FreePBX / FREEPBX-18596

Fail2Ban configuration of OpenVPN


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Fail2Ban
    • Labels: None
    • ToDo:
    • Distro Version: FreePBX 13.0.195.19 +
    • Distro: FreePBX Distro

      Description

      Is there any way we could get Fail2Ban to work with OpenVPN?
       
      My configuration to make it work is below; however, some of the following files get overwritten each time FreePBX is restarted.
       
      -----------------------------------------------------------------------------------------------------
       
      /etc/fail2ban/jail.local  Add:
      [openvpn]
      enabled  = true
      port     = 1194
      protocol = udp
      filter   = openvpn
      # multi-line action value: the continuation line must stay indented
      action   = iptables-multiport[name=openvpn, protocol=udp, port=1194]
                 sendmail[name=OpenVPN, dest=<replace with email address to notify>, sender=<replace with sender address>]
      logpath  = /var/log/openvpn.log
      maxretry = 3
       
      -----------------------------------------------------------------------------------------------------
       
      /etc/fail2ban/filter.d
         Create file openvpn.conf (only needs to be done once)
         Contents:

        # Fail2Ban filter for OpenVPN rejections
        #
        #
         
        [Definition]
         
        # the square brackets around AF_INET must be escaped, otherwise the regex
        # treats them as a character class and the first pattern never matches
        failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
                    ^ <HOST>:\d+ Connection reset, restarting
                    ^ <HOST>:\d+ TLS Auth Error
                    ^ <HOST>:\d+ TLS Error: TLS handshake failed$
                    ^ <HOST>:\d+ VERIFY ERROR
         
        ignoreregex =
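        To check that the five failregex lines above actually catch OpenVPN rejections before relying on the jail, here is an added Python script (not part of this issue or of FreePBX) that runs the same patterns over a constructed sample of /var/log/openvpn.log and reports which hosts would reach maxretry. It assumes the default OpenVPN timestamp format and approximates fail2ban's date stripping with a simple regex.

```python
import re

# The failregex patterns from the filter file, with fail2ban's <HOST> tag
# expanded to a named group (fail2ban does the same substitution internally).
HOST = r"(?P<host>[\w\-.]+)"
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# OpenVPN prefixes each line with e.g. "Tue Jan  1 12:00:00 2019"; fail2ban
# removes the matched date and applies failregex to what is left (leading space kept).
DATE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")

def match_failure(line):
    """Return the offending host if the date-stripped line matches a failregex, else None."""
    rest = DATE.sub("", line.rstrip("\n"))
    for rx in COMPILED:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None

def count_failures(lines, maxretry=3):
    """Tally failures per host; return those that hit maxretry (what the jail would ban)."""
    hits = {}
    for line in lines:
        host = match_failure(line)
        if host:
            hits[host] = hits.get(host, 0) + 1
    return {h: n for h, n in hits.items() if n >= maxretry}

# Constructed sample log lines (documentation addresses, not a real server).
SAMPLE_LOG = [
    "Tue Jan  1 12:00:00 2019 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.5:51000",
    "Tue Jan  1 12:00:01 2019 203.0.113.5:51000 TLS Auth Error: Auth Username/Password verification failed for peer",
    "Tue Jan  1 12:00:02 2019 203.0.113.5:51000 TLS Error: TLS handshake failed",
    "Tue Jan  1 12:00:03 2019 198.51.100.9:40000 VERIFY ERROR: depth=0, error=certificate has expired",
    "Tue Jan  1 12:00:04 2019 198.51.100.9:40000 Connection reset, restarting [0]",
    "Tue Jan  1 12:00:05 2019 192.0.2.7:44000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.7:44000",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))  # {'203.0.113.5': 3}
```

The benign "Peer Connection Initiated" line is deliberately included to confirm that a successful client does not count toward a ban.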
         
         
        -----------------------------------------------------------------------------------------------------
         
        /etc/openvpn/sysadmin_server1.conf
           Add line:
        log /var/log/openvpn.log
         
        -----------------------------------------------------------------------------------------------------
         
         
        /etc/sysconfig/iptables
          (I believe this only needs to be done once)
           Add lines:
        :fail2ban-openvpn - [0:0]
        -A INPUT -p udp -m multiport --dports 1194 -j fail2ban-openvpn
         
        -----------------------------------------------------------------------------------------------------
         
        Logrotate already has a fail2ban configuration that is attempting to rotate /var/log/openvpn.log, so nothing needs to be done for rotation.
         
         
         

        People

        • Assignee: Unassigned
        • Reporter: sgaudette Scott Gaudette