OpenVPN



OpenVPN version 2.0.9-8 (Debian)

  • Sep 14 13:05:59 somehost ovpn-server[4421]: Re-using SSL/TLS context
  • Sep 14 13:05:59 somehost ovpn-server[4421]: TCP connection established with 192.0.2.1:63589
  • Sep 14 13:05:59 somehost ovpn-server[4421]: TCPv4_SERVER link local: [undef]
  • Sep 14 13:05:59 somehost ovpn-server[4421]: TCPv4_SERVER link remote: 192.0.2.1:63589
  • Sep 14 13:06:01 somehost ovpn-server[4421]: 192.0.2.1:63589 WARNING: Bad encapsulated packet length from peer (65524), which must be > 0 and <= 1575 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]
  • Sep 14 13:06:01 somehost ovpn-server[4421]: 192.0.2.1:63589 Connection reset, restarting [0]


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please propose your changes on the discussion page before editing this section.

* <HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]

Detecting multiple connection resets seems to be a possible baseline...
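
The following is an added example, not part of the original wiki page or of Fail2ban's own code: it expands the <HOST> tag with the alias quoted above, runs the proposed failregex over the page's log lines plus two constructed ones, and counts connection resets per host. Matching whole lines with re.search, the function names, and the threshold of 2 are assumptions made for illustration.

```python
import re
from collections import Counter

# Alias that Fail2ban substitutes for the <HOST> tag, as quoted on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Proposed failregex from this page, verbatim.
FAILREGEX = r"<HOST>:[0-9]{4,5} Connection reset, restarting \[[0-9]{1,2}\]"
MAXRETRY = 2  # constructed threshold for this example

PREFIX = "somehost ovpn-server[4421]: "
# The first three lines come from the page's log excerpt; the last two are constructed.
SAMPLE_LOG = [
    "Sep 14 13:05:59 " + PREFIX + "TCP connection established with 192.0.2.1:63589",
    "Sep 14 13:06:01 " + PREFIX + "192.0.2.1:63589 WARNING: Bad encapsulated packet "
    "length from peer (65524), which must be > 0 and <= 1575 -- please ensure that "
    "--tun-mtu or --link-mtu is equal on both peers -- this condition could also "
    "indicate a possible active attack on the TCP link -- [Attemping restart...]",
    "Sep 14 13:06:01 " + PREFIX + "192.0.2.1:63589 Connection reset, restarting [0]",
    "Sep 14 13:06:07 " + PREFIX + "192.0.2.1:63612 Connection reset, restarting [0]",
    "Sep 14 13:06:09 " + PREFIX + "::ffff:192.0.2.7:51000 Connection reset, restarting [0]",
]


def compile_failregex(failregex):
    """Expand the single <HOST> tag into the alias and compile the result."""
    if failregex.count("<HOST>") != 1:
        raise ValueError("this sketch expects exactly one <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def count_failures(lines, pattern):
    """Return a Counter mapping each captured host to its number of matching lines."""
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def over_threshold(hits, maxretry):
    """Hosts whose match count reaches maxretry, i.e. repeated connection resets."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    hits = count_failures(SAMPLE_LOG, compile_failregex(FAILREGEX))
    print(dict(hits), over_threshold(hits, MAXRETRY))
```

Only the "Connection reset, restarting" lines count as failures here; the preceding WARNING line carries the same address but is not matched by the proposed expression.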