[opensuse] brute force attack on vpn ?
I see in our logs that one of our VPNs is being attacked, brute force style. Every second or so:

2018-12-12T16:24:26+01:00 calcium openvpn[1843]: 185.29.120.59:3518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-12-12T16:24:26+01:00 calcium openvpn[1843]: 185.29.120.59:3518 TLS Error: TLS handshake failed

A wide range of IP addresses.

Is there any point to this?

--
Per Jessen, Zürich (1.4°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Botnets like Mariposa [1] are scanning for hosts with the OpenVPN port used by default (UDP/1149) [2]. They usually target these kinds of services (SSH, OpenVPN, PPTP VPNs, ...) to get access using dictionary and brute force attacks.

You can change the port used by OpenVPN or use some tool like fail2ban [3] to block these attacks.

[1] https://www.mcafee.com/enterprise/en-us/threat-intelligence.intc.html?vid=bo...
[2] https://twitter.com/bad_packets/status/1004660329085726721
[3] https://peaksandprotocols.com/mitigating-an-openvpn-brute-force-attack-with-...

On 12/12/2018 16:29, Per Jessen wrote:
> I see in our logs that one of our VPNs is being attacked, brute force style. Every second or so:
>
> 2018-12-12T16:24:26+01:00 calcium openvpn[1843]: 185.29.120.59:3518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> 2018-12-12T16:24:26+01:00 calcium openvpn[1843]: 185.29.120.59:3518 TLS Error: TLS handshake failed
>
> A wide range of IP addresses.
>
> Is there any point to this?
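A sketch of the per-source counting that a log-based blocker such as fail2ban performs, applied to the log format quoted in this thread. This is an added example, not code from the thread or from fail2ban; the names `find_offenders`, `max_retry` and `find_time` and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the syslog format quoted in the thread:
# <ISO timestamp> <host> openvpn[<pid>]: <ip>:<port> TLS Error: TLS handshake failed
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ openvpn\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error: TLS handshake failed\s*$"
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time the threshold was first crossed} for sources with
    at least max_retry failed handshakes inside a find_time window.
    (Hypothetical helper; parameter names are assumptions.)"""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other messages, including the "key negotiation" line
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            offenders.setdefault(m["ip"], ts)
    return offenders

# Constructed sample log (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
2018-12-12T16:24:26+01:00 calcium openvpn[1843]: 192.0.2.10:3518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-12-12T16:24:26+01:00 calcium openvpn[1843]: 192.0.2.10:3518 TLS Error: TLS handshake failed
2018-12-12T16:24:40+01:00 calcium openvpn[1843]: 198.51.100.7:40112 TLS Error: TLS handshake failed
2018-12-12T16:25:31+01:00 calcium openvpn[1843]: 192.0.2.10:3519 TLS Error: TLS handshake failed
2018-12-12T16:27:02+01:00 calcium openvpn[1843]: 192.0.2.10:3520 TLS Error: TLS handshake failed
2018-12-12T16:58:00+01:00 calcium openvpn[1843]: 198.51.100.7:40113 TLS Error: TLS handshake failed
2018-12-12T17:20:00+01:00 calcium openvpn[1843]: 198.51.100.7:40114 TLS Error: TLS handshake failed
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

Because the thread reports a wide range of source addresses, a per-address threshold like this only catches sources that retry from the same IP within the window.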
Antonio Ojea wrote:
> Botnets like Mariposa [1] are scanning for hosts with the OpenVPN port used by default (UDP/1149) [2]. They usually target these kinds of services (SSH, OpenVPN, PPTP VPNs, ...) to get access using dictionary and brute force attacks.
>
> You can change the port used by OpenVPN or use some tool like fail2ban [3] to block these attacks.

Right - I was more interested in what the point is? The VPN is secured by a pair of keys, so what is there to attack?

--
Per Jessen, Zürich (0.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 12/12/2018 18:23, Per Jessen wrote:
> Antonio Ojea wrote:
>> Botnets like Mariposa [1] are scanning for hosts with the OpenVPN port used by default (UDP/1149) [2]. They usually target these kinds of services (SSH, OpenVPN, PPTP VPNs, ...) to get access using dictionary and brute force attacks.
>>
>> You can change the port used by OpenVPN or use some tool like fail2ban [3] to block these attacks.
>
> Right - I was more interested in what the point is? The VPN is secured by a pair of keys, so what is there to attack?
I'm not sure if this is the answer that you are looking for, but I'll try.

There can be several reasons why the botnet creators don't want to complicate the attack too much: they have a lot of bots, the bots run on small devices or on different platforms [1], ... so they try to keep the bot and the attack simple. These attacks target weak installations, and they don't care about spending some bots on impossible victims like yours; at the end of the day the bot is running on someone else's infected PC or device :)

The M.O. is usually simple: scan the whole internet for an open port and, once they find it, start to brute force it. You can see a great analysis of a bot scanner here [2].

[1] https://en.wikipedia.org/wiki/Mirai_(malware)
[2] http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
participants (2)
- Antonio Ojea
- Per Jessen