Package: fail2ban
Version: 0.8.13-1
Severity: normal
Tags: patch

Hello,
We use fail2ban for openvpn; here are the rules we are using.

Samuel

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
Samuel
<O> It could be a cluster madeleine (with components, for example)
 -+- #runtime -+-
diff --exclude .svn --exclude .git --exclude CVS --exclude .hg -urN fail2ban-0.8.13/config/filter.d/openvpn.conf fail2ban-0.8.13-mine/config/filter.d/openvpn.conf --- fail2ban-0.8.13/config/filter.d/openvpn.conf 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban-0.8.13-mine/config/filter.d/openvpn.conf 2014-05-14 01:41:15.373568176 +0200 @@ -0,0 +1,10 @@ +# Fail2Ban configuration file for openvpn + +[Definition] + +failregex = .* ovpn-.* ::ffff:<HOST> Connection reset, restarting \[[0-9-]{1,2}\] + .* ovpn-.* <HOST> Connection reset, restarting \[[0-9-]{1,2}\] + .* ovpn-.* ::ffff:<HOST>:[0-9]{1,2,34,5} TLS Auth Error: Auth Username/Password verification failed for peer.*$ + .* ovpn-.* <HOST>:[0-9]{1,2,34,5} TLS Auth Error: Auth Username/Password verification failed for peer.*$ + +ignoreregex = diff --exclude .svn --exclude .git --exclude CVS --exclude .hg -urN fail2ban-0.8.13/debian/jail.conf fail2ban-0.8.13-mine/debian/jail.conf --- fail2ban-0.8.13/debian/jail.conf 2014-03-19 16:43:38.000000000 +0100 +++ fail2ban-0.8.13-mine/debian/jail.conf 2014-05-14 01:38:41.114112002 +0200 @@ -550,3 +550,15 @@ sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] logpath = /var/log/messages ; nrpe.cfg may define a different log_facility maxretry = 1 + +[openvpn] + +enabled = true +filter = openvpn +port = all +protocol = all +banaction = iptables-allports +port = anyport +logpath = /var/log/daemon.log +maxretry = 10 +
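Review bot: in the new filter.d/openvpn.conf hunk, the port quantifier `{1,2,34,5}` on the two "TLS Auth Error" failregex lines is not a valid repetition count, so Python's regex engine treats it as the literal text `{1,2,34,5}` and those two patterns will never match a real log line; use `[0-9]{1,5}` for the port instead. The two "Connection reset, restarting" patterns are also worth a second look: the leading `.* ovpn-.*` and the trailing `\[[0-9-]{1,2}\]` are very loose, and a connection reset is produced by ordinary network drops as well as by hostile peers, so counting resets toward a ban means a legitimate client on a flaky link can get itself banned; either restrict the filter to the authentication-failure lines or document in the file why resets should count.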
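Review bot: in the debian/jail.conf hunk, `port` is assigned twice in the new [openvpn] section (`port = all`, then `port = anyport`); the second assignment silently overrides the first, and with `banaction = iptables-allports` neither value is used, so one of them (or both, since `protocol = all` plus the allports action already express the intent) should be dropped. Shipping the jail with `enabled = true` in the packaged jail.conf switches it on for every installation, while packaged jails are normally shipped disabled and enabled per host in jail.local; `enabled = false` would be the safer default here. The hunk also adds a trailing blank line at end of file (the final `+` line), which can be dropped.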