firewall breach


#1

I set up a VPN server on my VyOS and after some time I noticed that someone is getting access to my VyOS.
Part of auth.log

Mar 10 15:54:09 hostname1 sshd[10658]: pam_unix(sshd:session): session closed for user alturew
Mar 10 16:17:01 hostname1 CRON[11463]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 16:17:01 hostname1 CRON[11463]: pam_unix(cron:session): session closed for user root
Mar 10 17:17:01 hostname1 CRON[11609]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 17:17:01 hostname1 CRON[11609]: pam_unix(cron:session): session closed for user root
Mar 10 18:17:01 hostname1 CRON[11735]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 18:17:01 hostname1 CRON[11735]: pam_unix(cron:session): session closed for user root
Mar 10 19:17:01 hostname1 CRON[11863]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 19:17:01 hostname1 CRON[11863]: pam_unix(cron:session): session closed for user root
Mar 10 20:17:01 hostname1 CRON[11996]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 20:17:01 hostname1 CRON[11996]: pam_unix(cron:session): session closed for user root
Mar 10 21:17:01 hostname1 CRON[12122]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 21:17:01 hostname1 CRON[12122]: pam_unix(cron:session): session closed for user root
Mar 10 22:02:56 hostname1 pluto[11306]: packet from 93.174.95.106:4500: initial Main Mode message received on 130.0.34.184:4500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 10 22:17:01 hostname1 CRON[12251]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 22:17:01 hostname1 CRON[12251]: pam_unix(cron:session): session closed for user root
Mar 10 23:17:01 hostname1 CRON[12378]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 23:17:01 hostname1 CRON[12378]: pam_unix(cron:session): session closed for user root
Mar 11 00:17:01 hostname1 CRON[12506]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 00:17:01 hostname1 CRON[12506]: pam_unix(cron:session): session closed for user root
Mar 11 01:17:01 hostname1 CRON[12632]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 01:17:01 hostname1 CRON[12632]: pam_unix(cron:session): session closed for user root
Mar 11 02:17:01 hostname1 CRON[12758]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 02:17:01 hostname1 CRON[12758]: pam_unix(cron:session): session closed for user root
Mar 11 03:17:01 hostname1 CRON[12884]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 03:17:01 hostname1 CRON[12884]: pam_unix(cron:session): session closed for user root
Mar 11 04:00:15 hostname1 pluto[11306]: packet from 216.218.206.122:2542: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 11 04:17:01 hostname1 CRON[13012]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 04:17:01 hostname1 CRON[13012]: pam_unix(cron:session): session closed for user root
Mar 11 05:17:02 hostname1 CRON[13138]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 05:17:02 hostname1 CRON[13138]: pam_unix(cron:session): session closed for user root
Mar 11 06:17:01 hostname1 CRON[13264]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 06:17:01 hostname1 CRON[13264]: pam_unix(cron:session): session closed for user root
Mar 11 06:25:01 hostname1 CRON[13286]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: Successful su for www-data by root
Mar 11 06:30:31 hostname1 su[13371]: + ??? root:www-data
Mar 11 06:30:31 hostname1 su[13371]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: pam_unix(su:session): session closed for user www-data
Mar 11 06:30:31 hostname1 su[13376]: Successful su for www-data by root
Mar 11 06:30:31 hostname1 su[13376]: + ??? root:www-data
Mar 11 06:30:31 hostname1 su[13376]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 11 06:30:31 hostname1 su[13376]: pam_unix(su:session): session closed for user www-data
Mar 11 06:30:32 hostname1 CRON[13286]: pam_unix(cron:session): session closed for user root
Mar 11 07:17:01 hostname1 CRON[13558]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 07:17:01 hostname1 CRON[13558]: pam_unix(cron:session): session closed for user root
Mar 11 08:17:01 hostname1 CRON[13686]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 08:17:01 hostname1 CRON[13686]: pam_unix(cron:session): session closed for user root
