OSSEC Rules for OpenVPN
We use OpenVPN and OSSEC together regularly. Unfortunately, OSSEC doesn’t do any useful interpretation of OpenVPN events out of the box. Instead, you’ll wade through a stream of event id 1002s in your email to see what’s going on with OpenVPN.
We recently sat down and drafted a custom decoder and a few custom rules for one of our clients who graciously permitted us to share them with the public.
The decoder is simple: a parent decoder matches on the program_name “openvpn” and two child decoders match login and failure strings. The decoder pulls the srcip and user from the log messages for use in active response.
The rules are also relatively straightforward. Events are grouped into appropriate existing OSSEC groups. If there are ~5 authentication failures in 2 minutes, a level 10 alert is created, which will trigger active response and block the offending IP address.
openvpn_decoder.xml:
  <!-- The decoder name attributes did not survive extraction; the three names below are assumed. -->
  <decoder name="openvpn">
    <program_name>openvpn</program_name>
  </decoder>

  <decoder name="openvpn-success">
    <parent>openvpn</parent>
    <prematch>TLS: Username/Password authentication succeeded for username</prematch>
    <regex>^(\d+.\d+.\d+.\d+):\d+ TLS: Username/Password authentication succeeded for username '(\S+)'</regex>
    <order>srcip,user</order>
  </decoder>

  <decoder name="openvpn-failed">
    <parent>openvpn</parent>
    <prematch>AUTH_FAILED</prematch>
    <regex>^(\d+.\d+.\d+.\d+):\d+ SENT CONTROL [(\S+)]</regex>
    <order>srcip,user</order>
  </decoder>
openvpn_rules.xml:
  <!-- Rule ids 100501, 100503 and 100504, and every level except the level-10 correlation
       rule described above, were lost in extraction; those values are assumed. The
       same_source_ip element is also assumed, since the post says the offending IP is blocked. -->
  <group name="openvpn,">
    <rule id="100500" level="0">
      <decoded_as>openvpn</decoded_as>
      <description>OpenVPN messages grouped.</description>
    </rule>

    <rule id="100501" level="3">
      <if_sid>100500</if_sid>
      <match>authentication succeeded</match>
      <description>OpenVPN authentication success.</description>
      <group>authentication_success,</group>
    </rule>

    <rule id="100502" level="5">
      <if_sid>100500</if_sid>
      <match>AUTH_FAILED</match>
      <description>OpenVPN authentication failed.</description>
      <group>authentication_failed,</group>
    </rule>

    <rule id="100503" level="10" frequency="5" timeframe="120">
      <if_matched_sid>100502</if_matched_sid>
      <same_source_ip />
      <description>Multiple OpenVPN authentication failures.</description>
      <group>authentication_failures,</group>
    </rule>

    <rule id="100504" level="0">
      <if_sid>100500</if_sid>
      <match>error trying to bind as user| PLUGIN_AUTH_USER_PASS_VERIFY failed with status| Username/Password verification failed for peer| TLS Error| SIGUSR1[soft,tls-error] received, client-instance restarting</match>
      <description>OpenVPN message that is useless, redundant, or lacking context.</description>
    </rule>
  </group>
For cleanliness, we deploy custom decoders in decoders.d and custom rulesets in rules.d as separate files. If your OSSEC installation isn’t already configured this way, save yourself some frustration and modify your server ossec.conf to have these two lines first in your <rules> section:
  <decoder>etc/decoder.xml</decoder>
  <decoder_dir>etc/decoders.d</decoder_dir>
and this line last:
  <rule_dir>etc/rules.d</rule_dir>
Failure to include these in this order will cause issues with your installation.
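To sanity-check the decoder and the failure threshold before deploying them, here is an added Python simulation (not from the original post and not part of OSSEC): it ports the two child-decoder regexes to Python's regex dialect, applies the "authentication succeeded" and "AUTH_FAILED" matches, and replays constructed log bodies through a 5-failures-in-120-seconds window standing in for the level 10 rule. The rule ids 100501 and 100503 are assumed from the numbering in the post, the sample log lines are constructed, and the sliding window only approximates OSSEC's own counter; ossec-logtest remains the authoritative check.

```python
import re
from datetime import datetime, timedelta

# Python ports of the two child-decoder regexes in openvpn_decoder.xml (OSSEC's
# dialect writes "\d+.\d+.\d+.\d+"; Python needs the dots and brackets escaped).
SUCCESS_RE = re.compile(
    r"^(?P<srcip>\d+\.\d+\.\d+\.\d+):\d+ TLS: Username/Password authentication "
    r"succeeded for username '(?P<user>\S+)'")
FAILED_RE = re.compile(
    r"^(?P<srcip>\d+\.\d+\.\d+\.\d+):\d+ SENT CONTROL \[(?P<user>\S+)\]")

FREQUENCY, TIMEFRAME = 5, timedelta(seconds=120)   # rule 100503 thresholds from the post

def decode(message):
    """Mimic the decoder plus rules 100501/100502: (rule_id, srcip, user) or None.
    `message` is the log body after the syslog header, as OSSEC hands it to a decoder."""
    if "authentication succeeded" in message:      # <match> of rule 100501
        m = SUCCESS_RE.search(message)
        return ("100501", m["srcip"], m["user"]) if m else None
    if "AUTH_FAILED" in message:                    # <match> of rule 100502
        m = FAILED_RE.search(message)
        return ("100502", m["srcip"], m["user"]) if m else None
    return None                                     # left to the noise rule

def correlate(events):
    """Replay (timestamp, message) pairs; return srcips that would raise the
    level-10 rule 100503. A plain sliding window that only approximates OSSEC's counter."""
    recent, alerted = {}, []
    for ts, msg in events:
        d = decode(msg)
        if d is None or d[0] != "100502":
            continue
        srcip = d[1]
        window = [t for t in recent.get(srcip, []) if ts - t <= TIMEFRAME] + [ts]
        recent[srcip] = window
        if len(window) >= FREQUENCY and srcip not in alerted:
            alerted.append(srcip)
    return alerted

def sample_events():
    """Constructed OpenVPN log bodies (not real traffic) using RFC 5737 addresses."""
    t0 = datetime(2017, 1, 17, 10, 0, 0)
    fail = "{ip}:51234 SENT CONTROL [{user}]: 'AUTH_FAILED' (status=1)"
    ok = "{ip}:51234 TLS: Username/Password authentication succeeded for username '{user}'"
    events = [(t0, ok.format(ip="203.0.113.5", user="alice"))]          # one success
    events += [(t0 + timedelta(seconds=20 * i), fail.format(ip="203.0.113.10", user="bob"))
               for i in range(5)]                   # 5 failures in 80 s: alert
    events += [(t0 + timedelta(minutes=3 * i), fail.format(ip="198.51.100.7", user="eve"))
               for i in range(5)]                   # 5 failures over 12 min: no alert
    return events
```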
jay
January 20, 2017 @ 5:18 am
Hi
This looks like really good work. My OpenVPN setup is using PAM; are these rules compatible with PAM, or are they for local OpenVPN authentication? From my first attempt at getting it to work, I think they don't work with PAM. I have another OpenVPN server using local auth but haven't got round to testing. Thank you
Internet Staff
January 27, 2019 @ 7:00 am
Sorry I've missed this comment for two years! I only use OpenVPN with PAM, so these definitely work with it.
Nathan Pooley
April 2, 2019 @ 8:15 am
Great work on the rules. If I'm honest, I'm struggling to understand where to implement them and get them working. Do I append these in the appropriate locations of nano /var/ossec/etc/decoder.xml && nano /var/ossec/rules/local_rules.xml then restart, orrr? I mean that's what I'm doing and it doesn't work for me. I assume I'm missing something simple.
Adam John
December 12, 2021 @ 11:38 am
I was doing some research to see if sharing my work of this exact type would be helpful and how much of it is out there already… Remarkable how useful OSSEC+OpenVPN can be generally, and yet how little is openly shared. Thank you for posting this! This is outstanding to start.