Anyone else seeing lots of intrusion attempts against their VPN?

Discussion in 'Chit-Chat' started by Mike A., Sep 18, 2018.

  1. Mike A.

    Mike A. Pulling my weight

    Joined:
    May 6, 2017
    Messages:
    315
    Likes Received:
    145
    I've been getting tons from all over the world over the last week or so. Multiple machines hitting me on a continual basis. Appears to be coordinated among an associated group of bots. One will attempt a string of connections, then it will drop off and another will pick up, then another, etc... Never two different origins at the same time as would be expected if it were more random large scale scanning. None are successful in connecting but it's killing my logs with 10,000s of attempts cluttering things up.

    Asus router logs appear as follows (nothing special about the origin IP, just one of many as an example):

    Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 TLS Error: TLS handshake failed
    Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 SIGUSR1[soft,tls-error] received, client-instance restarting

    Changed my IP and they continue. I've checked everything that I can check and I see nothing beaconing out. In fact, I can pull the plug on everything on the inside of my network and change IPs and they continue so I'm pretty much sure of that. So must be just random at least across my ISP's network if not larger. This is my personal network so no reason why anyone would be hitting it in any kind of directed attack against a business, etc.

    Anyway, just curious whether it's just me/my ISP or if it's more widespread.
     
  2. awsum140

    awsum140 Getting comfortable

    Joined:
    Nov 14, 2017
    Messages:
    761
    Likes Received:
    518
    Location:
    Southern NJ
    I'm running OpenVPN on an AC86U and you made me look. Yup, tons of attempts from various addresses I have to look up to see where they're, allegedly, coming from. ISP here is ComTrash. My guess is a bot net trying to get into any VPN they can find. Let's hope they aren't successful because if they find the magic sauce I'll be shutting down outside access completely.
     
  3. J Sigmo

    J Sigmo Getting comfortable

    Joined:
    Feb 5, 2018
    Messages:
    392
    Likes Received:
    304
    I see a ton of these as well. Most recent ones are from Australia, but Germany, etc. show up, too.
     
  4. Mike A.

    Mike A. Pulling my weight

    Joined:
    May 6, 2017
    Messages:
    315
    Likes Received:
    145
    Thanks. Assumed that it was more widespread but just wanted to confirm.

    This is something new that seems to have started within the last few weeks. I watch my logs pretty closely and while there may be an attempted connection to the VPN once in a great while or just routine random hits on that port, I've never seen this level of attempts. Must be some sort of vulnerability that's been found in something. No point otherwise. It would be a huge waste of time and resources just bouncing off of locked doors all day. I see some mentions of the same here and there from earlier this year but nothing major.

    Seems to be trying directly against the default port. I don't see any scan first to find it ahead of the attempts. Maybe I'll change that just to make things a little more challenging.
     
  5. looney2ns

    looney2ns IPCT Contributor

    Joined:
    Sep 25, 2016
    Messages:
    5,603
    Likes Received:
    3,556
    Location:
    Evansville, Indiana
    I had this as well, changed the VPN port to 443, and they've stopped. As a side benefit, some wifi spots were blocking 1194, keeping me from connecting.
     
    djernie and Tinman like this.
  6. crw030

    crw030 Getting comfortable

    Joined:
    Apr 26, 2016
    Messages:
    225
    Likes Received:
    113
    I missed that you had your OpenVPN on port 80, I would expect the vast number of hits is due to using a common web server port, they probably aren't even trying to hack your VPN, they are probably looking for vulnerabilities in your "web server".
     
    alastairstevenson and looney2ns like this.
  7. Mike A.

    Mike A. Pulling my weight

    Joined:
    May 6, 2017
    Messages:
    315
    Likes Received:
    145
    It wasn't. The IP and 80 that you see above is the IP/port of origin on the remote machine attempting the connection. Most are coming from ports 80 or 443. Likely an attempt to hide among other traffic so that it doesn't stand out on the compromised host and passes through normally open ports.

    Mine was on the default 1194. I've now changed it to another port and it's no longer being hit.
     
  8. archedraft

    archedraft n3wb

    Joined:
    Sep 11, 2018
    Messages:
    29
    Likes Received:
    12
    Location:
    North America
    Same thing happening to me as well. I have two OpenVPN servers setup, one on the standard 1194 and one on a random port. My logs show consistent attempts to log into the 1194 port. As soon as I disabled the 1194 vpn the log attempts go away.
     
  9. J Sigmo

    J Sigmo Getting comfortable

    Joined:
    Feb 5, 2018
    Messages:
    392
    Likes Received:
    304
    I need to learn more about what the various entries in the logs for the router mean. I switched to a different, random, high port just now, and I don't see all of those same attacks, but I see constant logging of this sort of thing:

    Sep 18 15:49:19 kernel: DROP IN= vlan2 OUT = MAC=blah blah blah.....

    I have no idea what that's all about.
     
  10. Mike A.

    Mike A. Pulling my weight

    Joined:
    May 6, 2017
    Messages:
    315
    Likes Received:
    145
    Drops are fine. That just means that something attempted to connect to a port but that the connection was not accepted and dropped. You'll see gazillions of those. Nothing that you can do about it with a directly connected system on the Internet like a router. Just noise and comes with the territory.

    What you don't want to see, at least for a non-open system where you don't have some service(s) that you want people to connect to like a web server, etc., are ACCEPTs. That means that the connection was made. You will see ACCEPTs for connections that you make to your closed system or other open ports with your IPs shown. Beyond that you shouldn't see any.

    It is a good idea to keep an eye on your logs. If for no other reason than initially to prove to yourself what an absolutely terrible idea it is to leave ports open these days. Used to be able to get away with that years ago but now virtually everything gets scanned on a continual basis by bot networks and it's just a matter of time before it's found, especially on more common and high value ports. Beyond that it's useful on an ongoing basis for seeing things like this where there are more directed probes and attacks, troubleshooting, etc. There are various tools that you can feed the logs into to make it more convenient than logging into the router and for better analysis and filtering. Papertrail has a free level and you can point your logs there and then just keep a tab on your browser that you can check easily. A little setup required but if you can get a VPN going then you shouldn't have much trouble. Other more elaborate systems if you need/want that but most don't for a home system.

    Mine now below. I said above that the attempts stopped when I changed the port but what I meant to say is that it's no longer able to hit the VPN on that port. The attempts to access port 1194 continue but now are just dropped since the port is no longer open.

    Date, time, host name are clear. kernel is what's handling the connection, with basic networking running at that level. For VPN, you'd see vpnserver. DROP is as above. IN is incoming. eth0 is the network interface. OUT= empty in this case since dropped. MAC is the MAC of the router/interface. SRC is the IP for the source of the traffic. DST is the destination of that traffic (your IP). Then some basic packet and protocol info. PROTO is the protocol (TCP, UDP, etc.). SPT is the source port on the outside machine. DPT is the destination port it's attempting to connect to on your side.

    You'll also see a variety of other router messages for what's happening. e.g., errors, status, loading up the VPN and making the connection, etc.
     
    Last edited: Sep 18, 2018
  11. c hris527

    c hris527 Known around here

    Joined:
    Oct 12, 2015
    Messages:
    731
    Likes Received:
    398
    Location:
    NY
    You are correct, my VPN is getting hammered also, just make sure your password is good and long. Something is up if they are attacking this way.
    Black Hat 2018 was addressing security flaws and the cat is out of the bag. Compression and VPNs Make for Leaked Secrets
     
    J Sigmo and looney2ns like this.
  12. J Sigmo

    J Sigmo Getting comfortable

    Joined:
    Feb 5, 2018
    Messages:
    392
    Likes Received:
    304
    Well, that could explain the sudden uptick in these attempts.

    Thanks for the explanations and time you spent writing this up. I suspect what may be constantly being "dropped" are attempts from my cameras themselves trying to access the internet directly, even though I have their IPs blocked, in the router, from accessing the internet.
     
  13. ElusiveX99

    ElusiveX99 n3wb

    Joined:
    Sep 19, 2018
    Messages:
    1
    Likes Received:
    1
    Location:
    United States

    Some big CVEs were issued on ASUS by NIST this past week. Root hasn't been completely established. I have the firmware in question and am locked out of my ac-5300 management page. I believe these aren't just limited to the 5300 series.

    Read more here. SB18-260: Vulnerability Summary for the Week of September 10, 2018 | US Government Information

    I did an external pen test and am showing all kinds of ports open.

    I'd make sure remote management is turned off for sure; it's most likely the vector that's been used for compromising this code branch.

    Stack-based buffer overflow on the ASUS GT-AC5300 router through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact by setting a long sh_path0 value and then sending an appGet.cgi?hook=select_list("Storage_x_SharedPath") request, because ej_select_list in router/httpd/web.c uses strcpy.

    Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.
     
    c hris527 likes this.
  14. c hris527

    c hris527 Known around here

    Joined:
    Oct 12, 2015
    Messages:
    731
    Likes Received:
    398
    Location:
    NY
    I checked my vpn log this morning, seems to be back to normal, I had one attempt overnight. I WAS getting slammed earlier in the week, most of the traffic was coming from South America.
     
  15. crw030

    crw030 Getting comfortable

    Joined:
    Apr 26, 2016
    Messages:
    225
    Likes Received:
    113
    Simply for comparison, my pfSense firewall logs 1100 blocked connection attempts per hour (average), 9 million in the past 196 days. To say the internet is a dangerous place would be an understatement! :D

    I need to make time in my "free time" to write a script to extract the important bits (any connection which is ACCEPTed) and summarize the remaining 9 million data points down to a couple important bits like source IP, type of attempt and number of times it was tried.

    Odds are high these are mostly botnets, so reporting them to the provider will get the wrong people in trouble, but at least I can (hopefully) identify if a connection makes it through the firewall that I didn't want (ugh).
     
    Last edited: Sep 20, 2018
    J Sigmo and looney2ns like this.
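The field breakdown Mike A. gave for the kernel DROP/ACCEPT lines (post 10) and the summary script crw030 describes wanting (post 15) fit together in one short parser. This is an added example, not code from anyone in the thread: it reads Asus/iptables-style kernel log lines, counts DROPs per source IP, protocol and destination port, and flags any ACCEPT whose source is not in a list of IPs you know are your own. The log lines and the `trusted_sources` set are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in the Asus kernel-log format described in the thread
SAMPLE_LOG = """\
Sep 18 15:49:19 router kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=1194 WINDOW=1024 SYN URGP=0
Sep 18 15:49:23 router kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=UDP SPT=443 DPT=1194 LEN=28
Sep 18 15:50:01 router kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=55123 DPT=23 SYN
Sep 18 15:52:10 router kernel: ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=203.0.113.10 LEN=60 PROTO=UDP SPT=51000 DPT=41194
Sep 18 15:53:42 router kernel: ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=80 DPT=8080 SYN
"""

# timestamp, hostname, "kernel:", the firewall action, then the key=value fields
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>DROP|ACCEPT) (?P<kv>.*)$")

def parse_line(line):
    """Return {'ts', 'action', IN, SRC, DST, PROTO, SPT, DPT, ...} or None for non-firewall lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "action": m.group("action")}
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("kv")):
        rec.setdefault(key, val)  # keep the first LEN=; a second one describes the inner packet
    return rec

def summarize(log_text, trusted_sources):
    """Count DROPs per (SRC, PROTO, DPT); collect ACCEPTs from sources not in trusted_sources."""
    drops = Counter()
    unexpected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "DROP":
            drops[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
        elif rec.get("SRC") not in trusted_sources:
            unexpected.append(rec)
    return drops, unexpected

if __name__ == "__main__":
    # 203.0.113.99 stands in for the IP you connect to your own VPN from (assumed value)
    drops, unexpected = summarize(SAMPLE_LOG, trusted_sources={"203.0.113.99"})
    for (src, proto, dpt), n in drops.most_common():
        print(f"DROP  {n:5d}  {src:<16} {proto}/{dpt}")
    for rec in unexpected:
        print(f"ALERT ACCEPT from {rec['SRC']} to {rec['PROTO']}/{rec['DPT']} at {rec['ts']}")
```

On a real router, pipe the syslog export into `summarize` instead of `SAMPLE_LOG`; the OpenVPN `vpnserver1:` TLS lines from post 1 are skipped by the regex, so count those separately if you also want per-source handshake failures.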