At 09:56 PM 7/18/2021, Sergey Ivanov wrote:
Hi,
we see an ongoing attack on our SoftEther VPN. In the logs after
replacing IP of our server with x.x.x.x the lines look like:
----------
2021-07-06 00:00:00.128 OpenVPN Session 1074444968 (141.95.18.54:58360 -> x.x.x.x:1194): A new session is created. Protocol: UDP
2021-07-06 00:00:00.128 OpenVPN Session 1074444968 (141.95.18.54:58360 -> x.x.x.x:1194) Channel 0: A new channel is created.
2021-07-06 00:00:30.132 OpenVPN Session 1074444968 (141.95.18.54:58360 -> x.x.x.x:1194): Deleting the session.
----------
We had about 2 million such sessions a day, each opened for 30
seconds. Each IP address opens in parallel thousands of such
sessions. It was easy to mitigate this attack with fail2ban.
Is there a community repository to share jail.d and filter.d
contents like that which we wrote for SoftEther VPN? Has somebody
experienced such attacks?

I'm using this https://github.com/dpsystems/login-shield as a front
line of defense before fail2ban and it's been working very
well. It's a blacklist of known troublesome IP space to block login ports.
Is that IP address, 141.95.18.54, the source of the attacks? We see
a lot of rogue traffic from OVH.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
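
The per-source counting that a fail2ban jail applies to the log format quoted in this thread, as an added Python example (not code from either poster or from fail2ban). The function name `find_offenders`, the thresholds, and the sample lines with documentation-range addresses are constructed for illustration, and each log entry is assumed to sit on one line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches only the "A new session is created" entry; the channel and
# session-deletion entries for the same session are ignored.
NEW_SESSION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) OpenVPN Session \d+ "
    r"\((?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> [^\s:]+:\d+\): "
    r"A new session is created\."
)

def find_offenders(lines, maxretry=3, findtime=timedelta(seconds=10)):
    """Return source IPs opening >= maxretry sessions within findtime."""
    recent = defaultdict(deque)   # source IP -> timestamps inside the window
    offenders = []
    for line in lines:
        m = NEW_SESSION.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        window = recent[m["src"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than the window
            window.popleft()
        if len(window) >= maxretry and m["src"] not in offenders:
            offenders.append(m["src"])
    return offenders

def _entry(ts, sid, src, rest):
    # Builds one constructed log line in the format shown in the thread.
    return f"2021-07-06 {ts} OpenVPN Session {sid} ({src} -> x.x.x.x:1194){rest}"

NEW = ": A new session is created. Protocol: UDP"
# Constructed sample: one noisy source and one occasional client.
SAMPLE_LOG = [
    _entry("00:00:00.128", 1001, "203.0.113.7:58360", NEW),
    _entry("00:00:00.128", 1001, "203.0.113.7:58360",
           " Channel 0: A new channel is created."),
    _entry("00:00:00.541", 1002, "203.0.113.7:58361", NEW),
    _entry("00:00:01.002", 1003, "203.0.113.7:58362", NEW),
    _entry("00:00:02.300", 1004, "198.51.100.20:40000", NEW),
    _entry("00:00:30.132", 1001, "203.0.113.7:58360", ": Deleting the session."),
    _entry("00:05:00.000", 1005, "198.51.100.20:40001", NEW),
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

The `NEW_SESSION` pattern carries the same information a filter.d `failregex` would need: the source address and the fixed "A new session is created" text.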