# Bot is trying to force my VPN [SOLVED]

## cybermc75

Hi all.

I have a small OpenVPN running through a DLINK DSL2640 router.

I have redirected the single port to my server.

This is a new thing for me, I'm not very experienced in network security.

Everything is working, my clients connecting without problems.

From the router log, these days I'm seeing:

```
Kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=<attacker-IP>
```

This message appears once every 5 minutes.

The IP is the same for hours, or days, then it changes ( but always with the same net prefix).

I was able to determine that this is a dynamic IP provided by one major companies here in Italy.

Today I wrote a rule to move the offending IP to a dedicated port. 

After the modify in the router, the intrusion message disappeared.

So I'm able (via tcplisten on the dedicated port) to see that:

- it connects.
- sends some binary codes.
- waits a bit.
- sends again the same codes.
- same thing 5 times.
- disconnects.

Binary codes change on each new connection.

If I try to send something, it disconnects after a CR or after a prefixed amount of data.

What I can do to stop this bot?

Is this dangerous for my VPN?

Since I'm using RSA-keys, I'm quite confident that I'm safe, but what about DoS or other possible attack?

Any help appreciated.

Last edited by cybermc75 on Fri May 17, 2013 7:55 am; edited 1 time in total

----------

## Christian99

I had good experience with fail2ban against brute-force attacks on my SSH.

It should help you out here, too. Unfortunately it doesn't provide any OpenVPN examples, but you can probably find some online.

----------

## NeddySeagoon

cybermc75,

Send a log fragment to the owner of the IP range. They will probably take some action, like null routing their customer, until it's fixed.

It's likely to be a compromised Windows box that the owner doesn't even know is compromised.

----------

## cybermc75

Thanks Christian. I checked fail2ban. Interesting principle. Probably I can write directly some script to ban IPs logged by my router as attackers.

Neddy: yeah, probably I could, but even if I can stop that bot, others will follow.

Happy gentooing.

----------

## cybermc75

If it can help others:

I setup rsyslogd to receive log information from my router in "/var/log/dlinkrouter/yyyymmdd.log" files.

Interesting lines are:

```
May 17 09:20:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=37.182.157.35 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=24365 DF PROTO=TCP SPT=40577 DPT=8100 WINDOW=5840 RES=0x00 SYN URGP=0
```

I wrote /usr/local/bin/ban:

```bash
#!/bin/bash
# Ban a single source address by appending a DROP rule to the INPUT chain.
# Usage: ban <IP>

if [ "$1" == "" ] ; then
  echo "USO:"
  echo " $0 <IP>"
  exit 1
fi

# -F matches the address literally (a "." in a regex would match any character)
# and -w avoids treating 1.2.3.4 as already banned when only 11.2.3.45 is listed.
if iptables -L | grep -wF -- "$1"; then
  echo "already banned."
else
  iptables -A INPUT -s "$1" -j DROP
  echo "$1 has been banned."
fi
```

And then:

```
tail -F /var/log/dlinkrouter/`date +%Y%m%d`.log | awk -Winteractive '/kernel: Intrusion/ { for( i=1; i<= NF; i=i+1) if (substr($i,1,4)=="SRC=") system("/usr/local/bin/ban "substr($i,5)) }'
```

does what I want.
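The awk one-liner above hands whatever follows `SRC=` straight to `system()`, and the syslog line it came from arrived over the network from the router. As an added example (not cybermc75's script), this bash version reads the same D-Link `Intrusion->[SYN]` lines, checks that the `SRC=` field is a plain IPv4 address before it reaches any command, and calls a ban hook only after a threshold of hits from one source. `BAN_CMD`, `THRESHOLD` and the sample log lines are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not cybermc75's script: parse D-Link "Intrusion->[SYN]" syslog lines,
# validate the SRC= field before it reaches any command, and call the ban hook only
# after THRESHOLD hits from one address. BAN_CMD is a hypothetical hook (default: echo).
BAN_CMD="${BAN_CMD:-echo BAN}"
THRESHOLD="${THRESHOLD:-3}"
declare -A HITS BANNED
# extract_src LINE: print the value of the SRC= field; fail if the line has none.
extract_src() {
  local -a fields; local field
  read -ra fields <<< "$1"           # read, not bare word splitting, so [SYN] is never globbed
  for field in "${fields[@]}"; do
    case "$field" in SRC=*) printf '%s\n' "${field#SRC=}"; return 0 ;; esac
  done
  return 1
}

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all in 0-255.
is_ipv4() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
  local IFS=. octet
  for octet in $1; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# process_line LINE: count SYN hits per source; call BAN_CMD once when THRESHOLD is reached.
# A SRC value that is not a plain IPv4 address is reported on stderr and never passed to a command.
process_line() {
  local ip
  case "$1" in *'kernel: Intrusion->[SYN]'*) ;; *) return 0 ;; esac
  ip=$(extract_src "$1") || return 0
  if ! is_ipv4 "$ip"; then
    printf 'ignoring malformed SRC field: %q\n' "$ip" >&2
    return 0
  fi
  [ -n "${BANNED[$ip]}" ] && return 0
  HITS[$ip]=$(( ${HITS[$ip]:-0} + 1 ))
  if [ "${HITS[$ip]}" -ge "$THRESHOLD" ]; then
    BANNED[$ip]=1
    $BAN_CMD "$ip"
  fi
}

# Constructed sample log (TEST-NET addresses, not real hosts): three hits from one source, one malformed SRC.
SAMPLE='May 17 09:20:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=203.0.113.7 DST=192.168.0.3 PROTO=TCP DPT=8100
May 17 09:25:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=203.0.113.7 DST=192.168.0.3 PROTO=TCP DPT=8100
May 17 09:26:00 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=203.0.113.300 DST=192.168.0.3 PROTO=TCP DPT=8100
May 17 09:30:43 192.168.0.1  kernel: Intrusion->[SYN]IN=ppp_0_8_35_1 OUT=br0 SRC=203.0.113.7 DST=192.168.0.3 PROTO=TCP DPT=8100'
# run_sample: feed SAMPLE through process_line (for live logs, pipe "tail -F ..." into the same loop).
run_sample() { while IFS= read -r line; do process_line "$line"; done <<< "$SAMPLE"; }
```

Set `BAN_CMD=/usr/local/bin/ban` to wire it to the script from the earlier post; with the default it only prints what it would have banned.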

----------

## khayyam

*cybermc75 wrote:*

> ```
> if iptables -L | grep "$1"; then
> ```
> ...

cybermc75 ... you might want to add '-n' here so that reverse dns lookups aren't performed, also '-L' can accept a chain (eg, INPUT) as an argument, and so you could limit the list.

best ... khay

----------

## cybermc75

Thanks Khay, much faster with iptables -nL INPUT.

----------

