David,

Without proof, I'm thinking the IKE exchange types 37 and 243 are just a signature of a bot probing the IKE negotiation, something like SIPVicious and its 'friendly-scanner' User-Agent.

The exchange types of 37 and 243 seem completely arbitrary to me. Given that, while it probably doesn't add much (if any) security to ban these probes, it may provide some comfort (fewer logs) and is straightforward to do. So, I'll add a "racoon" filter option that will ban any IP that generates an "ERROR: Invalid exchange type" regardless of the exchange type number. It is a relatively simple addition and is not enabled by default, so why not. Seems of common interest while googling.

Lonnie

On Dec 25, 2015, at 9:06 AM, David Kerr <da...@kerr.net> wrote:

> Thanks Lonnie. Google found this...
> http://serverfault.com/questions/579648/custom-filter-for-fail2ban
> so someone else ran into the same issue and basically added a filter to
> /etc/fail2ban. Do we have an equivalent?
>
> I'm going to be away for next week plus... so won't be able to do anything
> for a while. In the meantime they have no respect for the holidays and have
> started trying from a different IP...
>
> Dec 25 05:44:47 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> Dec 25 05:45:01 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> Dec 25 05:45:16 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
> Dec 25 05:45:25 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].
>
> Thanks
> David
>
> On Fri, Dec 25, 2015 at 9:37 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
>> Merry Christmas David,
>>
>> +1 to Michael's answer.
>>
>> Here is the same topic for pfSense...
>>
>> Topic: Somebody hacking my IPsec VPN?
>> https://forum.pfsense.org/index.php?topic=39044.0
>>
>> Topic: Banning or throttling users making invalid connection attempts?
>> https://forum.pfsense.org/index.php?topic=72640.0
>> (Unfortunately without any replies)
>>
>> So you are not alone, we could consider adding a "racoon" filter type to
>> Adaptive ban. The first concern is to make sure it is useful in practice and
>> not subject to false-banning for normal use.
>>
>> Possibly a look at the latest Fail2Ban to see if "racoon" has been added.
>> And if not wonder why.
>>
>> Clearly if you use a certificate for your IPsec server then you should be
>> good, but I understand the added logs are annoying.
>>
>> Lonnie
>>
>> On Dec 24, 2015, at 11:24 PM, David Kerr <da...@kerr.net> wrote:
>>
>>> Firstly happy Christmas to all.
>>>
>>> Now my question, should adaptive ban pick up on the following? I'm getting
>>> attacked again but neither of these IPs are getting added to the ban list.
>>> As far as I can tell the adaptive ban plugin is active...
>>>
>>> ENABLED=1
>>> ADAPTIVE_BAN_FILE="/var/log/messages"
>>> ADAPTIVE_BAN_TIME=90
>>> ADAPTIVE_BAN_COUNT=3
>>> ADAPTIVE_BAN_TYPES="sshd asterisk lighttpd"
>>>
>>> Dec 23 20:40:09 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 129.192.165.10[4500].
>>> Dec 23 20:40:14 pbx daemon.info
>>> ...
>>> Dec 24 20:57:35 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 101.165.98.245[500].
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Astlinux-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to
>>> pay...@krisk.org.
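The filter Lonnie proposes above, banning any source that repeatedly triggers racoon's "ERROR: Invalid exchange type" whatever the type number, as an added Python example that is not part of this thread or of Adaptive Ban itself: the per-IP sliding window (N hits within a number of seconds) is this example's assumption about combining a count and a time setting, and the sample log is the lines David posted plus one constructed non-error line to show it is ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# racoon's message as it lands in /var/log/messages (syslog carries no year)
RACOON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ daemon\.info "
    r"racoon: ERROR: Invalid exchange type (?P<xtype>\d+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[\d+\]\.$"
)

def parse_line(line, year=2015):
    """Return (timestamp, source IP, exchange type) or None for other lines."""
    m = RACOON_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["xtype"])

def ips_to_ban(lines, ban_count=3, window=90, year=2015):
    """IPs with >= ban_count errors within `window` seconds (any exchange type).
    The sliding window is this example's assumption, not Adaptive Ban's own logic."""
    hits = defaultdict(deque)   # ip -> timestamps of recent matching lines
    banned = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue            # normal racoon output never counts
        ts, ip, _xtype = parsed
        q = hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()         # forget matches older than the window
        if len(q) >= ban_count and ip not in banned:
            banned.append(ip)
    return banned

# Sample input: the lines quoted in the thread, plus one constructed INFO line.
SAMPLE_LOG = [
    "Dec 23 20:40:09 pbx daemon.info racoon: ERROR: Invalid exchange type 37 from 129.192.165.10[4500].",
    "Dec 24 20:57:35 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 101.165.98.245[500].",
    "Dec 25 05:44:47 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].",
    "Dec 25 05:44:50 pbx daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]",  # constructed
    "Dec 25 05:45:01 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].",
    "Dec 25 05:45:16 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].",
    "Dec 25 05:45:25 pbx daemon.info racoon: ERROR: Invalid exchange type 243 from 93.81.145.36[500].",
]
if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))   # ['93.81.145.36']
```

Only the host that probed four times in under a minute crosses the threshold; the two single probes are logged but not banned, which is the false-banning concern Lonnie raises.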