On 12/12/2018 18:23, Per Jessen wrote:
> Antonio Ojea wrote:
>> Botnets like mariposa [1] are scanning for hosts with the OpenVPN port used by default (UDP/1149) [2]. They usually target these kinds of services (SSH, OpenVPN, PPTP VPNs, ...) to get access using dictionary and brute force attacks.
>> You can change the port used by OpenVPN or use some tool like fail2ban [3] to block these attacks.
>
> Right - I was more interested in what the point is? The vpn is secured by a pair of keys, so what is there to attack?

I'm not sure if this is the answer that you are looking for, but I'll try.

There can be several reasons that the botnet creators don't want to complicate the attack too much: they have a lot of bots, the bots run on small devices or on different platforms [1], ... so they try to keep the bot and the attack simple. These attacks target weak installations, and they don't care about spending some bots on impossible victims like yours; at the end of the day the bot is running on someone else's infected PC or device :)

The M.O. is usually simple: scan the whole internet for an open port and, once they find it, start to brute force it. You can see a great analysis of a bot scanner here [2].

[1] https://en.wikipedia.org/wiki/Mirai_(malware)
[2] http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
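
Added example, not part of the original thread: a sketch of the kind of check a fail2ban-style tool applies to an OpenVPN log, flagging sources that repeatedly fail the TLS handshake inside a time window. The log layout, the two failure messages matched, the IPv4-only pattern and the thresholds (named after fail2ban's maxretry and findtime) are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation-range IPs); assumed default OpenVPN log layout.
SAMPLE_LOG = """\
Wed Dec 12 09:00:00 2018 198.51.100.7:5000 TLS Error: TLS handshake failed
Wed Dec 12 13:00:00 2018 198.51.100.7:5001 TLS Error: TLS handshake failed
Wed Dec 12 17:00:00 2018 198.51.100.7:5002 TLS Error: TLS handshake failed
Wed Dec 12 18:00:01 2018 203.0.113.5:40001 TLS Error: TLS handshake failed
Wed Dec 12 18:01:10 2018 203.0.113.5:40002 TLS Error: TLS handshake failed
Wed Dec 12 18:02:30 2018 203.0.113.5:40003 TLS Error: TLS handshake failed
Wed Dec 12 18:05:00 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:6000
Wed Dec 12 18:05:02 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:6001
Wed Dec 12 18:05:04 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:6002
Wed Dec 12 18:06:00 2018 192.0.2.10:1194 Peer Connection Initiated with [AF_INET]192.0.2.10:1194
"""

# Two failure forms: a failed handshake logged with a peer prefix, and a packet
# rejected by tls-auth before any handshake state exists (IPv4 only).
FAIL = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?:(?P<a>\d+\.\d+\.\d+\.\d+):\d+ TLS Error: TLS handshake failed"
    r"|TLS Error: cannot locate HMAC in incoming packet from "
    r"\[AF_INET\](?P<b>\d+\.\d+\.\d+\.\d+):\d+)"
)

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: total_failures} for sources with at least max_retry
    failures inside any window of length find_time."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if not m:
            continue  # successful connections and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        seen[m["a"] or m["b"]].append(ts)
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        # Sliding window over sorted timestamps: max_retry hits within find_time.
        for i in range(len(stamps) - max_retry + 1):
            if stamps[i + max_retry - 1] - stamps[i] <= find_time:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {count} failed handshakes, candidate for blocking")
```

The source that fails three times spread over eight hours is not flagged with the default window, which is the trade-off between catching slow scanners and banning a misconfigured legitimate client.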