SoftEther Server 'Under Attack'?

aboka
Posts: 30
Joined: Tue Mar 14, 2017 9:38 am

SoftEther Server 'Under Attack'?

Post by aboka » Thu Apr 30, 2020 12:42 pm

Hi, I have learned to set up a SoftEther server online using Ubuntu and all is working fine, with all default ports and settings and SecureNAT.

I have checked the log and found lots of 'probes' from unknown sources. I would like to ask: is this normal, and how could we protect against them?

Here are the logs:
.
.
.
2020-04-30 11:19:16.427 For the client (IP address: 178.62.18.197, host name: "178.62.18.197", port number: 23912), connection "CID-403" has been created.
2020-04-30 11:19:16.538 SSL communication for connection "CID-403" has been started. The encryption algorithm name is "AES128-SHA".
2020-04-30 11:19:16.753 Connection "CID-403" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).
2020-04-30 11:19:16.753 Connection "CID-403" has been terminated.
2020-04-30 11:19:16.753 The connection with the client (IP address 178.62.18.197, Port number 23912) has been disconnected.
2020-04-30 11:55:34.589 On the TCP Listener (Port 5555), a Client (IP address 83.97.20.34, Host name "34.20.97.83.ro.ovo.sc", Port number 26498) has connected.
2020-04-30 11:55:34.589 For the client (IP address: 83.97.20.34, host name: "34.20.97.83.ro.ovo.sc", port number: 26498), connection "CID-404" has been created.
2020-04-30 11:55:34.589 Connection "CID-404" has been terminated.
2020-04-30 11:55:34.589 The connection with the client (IP address 83.97.20.34, Port number 26498) has been disconnected.
2020-04-30 12:02:56.141 On the TCP Listener (Port 5555), a Client (IP address 185.202.2.132, Host name "185.202.2.132", Port number 62235) has connected.
2020-04-30 12:02:56.141 For the client (IP address: 185.202.2.132, host name: "185.202.2.132", port number: 62235), connection "CID-405" has been created.
2020-04-30 12:02:56.141 Connection "CID-405" has been terminated.
2020-04-30 12:02:56.141 The connection with the client (IP address 185.202.2.132, Port number 62235) has been disconnected.
2020-04-30 12:16:15.253 On the TCP Listener (Port 5555), a Client (IP address 202.130.114.22, Host name "202.130.114.22", Port number 47652) has connected.
2020-04-30 12:16:15.253 For the client (IP address: 202.130.114.22, host name: "202.130.114.22", port number: 47652), connection "CID-406" has been created.
2020-04-30 12:16:15.253 Connection "CID-406" has been terminated.
.
.
.
.
Thank you,
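
What these entries look like when triaged programmatically, as an added example that is not from the original post or from the SoftEther project: a small Python script that follows each connection by its CID through the messages quoted above and labels it either a bare TCP probe (created and torn down without any SSL handshake, like CID-404 to CID-406) or a non-SoftEther client that completed TLS and then spoke the wrong protocol (the "(code 5)" termination, like CID-403), and separately tallies the server's own "A DoS attack ... has been detected" messages per source. The log lines embedded in it are constructed to match the format quoted in this thread (addresses are documentation ranges, CIDs and timestamps are made up); the labels, the threshold and the meaning attached to code 5 are read off the posted lines, not taken from SoftEther documentation.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the format of the server_log excerpt quoted above; the CIDs,
# timestamps and addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
2020-04-30 11:19:16.427 For the client (IP address: 203.0.113.7, host name: "203.0.113.7", port number: 23912), connection "CID-403" has been created.
2020-04-30 11:19:16.538 SSL communication for connection "CID-403" has been started. The encryption algorithm name is "AES128-SHA".
2020-04-30 11:19:16.753 Connection "CID-403" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).
2020-04-30 11:19:16.753 Connection "CID-403" has been terminated.
2020-04-30 11:55:34.589 On the TCP Listener (Port 5555), a Client (IP address 198.51.100.9, Host name "198.51.100.9", Port number 26498) has connected.
2020-04-30 11:55:34.589 For the client (IP address: 198.51.100.9, host name: "198.51.100.9", port number: 26498), connection "CID-404" has been created.
2020-04-30 11:55:34.589 Connection "CID-404" has been terminated.
2020-04-30 11:56:01.100 For the client (IP address: 198.51.100.9, host name: "198.51.100.9", port number: 26510), connection "CID-405" has been created.
2020-04-30 11:56:01.101 Connection "CID-405" has been terminated.
2020-04-30 11:57:12.000 For the client (IP address: 198.51.100.9, host name: "198.51.100.9", port number: 26530), connection "CID-406" has been created.
2020-04-30 11:57:12.001 Connection "CID-406" has been terminated.
2020-04-30 12:07:01.902 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 203.0.113.50, port number is 52484. This connection will be forcefully disconnected now.
2020-04-30 12:07:01.903 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 203.0.113.50, port number is 52485. This connection will be forcefully disconnected now.
"""

# Message patterns taken from the lines quoted in this thread.
CREATED = re.compile(r'For the client \(IP address: ([\d.]+),.*connection "(CID-\d+)" has been created')
SSL_STARTED = re.compile(r'SSL communication for connection "(CID-\d+)" has been started')
CAUSE = re.compile(r'Connection "(CID-\d+)" terminated by the cause ".*" \(code (\d+)\)')
TERMINATED = re.compile(r'Connection "(CID-\d+)" has been terminated')
DOS = re.compile(r'A DoS attack on the TCP Listener \(port \d+\) has been detected\. '
                 r'The connecting source IP address is ([\d.]+)')

NON_SOFTETHER_CODE = 5  # the code on the "non-SoftEther VPN software has connected" line above
PROBE_LABELS = ("tcp-probe", "non-softether-client", "dos-detected")


def classify_connections(log_text):
    """Follow each CID from creation to teardown and label what the peer did."""
    conns = {}
    for line in log_text.splitlines():
        if m := CREATED.search(line):
            conns[m.group(2)] = {"ip": m.group(1), "ssl": False, "code": None, "closed": False}
        elif (m := SSL_STARTED.search(line)) and m.group(1) in conns:
            conns[m.group(1)]["ssl"] = True
        elif (m := CAUSE.search(line)) and m.group(1) in conns:
            conns[m.group(1)]["code"] = int(m.group(2))
        elif (m := TERMINATED.search(line)) and m.group(1) in conns:
            conns[m.group(1)]["closed"] = True
    for c in conns.values():
        c["label"] = _label(c)
    return conns


def _label(c):
    if not c["closed"]:
        return "open"                    # still connected at the end of the excerpt
    if c["code"] == NON_SOFTETHER_CODE:
        return "non-softether-client"    # finished TLS, then spoke something other than SoftEther's protocol
    if c["code"] is None and not c["ssl"]:
        return "tcp-probe"               # connected and left without even starting a TLS handshake
    return "other"


def summarize_by_source(log_text):
    """Per-source counts of each label, plus the server's own DoS-detection messages."""
    per_ip = defaultdict(Counter)
    for c in classify_connections(log_text).values():
        per_ip[c["ip"]][c["label"]] += 1
    for line in log_text.splitlines():
        if m := DOS.search(line):
            per_ip[m.group(1)]["dos-detected"] += 1
    return per_ip


def suspicious_sources(log_text, threshold=3):
    """Sources whose probe-like events reach the threshold: candidates for a firewall deny rule.
    A real client that fumbled one handshake shows up once; scanners come back repeatedly."""
    return {ip for ip, counts in summarize_by_source(log_text).items()
            if sum(counts[label] for label in PROBE_LABELS) >= threshold}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, counts in sorted(summarize_by_source(text).items()):
        print(f"{ip:16} {dict(counts)}")
    print("suspicious:", sorted(suspicious_sources(text, threshold=2)))
```

Pass it a file from the server's server_log directory to run it on real data. The point of keeping the two labels apart is that they are different animals: a bare TCP probe that never starts TLS is typically a port scanner or a mass-scanning service, while a peer that completes TLS and then fails with code 5 is talking HTTPS or another protocol at the listener; a single occurrence of either from one address is noise, repeated occurrences from the same address are what you would feed into a deny rule.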

MikeL
Posts: 8
Joined: Fri Jan 05, 2018 11:51 pm

Re: SoftEther Server 'Under Attack'?

Post by MikeL » Thu Apr 30, 2020 9:43 pm

I think you'll find that this is normal. My set up is on Windows but I see entries like yours in the server log every day.
Once you open up a port to allow connection requests you are opening yourself up to this kind of probing. In fact, earlier today I had a case where the server log entries covering less than 3 seconds of elapsed time had over a hundred entries of the following form:

2020-04-30 11:07:01.902 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 172.105.84.195, port number is 52484. This connection will be forcefully disconnected now.

The source IP address was the same in each case but the port number was different.

In my case the source IP addresses I want to allow to connect are known to me and I have SE Server configured to only accept connections from a list of known IP addresses; however, that does not stop connection attempts getting logged.
Based on today's events I added rules to my firewall to block Inbound connection requests so I should stop seeing all of these messages now.
Don't know if you can do the same thing in Ubuntu.

Good luck
Mike
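
The same allow-list approach on Ubuntu with ufw, as an added example that is not from the post or from the SoftEther project: it generates the ufw rules that restrict SoftEther's default TCP listener ports (443, 992, 1194 and 5555, as left in place by a default install) to known source addresses, and includes a small check that mirrors the resulting first-match policy so you can see what a given source would get before applying anything. The known-source list and the port subset used in the check are constructed for the example; ufw and the rule syntax are real, and the `really=True` path shells out to ufw and needs root. This only fits when the client addresses are static, which is the situation MikeL describes.

```python
import ipaddress
import shlex
import subprocess

# SoftEther's default TCP listener ports, as left in place in a default install.
LISTENER_PORTS = (443, 992, 1194, 5555)

# Constructed allow-list for this example (documentation ranges): one host and one /24.
KNOWN_SOURCES = ("203.0.113.10", "198.51.100.0/24")


def build_ufw_commands(known_sources, ports=LISTENER_PORTS, proto="tcp"):
    """Return the ufw commands that restrict the listener ports to known sources.

    ufw evaluates rules first-match in the order they were added, so every allow
    is emitted before the catch-all deny for the same port; reversing that order
    would silently block the known clients as well.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in known_sources]  # rejects typos early
    cmds = []
    for net in nets:
        for port in ports:
            cmds.append(f"ufw allow from {net} to any port {port} proto {proto}")
    for port in ports:
        cmds.append(f"ufw deny {port}/{proto}")
    return cmds


def is_permitted(src_ip, known_sources, port, ports=LISTENER_PORTS):
    """Mirror the policy build_ufw_commands() produces for one source/port pair.

    True/False for ports covered by the policy; None for ports it does not touch
    (those fall through to ufw's default policy, so keep SSH reachable separately).
    """
    if port not in ports:
        return None
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in known_sources)


def apply_rules(cmds, really=False):
    """Print the commands (dry run) or execute them via subprocess; the latter needs root."""
    for cmd in cmds:
        if really:
            subprocess.run(shlex.split(cmd), check=True)
        else:
            print(cmd)


if __name__ == "__main__":
    rules = build_ufw_commands(KNOWN_SOURCES)
    apply_rules(rules)  # review first; apply_rules(rules, really=True) under sudo to enforce
    for src in ("198.51.100.77", "192.0.2.1"):
        print(src, "-> port 5555:", is_permitted(src, KNOWN_SOURCES, 5555))
```

Two practical notes: add your SSH port (`ufw allow 22/tcp`, or whatever you use) before `ufw enable`, or the default policy will lock you out of the box, and a dropped packet at the firewall never reaches vpnserver, so the probe lines disappear from the SoftEther log as well, which is the effect MikeL describes.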

aboka
Posts: 30
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Fri May 01, 2020 12:56 pm

MikeL wrote:
Thu Apr 30, 2020 9:43 pm
I think you'll find that this is normal. My set up is on Windows but I see entries like yours in the server log every day.
Once you open up a port to allow connection requests you are opening yourself up to this kind of probing. In fact, earlier today I had a case where the server log entries covering less than 3 seconds of elapsed time had over a hundred entries of the following form:

2020-04-30 11:07:01.902 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 172.105.84.195, port number is 52484. This connection will be forcefully disconnected now.

The source IP address was the same in each case but the port number was different.

In my case the source IP addresses I want to allow to connect are known to me and I have SE Server configured to only accept connections from a list of known IP addresses; however, that does not stop connection attempts getting logged.
Based on today's events I added rules to my firewall to block Inbound connection requests so I should stop seeing all of these messages now.
Don't know if you can do the same thing in Ubuntu.

Good luck
Mike
Hi, thanks for the reply. It's the first time I saw 'DoS attack' logging, so I assume SE has some kind of mechanism to block those attacks (like blocking the IP etc. when an attack is detected).

I believe Ubuntu (a Linux-based OS) has a very strong firewall, but it is not easy to learn iptables/ufw/etc. as I'm not familiar with the OS. Even if I were familiar, this might not work in my case as the connecting clients are all using dynamic IPs.

Have you considered changing the default ports? Do you think that will be more secure?

P.S. Just did a search and found out that SE by default has this DoS Protection enabled. Very cool :)

cheers,

petttu
Posts: 2
Joined: Mon Jun 01, 2020 3:38 pm

Re: SoftEther Server 'Under Attack'?

Post by petttu » Mon Jun 01, 2020 5:03 pm

I actually have the same kind of problem; either I'm being DoSed or there is something strange going on. So my setup has a server with SoftEther, Piwigo and Plex. It has worked well for some time, until a few weeks ago when the network became really slow. I thought that our modem was dying, since rebooting the modem usually gives a day to a few days of "fast" operation for the network (and the previous modem did the same thing). But today I found out that my router has been overwhelmed with incoming connections, and that is the reason why it has been so slow. It turns out that there have been a number of (usually) Middle East connections that try to connect with that server, and they are literally just connecting to every single UDP port, and by doing that it just kills the speed as the router has trouble keeping up with it. I checked that those connections are trying to get to the server, since when I unplug it the status will change from assured to unreplied.

So just to be safe I have already changed passwords and disabled SoftEther (to keep the network working for other devices), but I am quite confused about the situation, since basically the dd-wrt router should kill those connections, because I had to do some port forwarding to get SoftEther to work, but there were only a few ports that are open. But then I don't think that any other program on the server uses OpenVPN, so that makes me think that maybe there is some wrong setting with SoftEther (and maybe with my router?). I don't have VPN Gate on, so I have no idea who or why there are so many connections. And SoftEther has users, and none of those has been active for these few weeks. Any ideas?

The picture is from the dd-wrt connections list (it goes on, but it gives some idea of what it looks like); basically there are 4000 connections (the max number), of which (maybe) 50-200 connections are from other devices on the network, and the rest are those OpenVPN UDP connections.

aboka
Posts: 30
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Mon Jun 01, 2020 5:35 pm

Hi, sorry, I have no idea and haven't heard of this before. Are you using a dynamic IP? If yes, I have no idea how they manage to 'track' your IP after you reboot your modem. Any chance it is from someone you know who previously had access to your ovpn file, so they have your dynamic DNS settings?

P.S. Perhaps you want to report it to your ISP since it happens so many times.

petttu
Posts: 2
Joined: Mon Jun 01, 2020 3:38 pm

Re: SoftEther Server 'Under Attack'?

Post by petttu » Mon Jun 01, 2020 6:33 pm

Well, yes, it's a dynamic IP address. I don't even know if they are "tracking" my address, because it's not the same IP address that is doing that; there are at least 10 of them, mainly from Saudi Arabia and Kuwait (sometimes Indonesia). Maybe I will try to unplug the modem for a longer time to be sure (because the IP does not change every time if it is a short reset).
I haven't given the ovpn file to anyone, but it does exist on the desktop of the server (for later purposes). But I am using dynamic DNS from SoftEther; if they are tracking that, it could be it, though I don't see any logins on the SoftEther side, so I don't think that they can get in. But I am a little worried about that "assured" status; maybe they could be getting in? I actually noticed that if SoftEther is running (but the session is offline) the status says assured, but if I close SoftEther completely the status is unreplied.

Yeah, maybe I should ask the ISP for advice; I just noticed it yesterday. And maybe a scan from Malwarebytes; Defender did not find anything.

aboka
Posts: 30
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Mon Jun 01, 2020 7:50 pm

Keep us updated, as I'm curious and would like to learn something. Good luck.

cheers,
