OpenVPN: iptables against attack

oversim

Regular Contributor
Hi! For some reason I had to change the external OpenVPN port from its default value (1194) to 22.
And this is OK for me, BUT maybe some port-scan daemon, when it hits my public IP, causes a lot of these entries in my AC87U system log.

Code:
Jun 21 13:54:21 openvpn[1332]: xxx.xxx.xxx.xxx WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 21 13:54:48 openvpn[1332]: xxx.xxx.xxx.xxx WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 21 13:55:35 openvpn[1332]: xxx.xxx.xxx.xxx WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 21 13:55:36 openvpn[1332]: xxx.xxx.xxx.xxx WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Using Google :p I tried something like

Code:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 -j DROP

But the OpenVPN log entries still spam my log :-D Any suggestion?
OpenVPN log verbosity is already at the minimum value.
 
Any suggestion?
You could try collecting those source IP addresses in an IPSET when any source IP attempts to connect to an unused port on the Internet-facing side of your router, then drop those sources ASAP.

At first I noticed the Shadow Server Foundation doing it to me (the good guys). After observing this phenomenon for some time, I see that the source IPs are from all over the world, including some Tor exit nodes. It's like a nexus of good guys and other criminals.
 
See if UDP is allowed through your firewall. It's less likely to get hit by scanners than TCP.

Repurposing a known port like you're doing here is never a good idea.
 
Using Google :p I tried something like
Code:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 -j DROP
But the OpenVPN log entries still spam my log :-D Any suggestion?

I believe the rules are in the wrong order?
(The insert '-I' syntax creates rules in reverse order unlike the add '-A' syntax.)

The first rule to execute should be the '--set', and the second rule to execute should be the '-j DROP', so without explicitly specifying the rule position for the insert '-I' syntax, issue:
Code:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

NOTE: You could also insert them correctly in the original sequence (still using the '-I' syntax) by specifying the absolute rule position to be used:
Code:
iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT 2 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 -j DROP
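To see why the rule order matters on the timestamps from the original post, here is an added Python simulation (not from this thread, and not iptables itself) of the `recent` module's `--set` / `--update --seconds --hitcount` bookkeeping. It assumes each warning line is one NEW TCP connection from the same source, and the source address is a constructed documentation IP standing in for xxx.xxx.xxx.xxx.

```python
import re
from datetime import datetime

# Constructed sample: the four warnings from the thread, one per NEW TCP connection
# (assumption), with the masked peer address replaced by a documentation IP.
LOG = """\
Jun 21 13:54:21 openvpn[1332]: 198.51.100.7 WARNING: Bad encapsulated packet length from peer (21331)
Jun 21 13:54:48 openvpn[1332]: 198.51.100.7 WARNING: Bad encapsulated packet length from peer (21331)
Jun 21 13:55:35 openvpn[1332]: 198.51.100.7 WARNING: Bad encapsulated packet length from peer (21331)
Jun 21 13:55:36 openvpn[1332]: 198.51.100.7 WARNING: Bad encapsulated packet length from peer (21331)
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn\[\d+\]: (\S+) WARNING")


def parse(log, year=2020):
    """Yield (timestamp, source_ip) for each OpenVPN warning line (year is assumed)."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)


def simulate(events, order, seconds=10, hitcount=2):
    """Replay NEW connections through the two '-m recent' rules in the given order.

    order names the chain from top to bottom: ('set', 'drop') is the order the reply
    recommends; ('drop', 'set') is what two plain '-I INPUT' calls in the original
    sequence produce, because each -I pushes the new rule above the previous one.
    Returns the timestamps the DROP rule would have matched.
    """
    stamps = {}   # source ip -> hit timestamps (xt_recent keeps these per list entry)
    dropped = []
    for ts, ip in events:
        hits = stamps.setdefault(ip, [])
        for rule in order:
            if rule == "set":
                hits.append(ts)          # --set: record a hit, then continue down the chain
            else:
                # --update --seconds N --hitcount M: match only if >= M hits in the last N s
                recent = [h for h in hits if (ts - h).total_seconds() <= seconds]
                if len(recent) >= hitcount:
                    hits.append(ts)      # --update also records the matching packet
                    dropped.append(ts)
                    break                # -j DROP: this connection never reaches OpenVPN
    return dropped


if __name__ == "__main__":
    ev = list(parse(LOG))
    print("set then drop:", simulate(ev, ("set", "drop")))   # only 13:55:36 is dropped
    print("drop then set:", simulate(ev, ("drop", "set")))   # nothing is dropped
```

With the rules in the order the reply recommends, the fourth attempt (one second after the third) is dropped; with the order the original two `-I` commands actually produced, every attempt still reaches OpenVPN, which is consistent with the log still filling up.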
 
