9 October 2013 20:40

We'll see here how to protect our PPTP server with Fail2ban, to stop brute-force attacks. The OS used is Raspbian, but this should work with any Ubuntu or Debian variant.

VPN 7 : PPTP server protection with Fail2ban

Fail2ban monitors the system logs for failed login attempts, and dynamically builds iptables rules to block individual IPs.

Do note that using Fail2ban with pptpd is kind of a hack, due to the unusual way pptpd performs logging.

Tested using Raspbian June 2014 / Last edited July 28 2014


1. Fail2Ban installation

We do the usual updates:

sudo apt-get update
sudo apt-get upgrade

We install fail2ban:

sudo apt-get install fail2ban

We create a fail2ban jail.local file to add pptp:

sudo nano /etc/fail2ban/jail.local

We add a pptp entry:
------------------------------------------------------------------------------------------------------------------
[pptp]

enabled = true
port = 1723
protocol = tcp
filter = pptp
logpath = /var/log/syslog
bantime = 60
findtime = 600
maxretry = 2

------------------------------------------------------------------------------------------------------------------

The last three lines are the most important, as they shape your protection:

bantime : time an IP is banned, in seconds. A negative number means a permanent ban.
maxretry : number of matches before an IP is banned.
findtime : time window, in seconds, after which an IP's match counter is reset to 0.


We create the pptp failed-connection detection filter, using a regex:
sudo nano /etc/fail2ban/filter.d/pptp.conf
-------------------------------------------------------------------------------------------------------
[Definition]
failregex = CTRL: Client <HOST> control connection finished
ignoreregex =
--------------------------------------------------------------------------------------------------------

We restart the fail2ban service:
sudo service fail2ban restart

Note: you may need pptp debugging for this trick to work, if /var/log/syslog doesn't log IP addresses:
sudo nano /etc/ppp/options
and uncomment debug:
----------------------------------------------------------------------------------------------------------------
debug
----------------------------------------------------------------------------------------------------------------

This is kind of a hack, because there is no way for fail2ban to distinguish a failed login from a regular PPTP connection termination, due to pptpd's logging format. Thus, regular logins will be counted as failed ones, and the IP will eventually get banned. (You will need to lift the ban manually using SSH, or cleverly design the bantime/findtime/maxretry values so as to allow regular usage while preventing brute-forcing at the same time.)
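To see how the jail settings above interact with this filter, here is an added example (not part of the original post) that replays fail2ban's counting logic over a few constructed syslog lines with the page's failregex, bantime, findtime and maxretry. The syslog sample and the year used for timestamp parsing are assumptions; it shows that two ordinary disconnects within findtime are enough to get a legitimate client banned, while the same two events spread wider than findtime are not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The page's failregex, with fail2ban's <HOST> placeholder expanded to an
# IPv4 capture group (fail2ban itself substitutes a broader host pattern).
FAILREGEX = re.compile(
    r"CTRL: Client (?P<host>\d{1,3}(?:\.\d{1,3}){3}) control connection finished"
)

# Jail settings from the jail.local fragment on the page.
MAXRETRY = 2
FINDTIME = 600
BANTIME = 60

# Constructed sample syslog (not from a real server). 203.0.113.10 is a normal
# user reconnecting twice within 10 minutes; 198.51.100.7 disconnects twice 20
# minutes apart.
SAMPLE_SYSLOG = """\
Jul 28 10:00:01 raspberrypi pptpd[2301]: CTRL: Client 203.0.113.10 control connection started
Jul 28 10:00:05 raspberrypi pptpd[2301]: CTRL: Client 203.0.113.10 control connection finished
Jul 28 10:03:12 raspberrypi pptpd[2310]: CTRL: Client 203.0.113.10 control connection finished
Jul 28 10:20:40 raspberrypi pptpd[2320]: CTRL: Client 198.51.100.7 control connection finished
Jul 28 10:40:00 raspberrypi pptpd[2331]: CTRL: Client 198.51.100.7 control connection finished
"""


def parse_ts(line, year=2014):
    """Syslog lines carry no year; assume one so the timestamps can be compared."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the jail: a host is banned once maxretry matches fall within
    findtime seconds. Returns a list of (host, ban_time, unban_time)."""
    matches = defaultdict(deque)
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        window = matches[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget matches older than findtime
        if len(window) >= maxretry:
            bans.append((host, ts, ts + timedelta(seconds=bantime)))
            window.clear()
    return bans
```

With the page's values only 203.0.113.10 is banned (at 10:03:12, for 60 seconds); raising findtime to an hour would ban 198.51.100.7 as well, which is the trade-off the paragraph above describes.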


2. Fail2Ban use

Active bans/unbans can be checked using:
cat /var/log/fail2ban.log

Another way to check active bans is with iptables:

sudo iptables -L


Likewise, unbanning an IP can be performed using iptables.


To check which log lines your regex matches:
sudo fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pptp.conf

If you're using the ignoreregex value too, use:

sudo fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pptp.conf /etc/fail2ban/filter.d/pptp.conf


NB: here we are using a jail.local file instead of editing the jail.conf file. jail.local is read after jail.conf at startup, so its settings take precedence over those in jail.conf.


Published by computer outlines - in VPN PPTP

Comments

Yevgeny 15/05/2017 22:15

I ran similar issue and here is my solution: https://github.com/phaoost/pptp-ppp-fail2ban

Coornaert David 16/03/2015 10:51

https://drive.google.com/file/d/0BxuaO1z3Hb3Ac1BRRGFPRnNDeDA/view?usp=sharing
here's my fail2ban pptpd detect regular expression
this one will not be affected by regular login :)
