I'm probably missing something obvious. Cluebats invited.
A few OpenBSD servers I look after have OpenVPN server installed (for
homeworkers' access), which means port 1194 is open. Recently they seem
to have appeared on some scumbag's "hack this" list, as they're
constantly deluged with brute-force hack attacks. A snippet from
openvpn.log:
>>
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS handshake failed
<<
(IP addresses obscured to protect the sinner - no, wait...) (and logfile
filtered by "failed".)
For now, I manually log the above IPs and add them to a badhosts file -
no more access of any kind for you, mwahaha. But it's a lot of work, and
my logfile is just noise...
I already use pf.conf to protect my ssh port against such attacks
(rate-limiting). Can I do anything similar with pf for the openvpn port?
Don't want to block real users if they screw up once or twice...
although they are few enough that I can be super-aggressive in denying
access, and sort it out by phone...
Maybe I shouldn't even worry about it, but I'd really like to hit back.
(See above re "mwahaha".)
Steve
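As an added example (not from Steve's post, and not an OpenBSD or OpenVPN project script), here is a shell script for the step the post does by hand: it counts "TLS handshake failed" lines per source address in openvpn.log and, at or above a threshold, adds the address to a pf table. It assumes IPv4 addresses in the "ip:port" form shown in the log above, a table named badhosts that pf.conf already declares and blocks, and a threshold of 3 as a placeholder value.

```shell
#!/bin/sh
# Added example: turn the manual "log the IP, add it to badhosts" step into a
# script. Reads OpenVPN log lines from stdin, counts "TLS handshake failed"
# per source address, and reports (or blocks) sources at or over a threshold.

# Constructed sample, built from the log lines quoted in the post plus one
# low-volume source (192.0.2.10, a documentation address) that must NOT trip
# a threshold of 3.
SAMPLE_LOG='Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS handshake failed
Wed Dec 19 18:29:10 2018 192.0.2.10:40001 TLS Error: TLS handshake failed
Wed Dec 19 18:29:11 2018 192.0.2.10:40002 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'

# openvpn_offenders THRESHOLD
# Prints, one per line and sorted, every source IPv4 address with at least
# THRESHOLD "TLS handshake failed" lines on stdin. Field 6 of a line is
# "ip:port"; the ephemeral source port is stripped so the three attempts in
# the post all count against the same address. A genuine user who gets the
# config wrong once or twice stays under the threshold.
openvpn_offenders() {
    awk -v min="${1:-3}" '
        /TLS Error: TLS handshake failed/ {
            ip = $6
            sub(/:[0-9]+$/, "", ip)   # drop the ":port" suffix
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print ip
        }
    ' | sort
}

# block_offenders THRESHOLD
# Adds each offender to the pf table "badhosts" (assumed to exist, i.e. pf.conf
# carries "table <badhosts> persist" and a "block in quick from <badhosts>"
# rule). Needs root; nothing runs pfctl unless this function is called.
block_offenders() {
    openvpn_offenders "$1" | while read -r ip; do
        pfctl -t badhosts -T add "$ip"
    done
}

# Stand-alone run: report offenders in the constructed sample, without blocking.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | openvpn_offenders 3
fi
```

On a live box, pipe the real log in instead of the sample (for example grep "failed" openvpn.log | openvpn_offenders 3) and run block_offenders from cron; the real users the post mentions can be removed again with pfctl -t badhosts -T delete.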