We use OpenVPN and OSSEC together regularly. Unfortunately, OSSEC doesn’t do any useful interpretation of OpenVPN events out of the box. Instead, you’ll wade through a stream of generic rule 1002 alerts ("Unknown problem somewhere in the system") in your email to see what’s going on with OpenVPN.
We recently sat down and drafted a custom decoder and a few custom rules for one of our clients who graciously permitted us to share them with the public.
The decoder is simple: a parent decoder matches on the program_name “openvpn” and two child decoders match login and failure strings. The decoder pulls the srcip and user from the log messages for use in active response.
The rules are also relatively straightforward. Events are grouped into appropriate existing OSSEC groups. If there are ~5 authentication failures in 2 minutes, a level 10 alert is created, which will trigger active response and block the offending IP address.
<!-- Reconstructed from the flattened text of this page. The name attributes were not
     preserved; the child decoders reuse the parent's name, as OSSEC's stock decoders do. -->
<decoder name="openvpn">
  <program_name>openvpn</program_name>
</decoder>

<decoder name="openvpn">
  <parent>openvpn</parent>
  <prematch>TLS: Username/Password authentication succeeded for username</prematch>
  <regex>^(\d+.\d+.\d+.\d+):\d+ TLS: Username/Password authentication succeeded for username '(\S+)'</regex>
  <order>srcip,user</order>
</decoder>

<decoder name="openvpn">
  <parent>openvpn</parent>
  <prematch>AUTH_FAILED</prematch>
  <regex>^(\d+.\d+.\d+.\d+):\d+ SENT CONTROL [(\S+)]</regex>
  <order>srcip,user</order>
</decoder>
<!-- Reconstructed from the flattened text of this page. Attribute values other than the
     rule ids 100500 and 100502 were not preserved; values marked "assumed" are filled in
     from the description above (level 10, ~5 failures in 2 minutes) or by convention. -->
<group name="openvpn,">   <!-- group name assumed -->

  <rule id="100500" level="0">
    <decoded_as>openvpn</decoded_as>
    <description>OpenVPN messages grouped.</description>
  </rule>

  <rule id="100501" level="3">   <!-- id and level assumed -->
    <if_sid>100500</if_sid>
    <match>authentication succeeded</match>
    <description>OpenVPN authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100502" level="5">   <!-- level assumed -->
    <if_sid>100500</if_sid>
    <match>AUTH_FAILED</match>
    <description>OpenVPN authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100503" level="10" frequency="5" timeframe="120">   <!-- id assumed; level, frequency and timeframe from the text above -->
    <if_matched_sid>100502</if_matched_sid>
    <same_source_ip />   <!-- assumed: empty elements leave no trace in the page text; needed so failures are counted, and blocked, per source address -->
    <description>Multiple OpenVPN authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="100504" level="0">   <!-- id assumed -->
    <if_sid>100500</if_sid>
    <match>error trying to bind as user| PLUGIN_AUTH_USER_PASS_VERIFY failed with status| Username/Password verification failed for peer| TLS Error| SIGUSR1[soft,tls-error] received, client-instance restarting</match>
    <description>OpenVPN message that is useless, redundant, or lacking context.</description>
  </rule>

</group>
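As an added example (it is not part of the original post and not OSSEC's code), the following Python script re-implements the decoders and the frequency rule described above and runs them over constructed syslog lines, so you can check offline which lines decode, which rule each one hits, and which source address a level 10 alert would hand to active response. The rule ids other than 100500 and 100502, the levels below 10, and the sample OpenVPN messages are assumptions; the OSSEC regexes are translated into Python's dialect (`\.` for the dots, `\[`/`\]` for the literal brackets, since OSSEC's regex engine is not PCRE). OSSEC's own frequency counter does not line up exactly with the nominal setting (hence the "~5" above); this simulation fires on the fifth failure inside the timeframe from one source.

```python
"""Added example: simulate the OpenVPN decoders and rules over constructed log lines.
Not OSSEC code; rule ids/levels other than 100500, 100502 and level 10 are assumed."""
import re
from collections import defaultdict, deque

# Constructed sample input in the syslog form OSSEC reads. The AUTH_FAILED lines follow
# OpenVPN's "SENT CONTROL [user]: 'AUTH_FAILED'" message; the last line is a non-OpenVPN
# event that the parent decoder must ignore.
SAMPLE_LOG = """\
Mar  4 10:00:01 vpn1 openvpn[2210]: 198.51.100.7:51432 TLS: Username/Password authentication succeeded for username 'alice'
Mar  4 10:00:05 vpn1 openvpn[2210]: 203.0.113.9:40001 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
Mar  4 10:00:20 vpn1 openvpn[2210]: 203.0.113.9:40002 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
Mar  4 10:00:41 vpn1 openvpn[2210]: 203.0.113.9:40003 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
Mar  4 10:00:55 vpn1 openvpn[2210]: 203.0.113.9:40004 TLS Error: TLS handshake failed
Mar  4 10:01:10 vpn1 openvpn[2210]: 203.0.113.9:40005 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
Mar  4 10:01:30 vpn1 openvpn[2210]: 203.0.113.9:40006 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
Mar  4 10:01:33 vpn1 sshd[900]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
"""

# Syslog header: OSSEC takes program_name from the "prog[pid]:" token.
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# The two child decoders: (prematch substring, regex yielding srcip and user).
# Translated from OSSEC's regex dialect, where "." is any character and "[" is literal.
IP = r"(\d+\.\d+\.\d+\.\d+)"
CHILD_DECODERS = [
    ("TLS: Username/Password authentication succeeded for username",
     re.compile(r"^" + IP + r":\d+ TLS: Username/Password authentication succeeded for username '(\S+)'")),
    ("AUTH_FAILED",
     re.compile(r"^" + IP + r":\d+ SENT CONTROL \[(\S+)\]")),
]

# Strings from the "useless, redundant, or lacking context" rule.
NOISE = ("error trying to bind as user", "PLUGIN_AUTH_USER_PASS_VERIFY failed with status",
         "Username/Password verification failed for peer", "TLS Error",
         "SIGUSR1[soft,tls-error] received, client-instance restarting")


def parse_syslog(line):
    """Split a syslog line into seconds-of-day, program name and message, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    return {"ts": h * 3600 + mi * 60 + s, "prog": m.group("prog"), "msg": m.group("msg")}


def decode(msg):
    """Apply the child decoders; srcip/user are filled only when prematch and regex both hit."""
    event = {"msg": msg}
    for prematch, rx in CHILD_DECODERS:
        if prematch in msg:
            m = rx.match(msg)
            if m:
                event["srcip"], event["user"] = m.group(1), m.group(2)
            break
    return event


class RuleEngine:
    """Sliding-window version of the frequency/timeframe rule, counted per source address."""

    def __init__(self, frequency=5, timeframe=120):
        self.frequency, self.timeframe = frequency, timeframe
        self.failures = defaultdict(deque)  # srcip -> timestamps of recent AUTH_FAILED events

    def evaluate(self, event, ts):
        """Return (rule_id, level, description) for one decoded openvpn event."""
        msg = event["msg"]
        if "authentication succeeded" in msg:
            return (100501, 3, "OpenVPN authentication success.")
        if "AUTH_FAILED" in msg:
            window = self.failures[event.get("srcip", "unknown")]
            window.append(ts)
            while ts - window[0] > self.timeframe:  # drop failures older than the timeframe
                window.popleft()
            if len(window) >= self.frequency:
                window.clear()  # one burst -> one level-10 alert (and one block action)
                return (100503, 10, "Multiple OpenVPN authentication failures.")
            return (100502, 5, "OpenVPN authentication failed.")
        if any(n in msg for n in NOISE):
            return (100504, 0, "OpenVPN message that is useless, redundant, or lacking context.")
        return (100500, 0, "OpenVPN messages grouped.")


def run(log_text, engine=None):
    """Return one (ts, rule_id, level, srcip, user) tuple per line the openvpn decoder accepts."""
    engine = engine or RuleEngine()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_syslog(line)
        if parsed is None or parsed["prog"] != "openvpn":
            continue  # parent decoder (program_name openvpn) did not match
        event = decode(parsed["msg"])
        rule_id, level, _ = engine.evaluate(event, parsed["ts"])
        alerts.append((parsed["ts"], rule_id, level, event.get("srcip"), event.get("user")))
    return alerts


def blocked_ips(alerts, threshold=10):
    """Source addresses that an active response on level >= threshold would receive."""
    return sorted({srcip for _, _, level, srcip, _ in alerts if level >= threshold and srcip})


if __name__ == "__main__":
    for ts, rule_id, level, srcip, user in run(SAMPLE_LOG):
        print(f"{ts:6d} rule {rule_id} level {level:2d} srcip={srcip} user={user}")
    print("would block:", blocked_ips(run(SAMPLE_LOG)))
```

Feeding the same five failures spread over more than two minutes never reaches level 10, which is the check worth running before enabling active response on a rule: a window that is too wide blocks impatient users, one that is too narrow misses slow guessing.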
For cleanliness, we deploy custom decoders in decoders.d and custom rulesets in rules.d as separate files. If your OSSEC installation isn’t already configured this way, save yourself some frustration and modify your server ossec.conf to have these two lines first in your <rules> section:
and this line last:
Failure to include these in this order will cause issues with your installation.