Hello,
Is there any way to block “port scanners” or the like that cause floods in my logs? I have an OpenVPN server on 1194/udp, and a few times a day I am facing logs like this:
Feb 20 13:19:22 mktk-hostname ovpn,info <50.116.31.18>: disconnected
It is possible to limit such logs by limiting the number of new connections to the server.
Are all those requests from the same external address or subnet?
It is ~10k lines from the same IP in the same second. This will not get caught by a “connection ratio” rule, as from the firewall's point of view it is one connection (or UDP stream, to be precise).
I have captured this situation now, and it is really suspicious. It looks like a RouterOS OpenVPN implementation BUG, because ONLY ONE packet was received on udp/1194, 31 packets were sent back to the “attacker”, AND 80k LINES were written into the log:
# cat mktk-hostname.log | uniq -c
1 Feb 21 10:09:14 mktk-hostname ovpn,info connection established from 38.132.109.163, port: 35370 to 1.2.3.4
688 Feb 21 10:09:44 mktk-hostname ovpn,info <38.132.109.163>: disconnected <TLS failed>
1 Feb 21 10:09:44 mktk-hostname ovpn,info <38.132.109.163>: disconnected <internal error>
41628 Feb 21 10:09:44 mktk-hostname ovpn,info <38.132.109.163>: disconnected <TLS failed>
39137 Feb 21 10:09:45 mktk-hostname ovpn,info <38.132.109.163>: disconnected <TLS failed>
I will try to make a capture directly on the line, without TZSP streaming, to be completely sure I have not missed anything, and if this is confirmed I will contact support.
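To quantify a flood like the one above without counting by hand, here is a small parser for the two RouterOS "ovpn,info" line shapes shown in this thread (connection established / disconnected with an optional reason). It is an added example written for this post, not code from the thread, from MikroTik or from OpenVPN. The sample log is constructed inline with RFC 5737 test addresses, and the burst threshold (100 disconnect lines from one IP within one second) is an assumed value; it reports per-IP, per-second bursts and the ratio of disconnect lines to established sessions, which is exactly the "one connection, 80k lines" symptom described.

```python
import re
from collections import Counter

# Timestamp prefix as RouterOS writes it in the thread's excerpt, e.g. "Feb 21 10:09:44".
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# "... ovpn,info connection established from <ip>, port: <port> to <dst>"
ESTABLISHED_RE = re.compile(
    _TS + r" (?P<host>\S+) ovpn,info connection established from "
    r"(?P<ip>" + _IP + r"), port: (?P<port>\d+) to (?P<dst>\S+)$"
)
# "... ovpn,info <ip>: disconnected" optionally followed by " <reason>"
DISCONNECT_RE = re.compile(
    _TS + r" (?P<host>\S+) ovpn,info <(?P<ip>" + _IP + r")>: "
    r"disconnected(?: <(?P<reason>[^>]*)>)?$"
)


def parse_line(line):
    """Return a dict for one ovpn log line, or None for lines of any other shape."""
    m = ESTABLISHED_RE.match(line)
    if m:
        return {"ts": m["ts"], "ip": m["ip"], "event": "established", "reason": None}
    m = DISCONNECT_RE.match(line)
    if m:
        # A bare "disconnected" (as in the first post) has no reason field.
        return {"ts": m["ts"], "ip": m["ip"], "event": "disconnected",
                "reason": m["reason"] or "none"}
    return None


def find_bursts(lines, per_second_threshold=100):
    """Return [(ip, ts, count)] for every (ip, second) that produced >= threshold disconnect lines."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == "disconnected":
            counts[(ev["ip"], ev["ts"])] += 1
    return sorted((ip, ts, n) for (ip, ts), n in counts.items() if n >= per_second_threshold)


def lines_per_session(lines):
    """Per source IP: (established sessions, disconnect lines, disconnect lines per session)."""
    established, disconnects = Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "established":
            established[ev["ip"]] += 1
        else:
            disconnects[ev["ip"]] += 1
    result = {}
    for ip in set(established) | set(disconnects):
        ratio = disconnects[ip] / established[ip] if established[ip] else float("inf")
        result[ip] = (established[ip], disconnects[ip], ratio)
    return result


def build_sample_log():
    """Constructed sample shaped like the thread's excerpt; addresses are RFC 5737 test ranges."""
    noisy, legit, host = "198.51.100.7", "203.0.113.9", "mktk-hostname"
    lines = [
        f"Feb 21 10:09:14 {host} ovpn,info connection established from {noisy}, port: 35370 to 192.0.2.1",
        f"Feb 21 10:09:20 {host} ovpn,info connection established from {legit}, port: 41002 to 192.0.2.1",
        f"Feb 21 10:09:30 {host} ovpn,info <{legit}>: disconnected",
        f"Feb 21 10:09:31 {host} system,info router rebooted",  # unrelated topic, ignored by the parser
    ]
    # One UDP "session" from the noisy peer fans out into hundreds of disconnect lines per second.
    lines += [f"Feb 21 10:09:44 {host} ovpn,info <{noisy}>: disconnected <TLS failed>"] * 300
    lines.append(f"Feb 21 10:09:44 {host} ovpn,info <{noisy}>: disconnected <internal error>")
    lines += [f"Feb 21 10:09:45 {host} ovpn,info <{noisy}>: disconnected <TLS failed>"] * 250
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for ip, ts, n in find_bursts(sample):
        print(f"burst: {n} disconnect lines from {ip} at {ts}")
    for ip, (est, disc, ratio) in sorted(lines_per_session(sample).items()):
        print(f"{ip}: {est} session(s), {disc} disconnect line(s), {ratio:.0f} per session")
```

On a real file you would replace `build_sample_log()` with the lines read from the exported log; a legitimate client disconnects once per session, so any IP whose ratio is in the hundreds or thousands is the flood to investigate (or to match in a firewall rule), regardless of how many "connections" the firewall counted.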