OpenVPN failed attempts - banIP to block IPs?

Hi all,
I'm having a few attempts at my OpenVPN server that I would like to block. BanIP got my interest, but I'm not sure if that is what I'm looking for (maybe it is!).
So for example this IP tries several times to connect to my OpenVPN server: 185.200.118.49
Is there a way to block it, I mean automatically, if the IP changes to .50 for instance, or .119.49?
Can I block attempts at my OpenVPN server based on geo-location?

Thanks for your help.

That is normally the domain of fail2ban.


Thanks faser, I will read a little on that one. Is it recommended over banIP, or does it work differently?

Two different functions, and the combination of both is suggested.


Ok, thanks. Is this automated or do I have to manually block attempts? I only want to block attempts on my OpenVPN server because that's the only exploited service (as far as I know of). Typically the attacker tries one time and waits 8-16-24h before the next try.
My PC or iPhone will never have a bad attempt, so this would be an OK way to do it? I mean, since I have the certificate and all..

It's not worth mentioning and can be safely ignored.
Just make sure to run the service as an unprivileged user.

Well, it is "automated" for specific applications that you configure. But I think the standard templates don't fit your requirements ("8-16-24h before the next try"). For that you would need to write your own rules.

But as @vgaetera wrote, it is really questionable whether it is worth the effort to block such an infrequent attack.


You can always ban after one attempt, and whitelist your own unprivileged user, if you're planning to log in from the WAN side.

I think I have my f2b set up for a 24hr discover window.
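As an added example, and not fail2ban, banIP, or anything posted in this thread: a small Python script that does the job a custom fail2ban filter and jail would do for this case. It parses OpenVPN server log lines for failed handshakes, counts them per source IP (or per enclosing network, so a `/24` catches the `.50` neighbour from the question and a `/16` would catch `.119.49`), applies a findtime window (24 hours here, matching the "24hr discover window" mentioned above) and a maxretry threshold, skips whitelisted addresses, and returns the networks to ban. The log lines are constructed and modelled on OpenWrt's `logread` output carrying OpenVPN's own error messages; the function names, the `SAMPLE_LOG` contents and the addresses other than 185.200.118.49 are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# OpenVPN's server-side failure messages for a peer that never completes the
# TLS handshake (wrong/absent cert, missing tls-auth HMAC, scanner probes).
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = [
    re.compile(IPV4 + r":\d+ TLS Error: TLS handshake failed"),
    re.compile(IPV4 + r":\d+ TLS Error: TLS key negotiation failed"),
    re.compile(IPV4 + r":\d+ VERIFY ERROR"),
    re.compile(r"TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]" + IPV4 + r":\d+"),
]

# Syslog prefix as written by OpenWrt's logread (assumed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) .*?openvpn(?:\([^)]*\))?\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample log: one probe from the IP in the question, a neighbour
# from the same /24 a day later, an expired cert from the LAN, and a third
# source that retries just over 24 hours apart.
SAMPLE_LOG = """\
Mon Mar  1 08:12:33 2021 daemon.notice openvpn(server)[2345]: 185.200.118.49:51234 TLS Error: TLS handshake failed
Mon Mar  1 08:40:02 2021 daemon.notice openvpn(server)[2345]: 192.168.1.20:60001 VERIFY ERROR: depth=0, error=certificate has expired
Tue Mar  2 03:55:10 2021 daemon.notice openvpn(server)[2345]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.50:44002
Tue Mar  2 09:01:44 2021 daemon.notice openvpn(server)[2345]: 203.0.113.7:51111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar  3 10:00:00 2021 daemon.notice openvpn(server)[2345]: 203.0.113.7:51112 TLS Error: TLS handshake failed
Wed Mar  3 10:00:05 2021 daemon.notice openvpn(server)[2345]: 198.51.100.9:40000 MULTI: Learn: 10.8.0.6 -> client1/198.51.100.9:40000
"""


def parse_failures(lines):
    """Yield (timestamp, source address) for every failed-handshake line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for pat in FAIL_PATTERNS:
            f = pat.search(m.group("msg"))
            if f:
                # Collapse the padded day ("Mar  1") before strptime.
                ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
                yield ts, ip_address(f.group("host"))
                break


def find_bans(lines, findtime_hours=24, maxretry=1, prefix=32, whitelist=()):
    """Return the sorted list of networks (as strings) that earned a ban.

    A network is banned once `maxretry` failures from it fall inside any
    `findtime_hours` window. `prefix` aggregates sources: 32 bans the exact
    IP, 24 bans the whole x.y.z.0/24 the attempt came from. Sources inside
    `whitelist` (your own addresses) are never counted.
    """
    window = timedelta(hours=findtime_hours)
    allow = [ip_network(n) for n in whitelist]
    hits = defaultdict(list)
    for ts, ip in parse_failures(lines):
        if any(ip in net for net in allow):
            continue
        hits[ip_network(f"{ip}/{prefix}", strict=False)].append(ts)

    bans = []
    for net, stamps in hits.items():
        stamps.sort()
        # Sliding window: the i-th and (i+maxretry-1)-th failure within findtime.
        for i in range(len(stamps)):
            j = i + maxretry - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= window:
                bans.append(str(net))
                break
    return sorted(bans)


if __name__ == "__main__":
    # Two failures from the same /24 within 24 hours -> ban the /24.
    for net in find_bans(SAMPLE_LOG.splitlines(), maxretry=2, prefix=24, whitelist=["192.168.1.0/24"]):
        print(f"ban {net}")
```

With `maxretry=1` the script bans on the first failed handshake, which is what "ban after one attempt" means above; the whitelist is what keeps an expired or mistyped certificate on your own phone from locking you out. The returned networks are what you would feed to a firewall rule or a banIP blocklist; wiring that up is left out because the commands differ per firewall.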

I had exactly him and his friends in my server also. Sometimes they get cranky and mount DoS attacks for around 30 min or so.

I have BanIP also and logging on the firewall WAN interface.

My most effective solution to the biggest problem, which was DoS attacks, was to simply change the standard 1194 port to something else. Then the bad guys keep on scanning the 1194 port forever, find it closed, and never know what happened.
And the DoS attacks are gone.

BanIP can never stop the DoS attacks, since you are the end of the line: you get all the shit that is coming anyway. The thing that triggers the attacker to make you a target is the port status open/filtered. When they find that, they will attack. And they will always auto-scan 1194, since it has become a registered OVPN port, so the bad guys smell gold when finding a live OVPN port, since most companies work from home nowadays.

It sounds like you are confusing port scans with actual attacks.
And even if it is an attack, it may not be related to DoS.

It is denial of service by definition when they plug the incoming 100 Mbit line with 100 Mbit of data for 20-30 min and then give up.

That has nothing to do with the port scans; the scans are just ways to find the targets.

When specifically this guy has found you, the individual IPs will mount up quickly. And they will use the whole 1-255 range, so your problem will mount up quickly.
I had about 10-15 different domains with a lot of individual IP numbers knocking on the 1194 port after a couple of months.

But you can't block them by area, because if you look them up on AbuseIPDB or similar sites, every single IP is just a spoofed server hall, placed mostly in Europe (France, Germany, GB and Ireland) and the USA. Some are Russia and China, but not a lot.

Thanks for all your replies. I sum it up as: I don't need the banIP service, but I will change my OpenVPN server port to something else. Thanks guys!

edit: I assume I can use port 52001 for instance?

You can use whichever port you like, as long as it isn't taken.

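The port change discussed above, as an added example that is not part of the thread: the port has to be changed in the server config (`port N`) and in the client profile (`remote HOST N`), and a mismatch between the two is exactly what shows up as the client still trying 1194. This POSIX sh script writes two constructed minimal configs, moves both to 52001 and verifies that they agree; the paths, hostname and helper names are this example's assumptions. If your firewall has an explicit allow rule for the old port, that rule needs the same change, which the script does not touch.

```sh
#!/bin/sh
# Added example, not from the thread: move OpenVPN off port 1194 on both the
# server config and the client profile, then verify that they agree.
# The paths and file contents below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
SERVER_CONF="$WORK/server.conf"
CLIENT_OVPN="$WORK/client.ovpn"

# Constructed minimal configs, both still on the default port.
cat > "$SERVER_CONF" <<'EOF'
port 1194
proto udp
dev tun
EOF
cat > "$CLIENT_OVPN" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194 udp
EOF

# port_of FILE: print the port a config uses ("port N" on the server,
# "remote HOST N [proto]" in a client profile). Prints nothing if absent.
port_of() {
    awk '$1 == "port" { print $2; exit } $1 == "remote" { print $3; exit }' "$1"
}

# set_port FILE PORT: rewrite only the port number, leaving everything else
# (hostname, trailing proto) intact. Uses a temp file instead of sed -i so it
# behaves the same with busybox sed on OpenWrt and GNU sed on a desktop.
set_port() {
    sed -e "s/^port [0-9]*/port $2/" \
        -e "s/^\(remote [^ ]*\) [0-9]*/\1 $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ports_match SERVER CLIENT: succeed only if both files name the same port.
ports_match() {
    [ -n "$(port_of "$1")" ] && [ "$(port_of "$1")" = "$(port_of "$2")" ]
}

set_port "$SERVER_CONF" 52001
set_port "$CLIENT_OVPN" 52001
if ports_match "$SERVER_CONF" "$CLIENT_OVPN"; then
    echo "server and client both use port $(port_of "$SERVER_CONF")"
else
    echo "port mismatch: server $(port_of "$SERVER_CONF"), client $(port_of "$CLIENT_OVPN")" >&2
    exit 1
fi
```

Run `ports_match server.conf client.ovpn` against your real files after editing them; if it fails, the client profile is the usual culprit, since the server only reads its own config.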

Thanks frollic, just changed it now. I also edited the OpenVPN client file and the OpenVPN server conf, but it looks like, from my iPhone OpenVPN log, that it's using port 1194 to start and then switches to 52001?

BanIP is a cyber security tool in the toolbox, so it isn't useless.

Different threats need different tools. For the OVPN port problem, the most effective solution is to slip under the radar with the legitimate traffic, and for that, changing the port is a good tactic.

BanIP, for example, when I tested the slipstream attack that was announced late last year, stopped every exploit attempt I made with the test server after about 3 attempts, instead of a lot of attempts without BanIP, so BanIP is a tool worth having for different kinds of random cyber threats; it also has some standard protection from different kinds of sites.


Thanks for that comment, I will definitely look into banIP after I read that.


It was actually by a classic test mistake that I found out that BanIP blocked the slipstream.

The instructions only talked about firewalls on the test computer, but the test was stopping very fast with a strange fault message, something like "lost ability to connect" or so?

After some thinking I found out that it actually was BanIP, which I had forgotten about, that stopped me playing around in the hacker world :rofl:

Hehe, cool!
I simply installed banip and luci-app-banip; do I have to do something more? I guess if something is blocked that's not supposed to be, I will be notified :wink:

BanIP as standard doesn’t talk a lot in the logs.

But first of all enable it!

Choose which URL lists to activate.
And also make a cron job to update the URL lists, as mentioned in the manual on GitHub.