router log, am I under attack?

paulli

Hi,

I noticed some very strange OpenVPN connections in my AC68U log, am I under attack? I don't recognize the IP addresses that are trying to make the OpenVPN connection.

Oct 4 09:59:57 ntp: start NTP update
Oct 4 10:59:57 ntp: start NTP update
Oct 4 11:18:49 openvpn[16361]: TCP connection established with [AF_INET]176.126.221.42:56447
Oct 4 11:18:49 openvpn[16361]: 176.126.221.42:56447 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:18:49 openvpn[16361]: 176.126.221.42:56447 Connection reset, restarting [0]
Oct 4 11:18:49 openvpn[16361]: 176.126.221.42:56447 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:18:55 openvpn[16361]: TCP connection established with [AF_INET]176.126.221.42:56463
Oct 4 11:18:55 openvpn[16361]: 176.126.221.42:56463 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:18:55 openvpn[16361]: 176.126.221.42:56463 Connection reset, restarting [0]
Oct 4 11:18:55 openvpn[16361]: 176.126.221.42:56463 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:38:54 openvpn[16361]: TCP connection established with [AF_INET]213.136.104.226:57654
Oct 4 11:38:54 openvpn[16361]: 213.136.104.226:57654 TCP connection established with [AF_INET]213.136.104.226:10629
Oct 4 11:38:54 openvpn[16361]: 213.136.104.226:10629 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:38:54 openvpn[16361]: 213.136.104.226:10629 Connection reset, restarting [0]
Oct 4 11:38:54 openvpn[16361]: 213.136.104.226:10629 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:38:55 openvpn[16361]: 213.136.104.226:57654 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:38:55 openvpn[16361]: 213.136.104.226:57654 Connection reset, restarting [0]
Oct 4 11:38:55 openvpn[16361]: 213.136.104.226:57654 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:43:42 openvpn[16361]: TCP connection established with [AF_INET]193.109.199.200:48439
Oct 4 11:43:42 openvpn[16361]: 193.109.199.200:48439 Connection reset, restarting [0]
Oct 4 11:43:42 openvpn[16361]: 193.109.199.200:48439 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:45:12 openvpn[16361]: TCP connection established with [AF_INET]193.109.199.200:56358
Oct 4 11:45:12 openvpn[16361]: 193.109.199.200:56358 Connection reset, restarting [0]
Oct 4 11:45:12 openvpn[16361]: 193.109.199.200:56358 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:46:57 openvpn[16361]: TCP connection established with [AF_INET]193.109.199.200:60939
Oct 4 11:46:57 openvpn[16361]: 193.109.199.200:60939 Connection reset, restarting [0]
Oct 4 11:46:57 openvpn[16361]: 193.109.199.200:60939 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:48:35 openvpn[16361]: TCP connection established with [AF_INET]193.109.199.200:55426
Oct 4 11:48:35 openvpn[16361]: 193.109.199.200:55426 Connection reset, restarting [0]
Oct 4 11:48:35 openvpn[16361]: 193.109.199.200:55426 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:50:59 openvpn[16361]: TCP connection established with [AF_INET]193.109.199.200:20374
Oct 4 11:50:59 openvpn[16361]: 193.109.199.200:20374 Connection reset, restarting [0]
Oct 4 11:50:59 openvpn[16361]: 193.109.199.200:20374 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:53:25 openvpn[16361]: TCP connection established with [AF_INET]193.109.199.200:50946
Oct 4 11:53:25 openvpn[16361]: 193.109.199.200:50946 Connection reset, restarting [0]
Oct 4 11:53:25 openvpn[16361]: 193.109.199.200:50946 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:54:47 openvpn[16361]: TCP connection established with [AF_INET]159.0.136.86:50729
Oct 4 11:54:47 openvpn[16361]: 159.0.136.86:50729 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:54:47 openvpn[16361]: 159.0.136.86:50729 Connection reset, restarting [0]
Oct 4 11:54:47 openvpn[16361]: 159.0.136.86:50729 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:54:48 openvpn[16361]: TCP connection established with [AF_INET]159.0.136.86:50720
Oct 4 11:54:48 openvpn[16361]: 159.0.136.86:50720 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:54:48 openvpn[16361]: 159.0.136.86:50720 Connection reset, restarting [0]
Oct 4 11:54:48 openvpn[16361]: 159.0.136.86:50720 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:57:52 openvpn[16361]: TCP connection established with [AF_INET]213.136.104.226:34997
Oct 4 11:57:52 openvpn[16361]: 213.136.104.226:34997 TCP connection established with [AF_INET]213.136.104.226:48262
Oct 4 11:57:52 openvpn[16361]: 213.136.104.226:48262 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:57:52 openvpn[16361]: 213.136.104.226:48262 Connection reset, restarting [0]
Oct 4 11:57:52 openvpn[16361]: 213.136.104.226:48262 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:57:53 openvpn[16361]: 213.136.104.226:34997 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:57:53 openvpn[16361]: 213.136.104.226:34997 Connection reset, restarting [0]
Oct 4 11:57:53 openvpn[16361]: 213.136.104.226:34997 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:57:57 openvpn[16361]: TCP connection established with [AF_INET]213.136.104.226:55379
Oct 4 11:57:58 openvpn[16361]: TCP connection established with [AF_INET]213.136.104.226:35728
Oct 4 11:57:58 openvpn[16361]: 213.136.104.226:35728 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:57:58 openvpn[16361]: 213.136.104.226:35728 Connection reset, restarting [0]
Oct 4 11:57:58 openvpn[16361]: 213.136.104.226:35728 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:57:58 openvpn[16361]: 213.136.104.226:55379 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Oct 4 11:57:58 openvpn[16361]: 213.136.104.226:55379 Connection reset, restarting [0]
Oct 4 11:57:58 openvpn[16361]: 213.136.104.226:55379 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct 4 11:59:57 ntp: start NTP update
 
What port is your OpenVPN server listening to? I strongly recommend avoiding any of the ports used by other web services such as 80 or 443, as these will see a LOT of port scanning activity.
 
Unfortunately I only could use those ports because they block everything else at work.

Is there any way I could block a network in the Asus AC68U?

I am not using the Merlin firmware because OpenVPN is extremely slow when transferring files.
 
Try switching to 80 udp instead of 80 tcp, just in case the sysadmin at work isn't that clever and somehow opened port 80 for both protocols. If it works, you'll be fine - web servers don't use udp, so scanners won't be trying it out.

Switching from port 80 to 443 might also help, as most scanners will try only port 80 - the SSL handshaking of port 443 would slow their scanning process too much.

Otherwise, you'd have to go with my firmware, and customize your firewall rules to only accept inbound connections coming from your work's static IP (it's most likely static if they have such a sophisticated firewall policy in place).

OpenVPN performance should be equal or even slightly better with my firmware than stock firmware, as I enable additional compiler optimizations over those used by Asus.
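
Added example, not part of the original thread or of any firmware: OpenVPN in TCP mode prefixes every packet with a 16-bit length, so the number in "Bad encapsulated packet length from peer (N)" is simply the first two bytes the remote side sent. Decoding it shows what kind of client knocked: 5635 is 0x16 0x03, the start of a TLS handshake record, and 32838 is 0x80 0x46, which is consistent with an SSLv2-style hello, i.e. web clients and scanners hitting port 80/443 rather than an OpenVPN peer. The sample log is constructed (documentation-range addresses, and the 18245 line does not appear in the thread); the category names and the SSLv2 test are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the log in the first post.
SAMPLE_LOG = """\
Oct 4 11:18:49 openvpn[16361]: TCP connection established with [AF_INET]192.0.2.10:56447
Oct 4 11:18:49 openvpn[16361]: 192.0.2.10:56447 WARNING: Bad encapsulated packet length from peer (32838), which must be > 0 and <= 1592
Oct 4 11:38:54 openvpn[16361]: 198.51.100.7:10629 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1592
Oct 4 11:40:02 openvpn[16361]: 203.0.113.5:40112 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1592
Oct 4 11:43:42 openvpn[16361]: 198.51.100.7:48439 Connection reset, restarting [0]
"""

BAD_LEN = re.compile(r"openvpn\[\d+\]: (\d+\.\d+\.\d+\.\d+):\d+ WARNING: "
                     r"Bad encapsulated packet length from peer \((\d+)\)")

# First two bytes of common HTTP methods (GET, POST, HEAD, OPTIONS, CONNECT, PUT).
HTTP_PREFIXES = {b"GE", b"PO", b"HE", b"OP", b"CO", b"PU"}

def classify_length(length):
    """Turn the bogus length back into the two bytes the peer sent first."""
    raw = (length & 0xFFFF).to_bytes(2, "big")
    if raw == b"\x16\x03":       # TLS record: type 22 (handshake), version 3.x
        return "tls-handshake"
    if raw in HTTP_PREFIXES:     # plain HTTP request line
        return "http-request"
    if raw[0] & 0x80:            # heuristic: SSLv2 record headers set the top bit
        return "sslv2-style-hello"
    return "unknown"

def summarize(log_text):
    """Return {source_ip: sorted list of traffic kinds seen in bad-length warnings}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = BAD_LEN.search(line)
        if m:
            seen[m.group(1)].add(classify_length(int(m.group(2))))
    return {ip: sorted(kinds) for ip, kinds in seen.items()}

if __name__ == "__main__":
    for ip, kinds in summarize(SAMPLE_LOG).items():
        print(ip, ", ".join(kinds))
```

Sources that only ever produce these categories are talking HTTP or TLS to the port, not OpenVPN; a source that gets past the length check and into the OpenVPN handshake is the one worth a closer look.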
 
