rrichiez
Posts: 4
Joined: Mon Mar 03, 2014 5:00 pm

OPENVPN

Fri Feb 19, 2016 6:54 pm

I've noticed in the logs someone attempting to hack my OpenVPN repeatedly. My question is: does anyone here know, or can show me, how to first block that IP, and second, is there some way that if some IP tries 3 times it adds them to a blacklist? Can that be done?


please help

elatllat
Posts: 1337
Joined: Sat Dec 17, 2011 5:05 pm

Re: OPENVPN

Fri Feb 19, 2016 7:06 pm

Iptables
SBC with 32GB RAM: https://hardkernel.com

FAQ : https://raspberrypi.stackexchange.com

Unanswered: https://www.raspberrypi.org/forums/search.php?search_id=unanswered

pksato
Posts: 295
Joined: Fri Aug 03, 2012 5:25 pm
Location: Brazil

Re: OPENVPN

Fri Feb 19, 2016 7:28 pm

Hi,
If the OpenVPN client does not have a fixed IP, install and configure fail2ban.
knockd is also an option to control access.

ejolson
Posts: 3237
Joined: Tue Mar 18, 2014 11:47 am

Re: OPENVPN

Fri Feb 19, 2016 7:40 pm

rrichiez wrote: I've noticed in the logs someone attempting to hack my OpenVPN repeatedly. My question is: does anyone here know, or can show me, how to first block that IP, and second, is there some way that if some IP tries 3 times it adds them to a blacklist? Can that be done?

please help
Note that OpenVPN and the underlying IPSEC protocols were created, in part, because IP numbers can be spoofed in a number of ways and are, therefore, not a secure way of authenticating. Automatically blacklisting IP numbers could lead to denial of service situations if you are not careful. Possible cases include

1. So many IP numbers get blacklisted that iptables starts to run really slow and the Pi becomes unusable.

2. Your own IP number gets spoofed and subsequently blacklisted, thereby preventing your legitimate connection.

3. Failed connections from many different IP numbers consume too many CPU cycles on the Pi.

Unless you are expecting people from all over the world to connect to your Pi, it would be more reliable to whitelist the IP numbers and ranges of IP numbers that are allowed to connect. This can, again, be done using iptables.
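As an added, illustrative example (not code from any poster in this thread), here is a small log-count script of the kind fail2ban automates: it counts failed TLS handshakes per source address in OpenVPN server log lines, applies the three-strikes threshold from the question, and exempts whitelisted ranges so your own address cannot be locked out, the risk ejolson describes. The log lines, the addresses and the 1194/udp port are constructed assumptions; the function only renders iptables commands for review rather than running them.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of OpenVPN server log lines (not taken from the thread).
SAMPLE_LOG = """\
Fri Feb 19 18:52:01 2016 203.0.113.7:41022 TLS Error: TLS handshake failed
Fri Feb 19 18:52:09 2016 203.0.113.7:41023 TLS Error: TLS handshake failed
Fri Feb 19 18:52:17 2016 203.0.113.7:41024 TLS Error: TLS handshake failed
Fri Feb 19 18:53:02 2016 198.51.100.4:55010 TLS Error: TLS handshake failed
Fri Feb 19 18:53:40 2016 192.0.2.10:39000 TLS Error: TLS handshake failed
Fri Feb 19 18:53:44 2016 192.0.2.10:39001 TLS Error: TLS handshake failed
Fri Feb 19 18:53:50 2016 192.0.2.10:39002 TLS Error: TLS handshake failed
Fri Feb 19 18:54:00 2016 192.0.2.10:39003 [client1] Peer Connection Initiated
"""

# Source address (before the port) of a line reporting a failed TLS handshake.
FAILURE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error: TLS handshake failed")

def count_failures(log_text):
    """Return {ip: number of failed TLS handshakes} found in raw log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def candidates_to_block(log_text, threshold=3, whitelist=()):
    """IPs at or above the failure threshold that fall in no whitelisted network.

    The whitelist is the safeguard against banning your own (possibly spoofed)
    address: an operator lists the ranges legitimate clients connect from.
    """
    allowed = [ip_network(n) for n in whitelist]
    blocked = []
    for ip, n in count_failures(log_text).items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in allowed):
            continue
        blocked.append(ip)
    return sorted(blocked)

def iptables_drop_rules(ips, port=1194, proto="udp"):
    """Render the iptables commands an operator would review before applying."""
    return [f"iptables -I INPUT -s {ip} -p {proto} --dport {port} -j DROP" for ip in ips]
```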
