 in the past month, 0 in the previous 6 months) I was looking at putting a more stringent rule for these.
Cheers.
2 Likes
You have probably some eastern eggs in the esmith template of jail.local, please hunt them
This is getting bizarre. last week I had 434 bans by fail2ban of which 412 on openvpn service…
1 Like
You are right. 577 bans in openvpn and counting… Love fail2ban
Edit: 578
1 Like
me too I can see a lot of ban in the openvpn Jail