fail2ban: Blocking automated bruteforcing

In Part 1 of this series, we discussed why using a VPN was the ideal option for remote access in the corporate world.

In Part 2, we outlined exactly how to implement and build an OpenVPN server.

Now, in Part 3, we are going to see just how easy it is to secure this server from brute-force login attacks. The primary tool we will be using is called 'fail2ban'. This is an incredibly powerful, albeit simple, tool. The core concept is that you define a log source and a regex that describes what counts as a failed login and where the client IP sits in the log line. If the number of matching lines from one IP exceeds the configured threshold, that IP is added to a "jail", i.e. a firewall blacklist, for a predetermined period of time. For example, if we were securing an HTTP server from automated scanning, we would monitor the access logs for '404 - Not Found' responses and put the offending IP into a jail.

Setting up fail2ban is incredibly simple. First, we install it using the following command:

sudo apt update
sudo apt install fail2ban

Once the installation process completes, we can begin the configuration by creating the filter file. You can just copy and paste this entire blob of text into your command line prompt and press <ENTER>:

# 'sudo cat > file' fails with "Permission denied": the redirection is done by your
# unprivileged shell, not by sudo. 'sudo tee' writes the file as root instead.
# Quoting 'EOF' keeps the shell from touching the backslashes in the patterns.
sudo tee /etc/fail2ban/filter.d/openvpn.local > /dev/null << 'EOF'
[Definition]
# fail2ban strips the OpenVPN timestamp before matching, which is why each
# pattern begins with '^ ' (a leading space). <HOST> is replaced by fail2ban
# with its own IP-matching group.
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
EOF

This creates the OpenVPN filter for fail2ban. Next we need to define the enforcement properties: in other words, what actions will land someone in 'jail' and how it will be handled. You are essentially writing your law. Here is a blob to get you started:

# Same 'sudo tee' fix as above. The file must end in .conf or .local, because
# fail2ban only reads jail.d/*.conf and jail.d/*.local; a file named plain
# 'openvpn' would be silently ignored.
sudo tee /etc/fail2ban/jail.d/openvpn.local > /dev/null << 'EOF'
[openvpn]
enabled  = true
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /var/log/openvpn.log
maxretry = 3
EOF

Basically what this says is that fail2ban will deny traffic from any host that fails to log into OpenVPN on UDP port 1194 more than 3 times within its findtime window, for the configured bantime. The last thing we need to do is restart the service:
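Before trusting the filter on a live server, it helps to see exactly which log lines the five patterns above catch and which IPs would cross maxretry. The following is an added example, not code from the article, and it simulates fail2ban's matching in Python: it strips the OpenVPN timestamp the way fail2ban does (leaving the leading space the patterns expect), substitutes a simplified IPv4-only group for <HOST> (an assumption; fail2ban's real expansion also handles hostnames and IPv6) and counts failures per IP over constructed sample lines.

```python
import re
from collections import Counter

# The five failregex lines from the filter above, verbatim.
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]
MAXRETRY = 3  # same value as the jail definition

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# OpenVPN's default log prefix, e.g. "Mon Jan  1 12:00:00 2024". fail2ban removes the
# timestamp before matching, which leaves the leading space every pattern starts with.
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}")

def failed_host(line):
    """Return the offending IP if the line matches any failregex, else None."""
    rest = TIMESTAMP.sub("", line.rstrip("\n"))
    for pat in PATTERNS:
        m = pat.search(rest)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """IPs whose failure count reaches maxretry (fail2ban bans at >= maxretry)."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
Mon Jan  1 12:00:01 2024 203.0.113.7:51234 TLS: Initial packet from [AF_INET]203.0.113.7:51234
Mon Jan  1 12:00:02 2024 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51234
Mon Jan  1 12:00:03 2024 203.0.113.7:51234 TLS Error: TLS handshake failed
Mon Jan  1 12:00:04 2024 203.0.113.7:51235 VERIFY ERROR: depth=0, error=certificate has expired
Mon Jan  1 12:00:05 2024 198.51.100.9:40000 Connection reset, restarting [0]
Mon Jan  1 12:00:06 2024 198.51.100.9:40000 Peer Connection Initiated with [AF_INET]198.51.100.9:40000
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

On the server itself, `fail2ban-regex /var/log/openvpn.log /etc/fail2ban/filter.d/openvpn.local` runs the same kind of check against the real log with fail2ban's own <HOST> handling, and `sudo fail2ban-client status openvpn` shows the jail's current bans after the restart.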

sudo service fail2ban restart

There you have it: you have now protected your OpenVPN interface from automated brute-force login attempts. SSH protection should already be enabled if SSH is configured to use the default port of TCP 22.

More articles by Mark Kikta

  • The Ease of OpenVPN

    In Part 1, we discussed why VPNs have value in a corporate environment. If you missed it, here's the link.

  • The Case for VPNs

    This is part 1 of a 4 part series on securing remote system access. Part 2 will cover how to build and configure a…