Mar 11 09:17:01 hostname1 CRON[13812]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 09:17:01 hostname1 CRON[13812]: pam_unix(cron:session): session closed for user root
Mar 11 10:17:01 hostname1 CRON[13939]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 10:17:01 hostname1 CRON[13939]: pam_unix(cron:session): session closed for user root
Mar 11 11:17:01 hostname1 CRON[14068]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 11:17:01 hostname1 CRON[14068]: pam_unix(cron:session): session closed for user root
Mar 11 12:17:01 hostname1 CRON[14196]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 12:17:01 hostname1 CRON[14196]: pam_unix(cron:session): session closed for user root
Mar 11 13:17:01 hostname1 CRON[14326]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 13:17:01 hostname1 CRON[14326]: pam_unix(cron:session): session closed for user root
Mar 11 14:17:01 hostname1 CRON[14453]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 14:17:01 hostname1 CRON[14453]: pam_unix(cron:session): session closed for user root
Mar 11 15:17:01 hostname1 CRON[14581]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 15:17:01 hostname1 CRON[14581]: pam_unix(cron:session): session closed for user root
Mar 11 16:17:01 hostname1 CRON[14710]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 16:17:01 hostname1 CRON[14710]: pam_unix(cron:session): session closed for user root
Mar 11 17:17:01 hostname1 CRON[14844]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 17:17:01 hostname1 CRON[14844]: pam_unix(cron:session): session closed for user root
Mar 11 18:17:01 hostname1 CRON[14973]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 18:17:01 hostname1 CRON[14973]: pam_unix(cron:session): session closed for user root
Mar 11 19:17:01 hostname1 CRON[15100]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 19:17:01 hostname1 CRON[15100]: pam_unix(cron:session): session closed for user root
Mar 11 20:17:01 hostname1 CRON[15236]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 20:17:01 hostname1 CRON[15236]: pam_unix(cron:session): session closed for user root
Mar 11 21:17:01 hostname1 CRON[15364]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 21:17:01 hostname1 CRON[15364]: pam_unix(cron:session): session closed for user root
Mar 11 22:17:01 hostname1 CRON[15490]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 22:17:01 hostname1 CRON[15490]: pam_unix(cron:session): session closed for user root
Mar 11 23:17:01 hostname1 CRON[15619]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 23:17:01 hostname1 CRON[15619]: pam_unix(cron:session): session closed for user root
Mar 12 00:17:01 hostname1 CRON[15746]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 00:17:01 hostname1 CRON[15746]: pam_unix(cron:session): session closed for user root
Mar 12 00:57:01 hostname1 CRON[15834]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 00:57:01 hostname1 CRON[15834]: pam_unix(cron:session): session closed for user root
Mar 12 01:17:01 hostname1 CRON[15880]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 01:17:01 hostname1 CRON[15880]: pam_unix(cron:session): session closed for user root
Mar 12 02:17:01 hostname1 CRON[16010]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 02:17:02 hostname1 CRON[16010]: pam_unix(cron:session): session closed for user root
Mar 12 03:17:01 hostname1 CRON[16146]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 03:17:01 hostname1 CRON[16146]: pam_unix(cron:session): session closed for user root
Mar 12 03:21:12 hostname1 pluto[11306]: packet from 216.218.206.66:60333: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 12 04:17:01 hostname1 CRON[16273]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 04:17:01 hostname1 CRON[16273]: pam_unix(cron:session): session closed for user root
Mar 12 05:17:01 hostname1 CRON[16399]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 05:17:01 hostname1 CRON[16399]: pam_unix(cron:session): session closed for user root
Mar 12 06:17:01 hostname1 CRON[16525]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 06:17:01 hostname1 CRON[16525]: pam_unix(cron:session): session closed for user root
Mar 12 06:25:01 hostname1 CRON[16547]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 06:44:32 hostname1 su[16631]: Successful su for www-data by root
Mar 12 06:44:32 hostname1 su[16631]: + ??? root:www-data
