Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Bot is trying to force my VPN [SOLVED]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
cybermc75
n00b
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Wed May 15, 2013 4:16 pm    Post subject: Bot is trying to force my VPN [SOLVED] Reply with quote

Hi all.

I have a small OpenVPN running through a DLINK DSL2640 router.
I have redirected the single port to my server.
This is a new thing for me, I'm not very experienced in network security.
Everything is working, my clients connecting without problems.

From the router log, these days I'm seeing:
Kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=<attacker-IP>
This message appears once every 5 minutes.
The IP is the same for hours, or days, then it changes ( but always with the same net prefix).
I was able to determine that this is a dynamic IP provided by one major companies here in Italy.

Today I wrote a rule to move the offending IP to a dedicated port.
After the modify in the router, the intrusion message disappeared.

So I'm able (via tcplisten on the dedicated port) to see that:

it connects.
sends some binary codes.
waits a bit
sends again the same codes.
same thing 5 times.
disconnects

Binary codes change on each new connection.

If I try to send something, it disconnects after a CR or after a prefixed amount of data.

What I can do to stop this bot?
Is this dangerous for my VPN?
Since I'm using RSA-keys, I'm quite confident that I'm safe, but what about DoS or other possible attack?

Any help appreciated.


Last edited by cybermc75 on Fri May 17, 2013 7:55 am; edited 1 time in total
Back to top
View user's profile Send private message
Christian99
l33t
l33t


Joined: 28 May 2009
Posts: 991

PostPosted: Wed May 15, 2013 5:29 pm    Post subject: Reply with quote

i had good experience with fail2ban against bruteforce attacks on my ssh.
it should help you out here, too. Unfortunately it doesn't provide any openvpn exampels, but you can probably find some online.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 31912
Location: 56N 3W

PostPosted: Wed May 15, 2013 5:57 pm    Post subject: Reply with quote

cybermc75,

Send a log fragment to the owner of the the IP range. They will probably take some action, like null routing their customer, unit its fixed.

Its likely to be a compromised Windows box that the owner doesn't even know is compromised.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
cybermc75
n00b
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Fri May 17, 2013 7:54 am    Post subject: Reply with quote

Thanks Christian. I checked fail2ban. Intersting principle. Probably I can write directly some script to ban IPs logged by my router as attackers.

Neddy: yeah, probably I could, but even if I can stop that bot, others will follow.

Happy gentooing.
Back to top
View user's profile Send private message
cybermc75
n00b
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Fri May 17, 2013 9:15 am    Post subject: Reply with quote

If it can help others:

I setup rsyslogd to receive log information from my router in "/var/log/dlinkrouter/yyyymmdd.log" files.

Intersting lines are:
Code:
May 17 09:20:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=37.182.157.35 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=24365 DF PROTO=TCP SPT=40577 DPT=8100 WINDOW=5840 RES=0x00 SYN URGP=0


I wrote /usr/local/bin/ban:
Code:

#!/bin/bash

if [ "$1" == "" ] ; then
  echo "USO:"
  echo " $0 <IP>"
  exit -1
fi

if iptables -L | grep "$1"; then
  echo "already banned."
else
  iptables -A INPUT -s $1 -j DROP
  echo "$1 has been banned."
fi

And then:
Code:
tail -F /var/log/dlinkrouter/`date +%Y%m%d`.log | awk -Winteractive '/kernel: Intrusion/ { for( i=1; i<= NF; i=i+1) if (substr($i,1,4)=="SRC=") system("/usr/local/bin/ban "substr($i,5)) }'


does what I want.
Back to top
View user's profile Send private message
khayyam
Advocate
Advocate


Joined: 07 Jun 2012
Posts: 2244

PostPosted: Fri May 17, 2013 2:23 pm    Post subject: Reply with quote

cybermc75 wrote:
Code:
if iptables -L | grep "$1"; then

cybermc75 ... you might want to add '-n' here so that reverse dns lookups aren't performed, also '-L' can accept a chain (eg, INPUT) as an argument, and so you could limit the list.

best ... khay
Back to top
View user's profile Send private message
cybermc75
n00b
n00b


Joined: 19 Apr 2007
Posts: 74

PostPosted: Fri May 17, 2013 5:10 pm    Post subject: Reply with quote

Thanks Khay, much faster with iptables -nL INPUT.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum