OpenVPN Security question - Is this likely an attack? Can it be firewalled?
-
I was looking through my openvpn.log file and found a lot of messages like the one below. Is this an attack? If so, how serious, can I firewall it? Suggestions/comments/hints most appreciated. Thanks.
Mar 5 02:06:36 guardian openvpn[53698]: 83.97.20.33:8553 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 02:06:44 guardian openvpn[53698]: 83.97.20.33:62304 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 02:06:53 guardian openvpn[53698]: 83.97.20.33:39047 WARNING: Bad encapsulated packet length from peer (27648), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:20 guardian openvpn[53698]: 164.52.24.162:58353 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:20 guardian openvpn[53698]: 164.52.24.162:34334 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:21 guardian openvpn[53698]: 164.52.24.162:44893 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:21 guardian openvpn[53698]: 164.52.24.162:33844 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:25 guardian openvpn[53698]: 164.52.24.162:60803 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:25 guardian openvpn[53698]: 164.52.24.162:48203 WARNING: Bad encapsulated packet length from peer (49153), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:26 guardian openvpn[53698]: 164.52.24.162:56052 WARNING: Bad encapsulated packet length from peer (6949), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:26 guardian openvpn[53698]: 164.52.24.162:34693 WARNING: Bad encapsulated packet length from peer (20304), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:27 guardian openvpn[53698]: 164.52.24.162:40267 WARNING: Bad encapsulated packet length from peer (41984), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:27 guardian openvpn[53698]: 164.52.24.162:54843 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 5 03:48:27 guardian openvpn[53698]: 164.52.24.162:34565 WARNING: Bad encapsulated packet length from peer (4108), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
-
@guardian said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:
164.52.24.162
Looking up 164.52.24.162, it's appearing constantly in an abuse database, so likely to be an automated attack. Might want to contact the registrar and request a disconnect.....
-
@Paulk201270 said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:
@guardian said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:
164.52.24.162
Looking up 164.52.24.162, it's appearing constantly in an abuse database, so likely to be an automated attack. Might want to contact the registrar and request a disconnect.....
Thanks for the heads up.... Where did you find it?
-
@guardian Just did a Google search on the IP and abuse and got 100% certainty, with lots of people reporting it. Sorry for the lengthy delay, extremely busy month.
Best regards
Paul.
-
You could use pfBlocker GeoIP to block regions that you don't want people to hit your ovpn server.
-
@NogBadTheBad Yep, or just add a blacklist to an IP range individually.
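-
Added example (not written by anyone in this thread): a small Python triage script for the warnings quoted in the question, counting them per source IP as input for a block list. It relies on the fact that OpenVPN in TCP mode reads the first two bytes of each packet as a big-endian length, so the logged number shows what the peer sent first (5635 is 0x16 0x03, the start of a TLS handshake record); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the warnings quoted in the question (messages truncated after the length).
SAMPLE_LOG = (
    "Mar 5 02:06:36 guardian openvpn[53698]: 83.97.20.33:8553 WARNING: Bad "
    "encapsulated packet length from peer (5635), which must be > 0 and <= 1627 "
    "Mar 5 03:48:25 guardian openvpn[53698]: 164.52.24.162:60803 WARNING: Bad "
    "encapsulated packet length from peer (18245), which must be > 0 and <= 1627 "
    "Mar 5 03:48:26 guardian openvpn[53698]: 164.52.24.162:34693 WARNING: Bad "
    "encapsulated packet length from peer (20304), which must be > 0 and <= 1627 "
)

# Works on entries run together on one line as well as one entry per line.
WARNING_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ WARNING: Bad encapsulated packet length "
    r"from peer \((\d+)\)"
)

def classify(length):
    """Map the logged length back to the two bytes the peer actually sent first."""
    if not 0 <= length <= 0xFFFF:
        return "out-of-range"
    first = length.to_bytes(2, "big")
    if first[0] == 0x16 and first[1] == 0x03:
        return "tls-handshake"  # TLS record header: type 22, version 3.x
    if all(0x41 <= b <= 0x5A for b in first):
        return "ascii " + first.decode("ascii")  # e.g. start of an HTTP method
    return "binary " + first.hex()

def summarize(log_text):
    """Return {source_ip: {"count": n, "kinds": [...]}} for all warnings found."""
    hits = defaultdict(lambda: {"count": 0, "kinds": set()})
    for ip, length in WARNING_RE.findall(log_text):
        hits[ip]["count"] += 1
        hits[ip]["kinds"].add(classify(int(length)))
    return {ip: {"count": v["count"], "kinds": sorted(v["kinds"])}
            for ip, v in hits.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["count"], ", ".join(info["kinds"]))
```

A source that sends TLS, HTTP and assorted binary openers within a few seconds is probing the port for other services rather than speaking OpenVPN with a mismatched MTU.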