I just installed Entware on a DD-WRT router running openvpn server. I am trying to install a proper openvpn /opt/etc/fail2ban/filter.d/openvpn.conf filter for fail2ban, but am having problems modifying the regex filter posted at: https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN so that it's tailored towards the DD-WRT version of system logs.
In the fail2ban wiki, they say a Debian named openvpn.conf should look like this:
# Fail2Ban filter for selected OpenVPN rejections
#
#
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
I don't think the regex that the fail2ban wiki is using matches up with how my logs look in the DD-WRT version of system logs (i.e. /tmp/var/log/messages). I do not understand regex at all and really need some help tailoring the fail2ban wiki filter.conf file to meet the requirements of the DD-WRT logs.
Here is what my /tmp/var/log/messages file looks like after an unauthorized user tries to log into my openvpn server:
root@ddwrt:/ cat /tmp/var/log/messages
Jan 18 20:33:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed
Jan 18 20:33:26 DD-WRT-HOST daemon.notice openvpn[32361]: 95.90.233.246:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: MULTI: multi_create_instance called
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Re-using SSL/TLS context
Jan 18 20:34:05 DD-WRT-HOST daemon.warn openvpn[32361]: 24.50.232.200:80 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Jan 18 20:34:05 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.200:80 TLS: Initial packet from [AF_INET]24.50.232.200:80, sid=6a22eb44 5adb63fe
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:34:08 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.25:80 TLS Error: TLS handshake failed
Jan 18 20:34:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: MULTI: multi_create_instance called
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Re-using SSL/TLS context
Jan 18 20:34:09 DD-WRT-HOST daemon.warn openvpn[32361]: 24.50.232.25:80 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1421,tun-mtu 1400,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Jan 18 20:34:09 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:34:20 DD-WRT-HOST kern.warn kernel: [374190.672266] DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:78:6a:1f:b9:14:20:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=36756 DF OPT (94040000) PROTO=2 MARK=0x100000
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:35:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
How can I modify/tailor THIS filter definition:
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
so that the filter works with fail2ban on ddwrt using the DD-WRT openvpn system logs?
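An added example, not part of the original post or the fail2ban wiki: a small Python harness that checks candidate failregex lines against log lines copied from the post, showing why the wiki patterns miss the DD-WRT syslog format and how a prefix for the hostname, facility and `openvpn[pid]:` tag changes that. `HOST`, `PREFIX`, `TIMESTAMP` and `banned_hosts` are hypothetical names, and the harness assumes fail2ban cuts the matched timestamp out of the line before applying failregex.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only here; the real tag
# also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Text left in front of the OpenVPN message once the timestamp is removed:
# " <hostname> daemon.<level> openvpn[<pid>]: " (layout taken from the post's log).
PREFIX = r"^\s*\S+ daemon\.\w+ openvpn\[\d+\]: "

# The wiki's message patterns, placed behind the DD-WRT syslog prefix.
FAILREGEX = [
    PREFIX + r"TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    PREFIX + r"<HOST>:\d+ Connection reset, restarting",
    PREFIX + r"<HOST>:\d+ TLS Auth Error",
    PREFIX + r"<HOST>:\d+ TLS Error: TLS handshake failed$",
    PREFIX + r"<HOST>:\d+ VERIFY ERROR",
]
# One unmodified wiki pattern, for comparison.
WIKI_FAILREGEX = [r"^ <HOST>:\d+ TLS Error: TLS handshake failed$"]

# Syslog-style timestamp as it appears in /tmp/var/log/messages ("Jan 18 20:33:26").
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")

# Lines copied from the log in the post.
SAMPLE_LOG = """\
Jan 18 20:33:08 DD-WRT-HOST daemon.notice openvpn[32361]: 24.50.232.25:80 TLS: Initial packet from [AF_INET]24.50.232.25:80, sid=6a22eb44 5adb63fe
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 18 20:33:26 DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed
Jan 18 20:34:05 DD-WRT-HOST daemon.err openvpn[32361]: 24.50.232.200:80 TLS Error: TLS handshake failed
Jan 18 20:34:20 DD-WRT-HOST kern.warn kernel: [374190.672266] DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:78:6a:1f:b9:14:20:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=36756 DF OPT (94040000) PROTO=2 MARK=0x100000
"""


def banned_hosts(log_text, failregex):
    """Return the host captured from each log line that any failregex matches."""
    compiled = [re.compile(rx.replace("<HOST>", HOST)) for rx in failregex]
    hits = []
    for line in log_text.splitlines():
        rest = TIMESTAMP.sub("", line, count=1)  # drop the timestamp first
        for rx in compiled:
            m = rx.search(rest)
            if m:
                hits.append(m.group("host"))
                break
    return hits


if __name__ == "__main__":
    print("wiki pattern:", banned_hosts(SAMPLE_LOG, WIKI_FAILREGEX))
    print("with prefix: ", banned_hosts(SAMPLE_LOG, FAILREGEX))
```

On the router itself, the same check can be run against the real filter file with `fail2ban-regex /tmp/var/log/messages /opt/etc/fail2ban/filter.d/openvpn.conf`.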