Gentoo Forums
Bot is trying to force my VPN [SOLVED]
cybermc75
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Wed May 15, 2013 4:16 pm    Post subject: Bot is trying to force my VPN [SOLVED]

Hi all.

I have a small OpenVPN running through a DLINK DSL2640 router.
I have redirected the single port to my server.
This is a new thing for me, I'm not very experienced in network security.
Everything is working, my clients connecting without problems.

From the router log, these days I'm seeing:
Kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=<attacker-IP>
This message appears once every 5 minutes.
The IP is the same for hours, or days, then it changes (but always with the same net prefix).
I was able to determine that this is a dynamic IP provided by one of the major companies here in Italy.

Today I wrote a rule to move the offending IP to a dedicated port.
After the change in the router, the intrusion message disappeared.

So I'm able (via tcplisten on the dedicated port) to see that:

it connects,
sends some binary codes,
waits a bit,
sends the same codes again,
the same thing 5 times,
disconnects.

Binary codes change on each new connection.

If I try to send something, it disconnects after a CR or after a fixed amount of data.

What can I do to stop this bot?
Is this dangerous for my VPN?
Since I'm using RSA keys, I'm quite confident that I'm safe, but what about DoS or other possible attacks?

Any help appreciated.


Last edited by cybermc75 on Fri May 17, 2013 7:55 am; edited 1 time in total
Christian99
Veteran


Joined: 28 May 2009
Posts: 1668

PostPosted: Wed May 15, 2013 5:29 pm

I had good experience with fail2ban against brute-force attacks on my ssh.
It should help you out here, too. Unfortunately it doesn't provide any openvpn examples, but you can probably find some online.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54220
Location: 56N 3W

PostPosted: Wed May 15, 2013 5:57 pm

cybermc75,

Send a log fragment to the owner of the IP range. They will probably take some action, like null routing their customer, until it's fixed.

It's likely to be a compromised Windows box that the owner doesn't even know is compromised.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
cybermc75
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Fri May 17, 2013 7:54 am

Thanks Christian. I checked fail2ban. Interesting principle. I can probably write a script directly to ban the IPs logged by my router as attackers.

Neddy: yeah, probably I could, but even if I can stop that bot, others will follow.

Happy gentooing.
cybermc75
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Fri May 17, 2013 9:15 am

If it can help others:

I setup rsyslogd to receive log information from my router in "/var/log/dlinkrouter/yyyymmdd.log" files.

Interesting lines are:
Code:
May 17 09:20:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=37.182.157.35 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=24365 DF PROTO=TCP SPT=40577 DPT=8100 WINDOW=5840 RES=0x00 SYN URGP=0


I wrote /usr/local/bin/ban:
Code:

#!/bin/bash
# Usage: ban <IP>  -- drop all traffic from one source address.

if [ -z "$1" ] ; then
  echo "USO:"
  echo " $0 <IP>"
  exit 1
fi

# -w -F: match the whole address only; a plain grep for 37.182.157.3
# would also "match" 37.182.157.35 and the new IP would never be banned.
if iptables -L | grep -qwF -- "$1"; then
  echo "already banned."
else
  iptables -A INPUT -s "$1" -j DROP
  echo "$1 has been banned."
fi

And then:
Code:
tail -F /var/log/dlinkrouter/`date +%Y%m%d`.log | awk -Winteractive '/kernel: Intrusion/ { for( i=1; i<= NF; i=i+1) if (substr($i,1,4)=="SRC=") system("/usr/local/bin/ban "substr($i,5)) }'


does what I want.
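The same log-to-ban pipeline as above, written as an added example (not code from the thread): it parses the router's "kernel: Intrusion" lines into their KEY=VALUE fields, counts SYNs per source so a ban can require more than one hit, and checks the existing INPUT chain with an exact address match instead of a substring grep. The log lines and the iptables listing are constructed sample input; 203.0.113.7 is a documentation address, and nothing is executed, the iptables commands are only returned as strings.

```python
import re
from collections import Counter

# Constructed sample of the router's syslog lines (same format as the thread's log).
SAMPLE_LOG = """\
May 17 09:20:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=37.182.157.35 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=24365 DF PROTO=TCP SPT=40577 DPT=8100 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 09:25:44 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=37.182.157.35 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=24401 DF PROTO=TCP SPT=40612 DPT=8100 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 09:26:10 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=203.0.113.7 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=51000 DPT=8100 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 09:27:00 192.168.0.1  kernel: some other message
"""

# Constructed `iptables -nL INPUT` output: 37.182.157.3 (not .35) is already dropped.
EXISTING_RULES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  37.182.157.3         0.0.0.0/0
"""

TOKEN = re.compile(r"([A-Z]+)=(\S+)")

def parse_intrusion(line):
    """Return the KEY=VALUE fields of a 'kernel: Intrusion' line, or None."""
    if "kernel: Intrusion" not in line:
        return None
    return dict(TOKEN.findall(line))

def offenders(lines, threshold=1):
    """Source IPs with at least `threshold` TCP SYN hits, sorted."""
    hits = Counter()
    for line in lines:
        fields = parse_intrusion(line)
        if fields and fields.get("PROTO") == "TCP" and "SRC" in fields:
            hits[fields["SRC"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def already_banned(ip, listing):
    """Whole-token match: a plain substring test would say .3 covers .35."""
    return any(ip in line.split() for line in listing.splitlines())

def ban_commands(lines, listing, threshold=1):
    """iptables commands for offenders not yet in the chain (returned, not run)."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in offenders(lines, threshold)
            if not already_banned(ip, listing)]

if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG.splitlines(), EXISTING_RULES, threshold=2):
        print(cmd)
```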
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Fri May 17, 2013 2:23 pm

cybermc75 wrote:
Code:
if iptables -L | grep "$1"; then

cybermc75 ... you might want to add '-n' here so that reverse DNS lookups aren't performed; also '-L' can accept a chain (e.g., INPUT) as an argument, and so you could limit the list.

best ... khay
cybermc75
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Fri May 17, 2013 5:10 pm

Thanks Khay, much faster with iptables -nL INPUT.