SoftEther Server 'Under Attack'?

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

SoftEther Server 'Under Attack'?

Post by aboka » Thu Apr 30, 2020 12:42 pm

Hi, I have learned to set up a SoftEther server online using Ubuntu and all is working fine, with all default ports and settings and SecureNAT.

I have checked the log and found lots of 'probes' from unknown sources. I would like to ask: is this normal, and how could we protect against them?

Here are the logs:
...
2020-04-30 11:19:16.427 For the client (IP address: 178.62.18.197, host name: "178.62.18.197", port number: 23912), connection "CID-403" has been created.
2020-04-30 11:19:16.538 SSL communication for connection "CID-403" has been started. The encryption algorithm name is "AES128-SHA".
2020-04-30 11:19:16.753 Connection "CID-403" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).
2020-04-30 11:19:16.753 Connection "CID-403" has been terminated.
2020-04-30 11:19:16.753 The connection with the client (IP address 178.62.18.197, Port number 23912) has been disconnected.
2020-04-30 11:55:34.589 On the TCP Listener (Port 5555), a Client (IP address 83.97.20.34, Host name "34.20.97.83.ro.ovo.sc", Port number 26498) has connected.
2020-04-30 11:55:34.589 For the client (IP address: 83.97.20.34, host name: "34.20.97.83.ro.ovo.sc", port number: 26498), connection "CID-404" has been created.
2020-04-30 11:55:34.589 Connection "CID-404" has been terminated.
2020-04-30 11:55:34.589 The connection with the client (IP address 83.97.20.34, Port number 26498) has been disconnected.
2020-04-30 12:02:56.141 On the TCP Listener (Port 5555), a Client (IP address 185.202.2.132, Host name "185.202.2.132", Port number 62235) has connected.
2020-04-30 12:02:56.141 For the client (IP address: 185.202.2.132, host name: "185.202.2.132", port number: 62235), connection "CID-405" has been created.
2020-04-30 12:02:56.141 Connection "CID-405" has been terminated.
2020-04-30 12:02:56.141 The connection with the client (IP address 185.202.2.132, Port number 62235) has been disconnected.
2020-04-30 12:16:15.253 On the TCP Listener (Port 5555), a Client (IP address 202.130.114.22, Host name "202.130.114.22", Port number 47652) has connected.
2020-04-30 12:16:15.253 For the client (IP address: 202.130.114.22, host name: "202.130.114.22", port number: 47652), connection "CID-406" has been created.
2020-04-30 12:16:15.253 Connection "CID-406" has been terminated.
...
Thank you,

MikeL
Posts: 8
Joined: Fri Jan 05, 2018 11:51 pm

Re: SoftEther Server 'Under Attack'?

Post by MikeL » Thu Apr 30, 2020 9:43 pm

I think you'll find that this is normal. My setup is on Windows, but I see entries like yours in the server log every day.
Once you open up a port to allow connection requests you are opening yourself up to this kind of probing. In fact, earlier today I had a case where the server log entries covering less than 3 seconds of elapsed time had over a hundred entries of the following form:

2020-04-30 11:07:01.902 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 172.105.84.195, port number is 52484. This connection will be forcefully disconnected now.

The source IP address was the same in each case but the port number was different.

In my case the source IP addresses I want to allow to connect are known to me, and I have SE Server configured to only accept connections from a list of known IP addresses; however, that does not stop connection attempts getting logged.
Based on today's events I added rules to my firewall to block inbound connection requests, so I should stop seeing all of these messages now.
I don't know if you can do the same thing in Ubuntu.

Good luck
Mike

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Fri May 01, 2020 12:56 pm

MikeL wrote:
Thu Apr 30, 2020 9:43 pm
I think you'll find that this is normal. My setup is on Windows, but I see entries like yours in the server log every day.
Once you open up a port to allow connection requests you are opening yourself up to this kind of probing. In fact, earlier today I had a case where the server log entries covering less than 3 seconds of elapsed time had over a hundred entries of the following form:

2020-04-30 11:07:01.902 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 172.105.84.195, port number is 52484. This connection will be forcefully disconnected now.

The source IP address was the same in each case but the port number was different.

In my case the source IP addresses I want to allow to connect are known to me, and I have SE Server configured to only accept connections from a list of known IP addresses; however, that does not stop connection attempts getting logged.
Based on today's events I added rules to my firewall to block inbound connection requests, so I should stop seeing all of these messages now.
I don't know if you can do the same thing in Ubuntu.

Good luck
Mike
Hi, thanks for the reply. It's the first time I saw 'DoS attack' logging, so I assume SE has some kind of mechanism to block those attacks (like blocking the IP etc. when it detects an attack).

I believe Ubuntu (a Linux-based OS) has a very strong firewall, but it is not easy to learn iptables/ufw/etc. as I'm not familiar with the OS. Even if I were familiar, this might not work in my case as the connecting clients are all using dynamic IPs.

Have you considered changing the default ports? Do you think that will be more secure?

P.S. - just did a search and found out that SE by default has this DoS Protection enabled. Very cool :)

cheers,

petttu
Posts: 4
Joined: Mon Jun 01, 2020 3:38 pm

Re: SoftEther Server 'Under Attack'?

Post by petttu » Mon Jun 01, 2020 5:03 pm

I actually have the same kind of problem; either I'm being DoSed or there is something strange going on. So my setup has a server with SoftEther, Piwigo and Plex. It had worked well for some time, until about a few weeks ago the network became really slow. I thought that our modem was dying, since rebooting the modem usually gives a day to a few days of "fast" operation for the network (and the previous modem did the same thing). But today I found out that my router has been overwhelmed with incoming connections, and that is the reason why it has been so slow. It turns out that there have been a number of (usually) Middle East connections that try to connect to that server, and they are literally just connecting to every single UDP port, and by doing that it just kills the speed as the router has trouble keeping up with it. I checked that those connections are trying to get to the server, since when I unplug it the status changes from assured to unreplied.

So just to be safe I have already changed passwords and disabled SoftEther (to keep the network working for other devices), but I am quite confused about the situation, since basically the dd-wrt router should kill those connections, because I had to do some port forwarding to get SoftEther to work, but there were only a few ports that are open. But then I don't think that any other program on the server uses OpenVPN, so that makes me think that maybe there is some wrong setting with SoftEther (and maybe with my router?). I don't have VPN Gate on, so I have no idea who or why there are so many connections. And SoftEther has users, and none of those has been active for these few weeks. Any ideas?

The picture is from the dd-wrt connections list (it goes on, but this gives some idea what it looks like); basically there are 4000 connections (the max number), of which (maybe) 50-200 connections are from other devices on the network, and the rest are those OpenVPN UDP connections.

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Mon Jun 01, 2020 5:35 pm

Hi, sorry, I have no idea and haven't heard of this before. Are you using a dynamic IP? If yes, I have no idea how they manage to 'track' your IP after you reboot your modem. Any chance it is from someone you know who had access to your ovpn file previously, so they have your dynamic DNS settings?

P.S. - perhaps you want to report it to your ISP since it happens so many times.

petttu
Posts: 4
Joined: Mon Jun 01, 2020 3:38 pm

Re: SoftEther Server 'Under Attack'?

Post by petttu » Mon Jun 01, 2020 6:33 pm

Well, yes, it's a dynamic IP address. I don't even know whether they are "tracking" my address, because it's not the same IP address that is doing that; there are at least 10 of them, mainly from Saudi Arabia and Kuwait (sometimes Indonesia). Maybe I will try to unplug the modem for a longer time to be sure (because the IP does not change every time if it is a short reset).
I haven't given the ovpn file to anyone, but it does exist on the desktop of the server (for later purposes). But I am using dynamic DNS from SoftEther; if they are tracking that, it could be it, but I don't see any logging in on the SoftEther side, so I don't think that they can get in. But I am a little worried about that "assured" status; maybe they could be getting in? I actually noticed that if SoftEther is running (but the session is offline), the status says assured, but if I close SoftEther completely the status is unreplied.

Yeah, maybe I should ask the ISP for advice; I just noticed it yesterday. And maybe a scan from Malwarebytes; Defender did not find anything.

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Mon Jun 01, 2020 7:50 pm

Keep us updated, as I'm curious and would like to learn something. Good luck.

cheers,

petttu
Posts: 4
Joined: Mon Jun 01, 2020 3:38 pm

Re: SoftEther Server 'Under Attack'?

Post by petttu » Tue Jun 02, 2020 9:36 pm

It finally stopped (after a few hours of SoftEther being closed), though today I started SoftEther again (before restarting the modem) but could not connect from my iPhone. Also, while troubleshooting that, I could not "see" any open UDP ports from outside; maybe the ISP shut the UDP ports down? The ISP was not helpful, because their (help) services are designed to be used by "limited minds"; the only advice was to reset the modem. But after I restarted the modem (with a 10 min wait time) there was some update (for the modem), since the modem booted in Router mode (usually I have it bridged, and a different dd-wrt router behind it), and after I set it back to bridged everything worked fine, no more connections from the Middle East, and all the software worked. The strange thing was that the IP address actually still stayed the same (though I'm not paying for a fixed one).
A few ideas: maybe there was some vulnerability in the modem provided by the ISP (that was fixed with the update (those updates are forced by the ISP)), and some group was trying to use it? But still, it should not affect dd-wrt or SoftEther (unless it was some kind of brute force vulnerability?).
Second idea: there was just some sort of DoS attack, and the ISP reacted to it. But then I still have the same IP, so why don't they just use different addresses if that was the aim?
Third idea is that maybe the modem was somehow misbehaving, "calling home", though I think that Sagemcom is a French company; surely I don't think that the Finnish ISP DNA has any business over the Middle East.

But for now the network is working well, no more strange connections, and everything, including SoftEther, is working fine. So it is resolved for now, I will update if something strange happens again.

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Wed Jun 03, 2020 8:04 am

Great to know that it has stopped. Hopefully it won't be back again. I used to use and like DD-WRT a lot, but I'm not playing with it anymore as the hardware is getting much better with the price coming down.

P.S. - regarding your ISP not changing your IP sometimes after a reboot, that's just 'normal', as it cycles automatically. Try shutting down for a longer period and probably you'll get a new one.

P.P.S. - even though it's not sure yet what caused this, at least we learn that this kind of attack exists ;)

cheers,

petttu
Posts: 4
Joined: Mon Jun 01, 2020 3:38 pm

Re: SoftEther Server 'Under Attack'?

Post by petttu » Wed Jun 03, 2020 7:59 pm

Well, there is a reason why I am using dd-wrt, and it is because without it the ISP modem just stops working within a week of use. With a different router behind the modem (and the modem bridged) it has worked flawlessly for several years. The router I actually dumpster dived.

But there is an update: it started again. The router basically jammed again, not even getting to the login page (without restarting). I noticed that if I connect to the modem directly, the ISP line actually works fine, no lag at all. So the fault is in the router (or its ability to route the traffic), which is still interesting, and again after I shut down SoftEther the status changed from assured -> unreplied.

I think I will try another router which has a more powerful CPU (and more RAM), but I cannot install dd-wrt on it, so I don't really know what's going on. I think it has a CPU monitor, so that should at least indicate if it is struggling with traffic. And of course if it does not slow down after a few days maybe it will solve my problems. Though I'm still worried that maybe just adding more power to the router does not solve the actual problem, which is the connections, but rather just has enough power to "comply" with them. I don't know, maybe I could use some other software to check what is moving between the router and the server (Wireshark was on my mind, but I haven't used it before)? But I will still test the other router to see if the behavior changes.

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Thu Jun 04, 2020 8:46 am

Hmmm, not good :/ Hopefully you can solve them soon for real. Wireshark also popped into my mind while reading your post, but I'm not sure as I'm no expert in that. But you should have some kind of logging in your device, just that it might not be as detailed. Good luck!

Gerard1
Posts: 15
Joined: Thu May 14, 2020 10:49 am

Re: SoftEther Server 'Under Attack'?

Post by Gerard1 » Fri Jun 05, 2020 6:52 am

2020-04-30 11:19:16.427
2020-04-30 11:55:34.589
2020-04-30 12:02:56.141

It seems that the connections are not too frequent.
I don't think this is a targeted attack, probably some hackers scanning open ports. If you check the attacker's IP you will see this: https://www.abuseipdb.com/check/83.97.20.34

You can ban these IPs via iptables in Ubuntu,
just like this:
sudo iptables -t filter -A INPUT -s 83.97.20.34 -j DROP
The firewall on Ubuntu will discard all incoming connections from this IP.

aboka
Posts: 44
Joined: Tue Mar 14, 2017 9:38 am

Re: SoftEther Server 'Under Attack'?

Post by aboka » Fri Jun 05, 2020 7:07 am

@Gerard1 thanks for the info. You mentioned that the IP is not that frequent; how much would you consider frequent?

And could you please explain what the switch in the rule means: '-t filter'?
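The probe pattern in aboka's log excerpt (a non-SoftEther client on the port, and connections opened and closed in the same millisecond with no TLS handshake), the "DoS attack ... detected" line MikeL quoted, and Gerard1's iptables rule fit together as one small defender-side script: count those events per source IP and emit the matching DROP rule for the noisy ones. The following is an added example written for this thread; it is not SoftEther's own code and was not supplied by any poster. The log lines are constructed in the same message formats as the ones quoted above, using documentation (TEST-NET) addresses, and the scoring threshold is an assumption rather than any SoftEther setting.

```python
"""Summarise SoftEther server-log probe activity per source IP and turn the
noisy sources into iptables rules.

Added example for this thread, not SoftEther's code. The sample log is
constructed to follow the message formats quoted in the thread.
"""
import re
from collections import Counter, defaultdict

# One regex per event type seen in the thread's log excerpts.
CREATED_RE = re.compile(
    r'For the client \(IP address: (?P<ip>[\d.]+), host name: "[^"]*", '
    r'port number: \d+\), connection "(?P<cid>CID-\d+)" has been created\.'
)
SSL_RE = re.compile(
    r'SSL communication for connection "(?P<cid>CID-\d+)" has been started\.'
)
NON_SE_RE = re.compile(
    r'Connection "(?P<cid>CID-\d+)" terminated by the cause '
    r'"A client which is non-SoftEther VPN software has connected to the port\."'
)
TERM_RE = re.compile(r'Connection "(?P<cid>CID-\d+)" has been terminated\.')
DOS_RE = re.compile(
    r'A DoS attack on the TCP Listener \(port \d+\) has been detected\. '
    r'The connecting source IP address is (?P<ip>[\d.]+), port number is \d+\.'
)

# Constructed sample in the thread's format (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """
2020-04-30 11:19:16.427 For the client (IP address: 203.0.113.10, host name: "203.0.113.10", port number: 23912), connection "CID-403" has been created.
2020-04-30 11:19:16.538 SSL communication for connection "CID-403" has been started. The encryption algorithm name is "AES128-SHA".
2020-04-30 11:19:16.753 Connection "CID-403" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).
2020-04-30 11:19:16.753 Connection "CID-403" has been terminated.
2020-04-30 11:55:34.589 For the client (IP address: 198.51.100.7, host name: "198.51.100.7", port number: 26498), connection "CID-404" has been created.
2020-04-30 11:55:34.589 Connection "CID-404" has been terminated.
2020-04-30 12:02:56.141 For the client (IP address: 198.51.100.7, host name: "198.51.100.7", port number: 62235), connection "CID-405" has been created.
2020-04-30 12:02:56.141 Connection "CID-405" has been terminated.
2020-04-30 12:05:01.902 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 198.51.100.7, port number is 52484. This connection will be forcefully disconnected now.
2020-04-30 12:16:15.253 For the client (IP address: 203.0.113.25, host name: "203.0.113.25", port number: 47652), connection "CID-406" has been created.
2020-04-30 12:16:15.253 SSL communication for connection "CID-406" has been started. The encryption algorithm name is "AES128-SHA".
2020-04-30 12:16:16.000 Connection "CID-406" has been terminated.
"""


def summarise(lines):
    """Per-IP event counts: created, ssl, non_softether, no_handshake, dos.

    "no_handshake" counts connections closed before any TLS handshake began,
    the open-and-close-in-the-same-millisecond pattern CID-404 to CID-406
    show in the thread's excerpt.
    """
    cid_ip = {}            # connection id -> source IP
    tls_started = set()    # connection ids that reached the TLS handshake
    stats = defaultdict(Counter)
    for line in lines:
        if m := CREATED_RE.search(line):
            cid_ip[m["cid"]] = m["ip"]
            stats[m["ip"]]["created"] += 1
        elif m := SSL_RE.search(line):
            tls_started.add(m["cid"])
            stats[cid_ip.get(m["cid"], "?")]["ssl"] += 1
        elif m := NON_SE_RE.search(line):
            stats[cid_ip.get(m["cid"], "?")]["non_softether"] += 1
        elif m := TERM_RE.search(line):
            if m["cid"] not in tls_started:
                stats[cid_ip.get(m["cid"], "?")]["no_handshake"] += 1
        elif m := DOS_RE.search(line):
            stats[m["ip"]]["dos"] += 1
    return {ip: dict(c) for ip, c in stats.items()}


def suspect_ips(stats, threshold=2):
    """IPs whose suspicious events (non-SoftEther client, no handshake, DoS
    detection) reach the threshold; the threshold value is an assumption."""
    def score(c):
        return c.get("non_softether", 0) + c.get("no_handshake", 0) + c.get("dos", 0)
    return sorted(ip for ip, c in stats.items() if ip != "?" and score(c) >= threshold)


def drop_rules(ips):
    """iptables commands in the form Gerard1 posted. '-t filter' selects the
    packet-filtering table (it is the default table, so the flag can be
    omitted); '-A INPUT' appends to the chain for packets addressed to this
    host; '-j DROP' discards matching packets without replying."""
    return [f"iptables -t filter -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.strip().splitlines())
    for ip, counts in stats.items():
        print(ip, counts)
    for rule in drop_rules(suspect_ips(stats)):
        print("sudo", rule)
```

To run it over a real log, pass `open(path).read().splitlines()` to `summarise`, where `path` is your server log file (the location depends on where you installed vpnserver). Two caveats a practitioner would add: rules appended with `iptables -A` are lost at reboot unless saved by a persistence mechanism such as the iptables-persistent package, and, as aboka noted, blocking individual addresses does nothing for a scanner that rotates sources, which is why MikeL's approach of allowing only known client addresses is the stronger control when clients have fixed IPs.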
