Anyone else seeing lots of intrusion attempts against their VPN?

Mike A. · Sep 18, 2018

I've been getting tons from all over the world over the last week or so. Multiple machines hitting me on a continual basis. Appears to be coordinated among an associated group of bots. One will attempt a string of connections, then it will drop off and another will pick up, then another, etc... Never two different origins at the same time as would be expected if it were more random large scale scanning. None are successful in connecting but it's killing my logs with 10,000s of attempts cluttering things up.

Asus router logs appear as follows (nothing special about the origin IP, just one of many as an example):

Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 TLS Error: TLS handshake failed
Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 SIGUSR1[soft,tls-error] received, client-instance restarting

Changed my IP and they continue. I've checked everything that I can check and I see nothing beaconing out. In fact, I can pull the plug on everything on the inside of my network and change IPs and they continue so I'm pretty much sure of that. So must be just random at least across my ISP's network if not larger. This is my personal network so no reason why anyone would be hitting it in any kind of directed attack against a business, etc.

Anyway, just curious whether it's just me/my ISP or if it's more widespread.

awsum140 · Sep 18, 2018

I'm running OpenVPN on an AC86U and you made me look. Yup, tons of attempts from various addresses I have to look up to see where they're, allegedly, coming from. ISP here is ComTrash. My guess is a bot net trying to get into any VPN they can find. Let's hope they aren't successful because if they find the magic sauce I'll be shutting down outside access completely.

J Sigmo · Sep 18, 2018

I see a ton of these as well. Most recent ones are from Australia, but Germany, etc. show up, too.

Mike A. · Sep 18, 2018

Thanks. Assumed that it was more widespread but just wanted to confirm.

This is something new that seems to have started within the last few weeks. I watch my logs pretty closely and while there may be an attempted connection to the VPN once in a great while or just routine random hits on that port, I've never seen this level of attempts. Must be some sort of vulnerability that's been found in something. No point otherwise. It would be a huge waste of time and resources just bouncing off of locked doors all day. I see some mentions of the same here and there from earlier this year but nothing major.

Seems to be trying directly against the default port. I don't see any scan first to find it ahead of the attempts. Maybe I'll change that just to make things a little more challenging.

looney2ns · Sep 18, 2018

I had this as well, changed the VPN port to 443, and they've stopped. As a side benefit, some wifi spots were blocking 1194, keeping me from connecting.

crw030 · Sep 18, 2018

I missed that you had your OpenVPN on port 80, I would expect the vast number of hits is due to using a common web server port, they probably aren't even trying to hack your VPN, they are probably looking for vulnerabilities in your "web server".

Mike A. · Sep 18, 2018

crw030 said:
I missed that you had your OpenVPN on port 80, I would expect the vast number of hits is due to using a common web server port, they probably aren't even trying to hack your VPN, they are probably looking for vulnerabilities in your "web server".

It wasn't. The IP and 80 that you see above is the IP/port of origin on the remote machine attempting the connection. Most are coming from ports 80 or 443. Likely an attempt to hide among other traffic so that it doesn't stand out on the compromised host and passes through normally open ports.

Mine was on the default 1194. I've now changed it to another port and it's no longer being hit.

archedraft · Sep 18, 2018

Same thing happening to me as well. I have two OpenVPN servers setup, one on the standard 1194 and one on a random port. My logs show consistent attempts to log into the 1194 port. As soon as I disabled the 1194 vpn the log attempts go away.

J Sigmo · Sep 18, 2018

I need to learn more about what the various entries in the logs for the router mean. I switched to a different, random, high port just now, and I dont see all of those same attacks, but I see constant logging of this sort of thing:

Sep 18 15:49:19 kernel: DROP IN= vlan2 OUT = MAC=blah blah blah.....

I have no idea what that's all about.

Mike A. · Sep 18, 2018

Drops are fine. That just means that something attempted to connect to a port but that the connection was not accepted and dropped. You'll see gazillions of those. Nothing that you can do about it with a directly connected system on the Internet like a router. Just noise and comes with the territory.

What you don't want to see, at least for a non-open system where you don't have some service(s) that you want people to connect to like a web server, etc., are ACCEPTs. That means that the connection was made. You will see ACCEPTS for connections that you make to your closed system or other open ports with your IPs shown. Beyond that you shouldn't see any.

It is a good idea to keep an eye on your logs. If for no other reason than initially to prove to yourself what an absolutely terrible idea it is to leave ports open these days. Used to be able to get away with that years ago but now virtually everything gets scanned on a continual basis by bot networks and it's just a matter of time before it's found especially on more common and high value ports. Beyond that useful on an ongoing basis for seeing things like this where there are more directed probes and attacks, troubleshooting, etc. There are various tools that you can feed the logs into to make it more convenient than logging into the router and for better analysis and filtering. Papertrail has a free level and you can point your logs there and then just keep a tab on your browser that you can check easily. A little set up required but if you can get a VPN going then shouldn't have much trouble. Other more elaborate systems if you need/want that but most don't for a home system.

