Being able to remotely connect to my home network over VPN has always been on my ‘nice to have’ list. It allows easier access to resources and direct ssh (rather then hoping through the gateway). I have recently updated the OpenBSD server I used for VPN to 6.0 and thought I would share the configuration and settings.
In an effort to improve monitoring, I setup an ELK (Elasticsearch, Logstash, Kibana) server and setup my different servers to forward their logs. Filebeat is typically installed on the servers to do the forwarding and normally this installation is pretty straight forward.
However, Filebeat is dependent on Go 1.7 and OpenBSD 6.0 only provides 1.6 as a binary package.
The following steps will setup an OpenBSD ports build machine, update the ports to current, build the required packages; then copy the packages to the target OpenBSD server, install the packages, install and configure Filebeat.
If you have ever had a server exposed to the Internet, you will often see attempts to login to ssh on port 22.
After improving my log monitoring, these login attempts annoyed me enough to take action. So I installed Fail2ban.
Fail2ban monitors logs and will add ip addresses to your firewall to block based on rules. Fail2ban is written in Python and available for several platforms and can monitor different logs (not just ssh).
I have setup Fail2ban to watch for 3 failed logins (one failed login will allow 3 password attempts) and then block that IP address for 1 day.
The following instructions are for:
The instructions also assume that you have an OpenBSD server running with ssh port 22 exposed to the Internet and use Packet Filter (PF) for your firewall.