Mine now below. I said above that the attempts stopped when I changed the port but what I meant to say is that it's no longer able to hit the VPN on that port. The attempts to access port 1194 continue but now are just dropped since the port is no longer open.

Sep 18 18:20:51 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53543 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:20:51 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=114 ID=49941 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:20:51 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=114 ID=49942 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:20:51 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:20:51 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:20:54 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=31.184.237.22 DST=71.178.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=7354 PROTO=TCP SPT=52192 DPT=45747 SEQ=2360480351 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 18:20:55 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=1046 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:20:55 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=1047 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:20:55 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53152 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:20:55 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53153 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:20:55 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53544 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:20:56 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:20:56 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:20:56 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53545 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:20:57 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=119 ID=63989 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:20:57 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=119 ID=63990 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:00 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53546 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:01 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:01 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:01 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53547 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:03 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53152 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:03 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53153 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:04 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=1042 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:21:04 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=1043 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:21:05 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:05 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:06 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53548 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:06 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53549 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:07 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=114 ID=49941 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:21:07 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=114 ID=49942 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:21:10 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:10 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:11 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=119 ID=63989 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:11 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=119 ID=63990 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:11 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53550 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:11 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53551 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:11 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53152 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:11 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53153 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:13 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=1044 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:21:13 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=147.135.26.117 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=1045 PROTO=UDP SPT=61124 DPT=1194 LEN=22
Sep 18 18:21:15 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:15 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:16 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53552 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:16 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=120 ID=53553 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:17 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=146.185.222.19 DST=71.178.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57596 PROTO=TCP SPT=50980 DPT=45249 SEQ=3922324587 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 18:21:18 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=119 ID=63989 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:18 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=193.104.68.17 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=119 ID=63990 PROTO=UDP SPT=27015 DPT=1194 LEN=22
Sep 18 18:21:19 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53152 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:19 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=113 ID=53153 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:20 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64989 PROTO=UDP SPT=63234 DPT=1194 LEN=22
Sep 18 18:21:20 xxxxxxx kernel: DROP IN=eth0 OUT= MAC=70:8b:cd:de:0e:98:f4:b5:2f:07:b0:c3:08:00 SRC=158.69.5.198 DST=71.178.x.x LEN=42 TOS=0x00 PREC=0x00 TTL=116 ID=64990 PROTO=UDP SPT=63234 DPT=1194 LEN=22

Date, time, host name are clear. kernel is what's handling the connection, with basic networking running at that level. For VPN, you'd see vpnserver. DROP is as above. IN is incoming. eth0 is the network interface. OUT= empty in this case since dropped. MAC is the MAC of the router/interface. SRC is the IP for the source of the traffic. DST is the destination of that traffic (your IP). Then some basic packet and protocol info. PROTO is the protocol (TCP, UDP, etc.). SPT is the source port on the outside machine. DPT is the destination port it's attempting to connect to on your side.

You'll also see a variety of other router messages for what's happening. e.g., errors, status, loading up the VPN and making the connection, etc.

c hris527 · Sep 18, 2018

Mike A. said:
Thanks. Assumed that it was more widespread but just wanted to confirm.

This is something new that seems to have started within the last few weeks. I watch my logs pretty closely and while there may be an attempted connection to the VPN once in a great while or just routine random hits on that port, I've never seen this level of attempts. Must be some sort of vulnerability that's been found in something. No point otherwise. It would be a huge waste of time and resources just bouncing off of locked doors all day. I see some mentions of the same here and there from earlier this year but nothing major.

Seems to be trying directly against the default port. I don't see any scan first to find it ahead of the attempts. Maybe I'll change that just to make things a little more challenging.

You are correct, my VPN is getting hammered also, just make sure your password is good and long. Something is up if they are attacking this way.
Black Hat 2018 was addressing security flaws and the cat is out of the bag. Compression and VPNs Make for Leaked Secrets

J Sigmo · Sep 18, 2018

c hris527 said:
You are correct, my VPN is getting hammered also, just make sure your password is good and long. Something is up if they are attacking this way.
Black Hat 2018 was addressing security flaws and the cat is out of the bag. Compression and VPNs Make for Leaked Secrets

Well, that could explain the sudden uptick in these attempts.

Mike A. said:
Drops are fine. That just means that something attempted to connect to a port but that the connection was not accepted and dropped. You'll see gazillions of those. Nothing that you can do about it with a directly connected system on the Internet like a router. Just noise and comes with the territory.

What you don't want to see, at least for a non-open system where you don't have some service(s) that you want people to connect to like a web server, etc., are ACCEPTs. That means that the connection was made. You will see ACCEPTS for connections that you make to your closed system or other open ports with your IPs shown. Beyond that you shouldn't see any.

It is a good idea to keep an eye on your logs. If for no other reason than initially to prove to yourself what an absolutely terrible idea it is to leave ports open these days. Used to be able to get away with that years ago but now virtually everything gets scanned on a continual basis by bot networks and it's just a matter of time before it's found especially on more common and high value ports. Beyond that useful on an ongoing basis for seeing things like this where there are more directed probes and attacks, troubleshooting, etc. There are various tools that you can feed the logs into to make it more convenient than logging into the router and for better analysis and filtering. Papertrail has a free level and you can point your logs there and then just keep a tab on your browser that you can check easily. A little set up required but if you can get a VPN going then shouldn't have much trouble. Other more elaborate systems if you need/want that but most don't for a home system.

Mine now below. I said above that the attempts stopped when I changed the port but what I meant to say is that it's no longer able to hit the VPN on that port. The attempts to access port 1194 continue but now are just dropped since the port is no longer open.

Date, time, host name are clear. kernel is what's handling the connection, with basic networking running at that level. For VPN, you'd see vpnserver. DROP is as above. IN is incoming. eth0 is the network interface. OUT= empty in this case since dropped. MAC is the MAC of the router/interface. SRC is the IP for the source of the traffic. DST is the destination of that traffic (your IP). Then some basic packet and protocol info. PROTO is the protocol (TCP, UDP, etc.). SPT is the source port on the outside machine. DPT is the destination port it's attempting to connect to on your side.

You'll also see a variety of other router messages for what's happening. e.g., errors, status, loading up the VPN and making the connection, etc.

Thanks for the explanations and time you spent writing this up. I suspect what may be constantly being "dropped" are attempts from my cameras themselves trying to access the internet directly, even though I have their IPs blocked, in the router, from accessing the internet.

ElusiveX99 · Sep 19, 2018

Mike A. said:
I've been getting tons from all over the world over the last week or so. Multiple machines hitting me on a continual basis. Appears to be coordinated among an associated group of bots. One will attempt a string of connections, then it will drop off and another will pick up, then another, etc... Never two different origins at the same time as would be expected if it were more random large scale scanning. None are successful in connecting but it's killing my logs with 10,000s of attempts cluttering things up.

Asus router logs appear as follows (nothing special about the origin IP, just one of many as an example):

Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 TLS Error: TLS handshake failed
Sep 18 02:28:21 [myhostname] vpnserver1: 202.131.140.191:80 SIGUSR1[soft,tls-error] received, client-instance restarting

Changed my IP and they continue. I've checked everything that I can check and I see nothing beaconing out. In fact, I can pull the plug on everything on the inside of my network and change IPs and they continue so I'm pretty much sure of that. So must be just random at least across my ISP's network if not larger. This is my personal network so no reason why anyone would be hitting it in any kind of directed attack against a business, etc.

Anyway, just curious whether it's just me/my ISP or if it's more widespread.

Some big CVE's were issues on ASUS by NIST this past week. Root hasn't been completely established. I have the firmware in question and locked out of my ac-5300 management page. I believe these aren't just limited to the 5300 series.

Read more here. SB18-260: Vulnerability Summary for the Week of September 10, 2018 | US Government Information

I did an external pen test and am showing all kinds of ports open.

I'd make sure remote management is turned off for sure it's most likely the vector that's been used for compromising this code branch.

Stack-based buffer overflow on the ASUS GT-AC5300 router through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact by setting a long sh_path0 value and then sending an appGet.cgi?hook=select_list(“Storage_x_SharedPath”) request, because ej_select_list in router/httpd/web.c uses strcpy.

Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.

c hris527 · Sep 19, 2018

I checked my vpn log this morning, seems to be back to normal, I had one attempt overnight. I WAS getting slammed earlier in the week, most of the traffic was coming from South America.

crw030 · Sep 20, 2018

Simply for comparison, my pfSense firewall logs 1100 blocked connection attempts per hour (average), 9 million in the past 196 days. To say the internet is a dangerous place, would be an understatement!

I need to make time in my "free time" to write a script to extract the important bits (any connection which is ACCEPTed) and summarize the remaining 9 million data points down to a couple important bits like source IP, type of attempt and number of times it was tried.

Odds are high these are mostly botnets, so reporting them to the provider will get the wrong people in trouble, but at least I can (hopefully) identify if a connection makes it through the firewall that I didn't want (ugh).

Search

Search

Anyone else seeing lots of intrusion attempts against their VPN?

Mike A.

Known around here

awsum140

Known around here

J Sigmo

Known around here

Mike A.

Known around here

looney2ns

crw030

Mike A.

Known around here

archedraft

Getting the hang of it

J Sigmo

Known around here

Mike A.

Known around here

c hris527

Known around here

J Sigmo

Known around here

ElusiveX99

n3wb

c hris527

Known around here

crw030