Mar 12 06:44:32 hostname1 su[16631]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 12 06:44:32 hostname1 su[16631]: pam_unix(su:session): session closed for user www-data
Mar 12 06:44:32 hostname1 su[16636]: Successful su for www-data by root
Mar 12 06:44:32 hostname1 su[16636]: + ??? root:www-data
Mar 12 06:44:32 hostname1 su[16636]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 12 06:44:32 hostname1 su[16636]: pam_unix(su:session): session closed for user www-data
Mar 12 06:44:32 hostname1 CRON[16547]: pam_unix(cron:session): session closed for user root
Mar 12 06:47:01 hostname1 CRON[16689]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 06:47:03 hostname1 CRON[16689]: pam_unix(cron:session): session closed for user root
Mar 12 07:17:01 hostname1 CRON[16761]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 07:17:01 hostname1 CRON[16761]: pam_unix(cron:session): session closed for user root
Mar 12 08:17:01 hostname1 CRON[16891]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 08:17:01 hostname1 CRON[16891]: pam_unix(cron:session): session closed for user root
Mar 12 09:17:01 hostname1 CRON[17022]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 09:17:01 hostname1 CRON[17022]: pam_unix(cron:session): session closed for user root
Mar 12 10:17:01 hostname1 CRON[17149]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 10:17:01 hostname1 CRON[17149]: pam_unix(cron:session): session closed for user root
Mar 12 11:17:01 hostname1 CRON[17282]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 11:17:01 hostname1 CRON[17282]: pam_unix(cron:session): session closed for user root
Mar 12 12:17:01 hostname1 CRON[17416]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 12:17:01 hostname1 CRON[17416]: pam_unix(cron:session): session closed for user root
Mar 12 13:17:01 hostname1 CRON[17542]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 13:17:02 hostname1 CRON[17542]: pam_unix(cron:session): session closed for user root
Mar 12 14:17:01 hostname1 CRON[17670]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 14:17:01 hostname1 CRON[17670]: pam_unix(cron:session): session closed for user root
Mar 12 15:17:01 hostname1 CRON[17798]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 15:17:01 hostname1 CRON[17798]: pam_unix(cron:session): session closed for user root
Mar 12 16:17:01 hostname1 CRON[17925]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 16:17:01 hostname1 CRON[17925]: pam_unix(cron:session): session closed for user root
Mar 12 17:17:01 hostname1 CRON[18052]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 17:17:01 hostname1 CRON[18052]: pam_unix(cron:session): session closed for user root
Mar 12 18:17:01 hostname1 CRON[18180]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 18:17:01 hostname1 CRON[18180]: pam_unix(cron:session): session closed for user root
Mar 12 19:17:01 hostname1 CRON[18307]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 19:17:01 hostname1 CRON[18307]: pam_unix(cron:session): session closed for user root
Mar 12 20:17:01 hostname1 CRON[18440]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 20:17:01 hostname1 CRON[18440]: pam_unix(cron:session): session closed for user root
Mar 12 21:17:01 hostname1 CRON[18567]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 21:17:01 hostname1 CRON[18567]: pam_unix(cron:session): session closed for user root
Mar 12 22:17:01 hostname1 CRON[18695]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 22:17:01 hostname1 CRON[18695]: pam_unix(cron:session): session closed for user root
Mar 12 22:30:26 hostname1 pluto[11306]: packet from 89.248.172.16:500: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 12 23:17:01 hostname1 CRON[18825]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 23:17:01 hostname1 CRON[18825]: pam_unix(cron:session): session closed for user root
Mar 13 00:17:01 hostname1 CRON[18953]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 00:17:01 hostname1 CRON[18953]: pam_unix(cron:session): session closed for user root
Mar 13 01:17:01 hostname1 CRON[19081]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 01:17:01 hostname1 CRON[19081]: pam_unix(cron:session): session closed for user root
Mar 13 02:17:01 hostname1 CRON[19207]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 02:17:01 hostname1 CRON[19207]: pam_unix(cron:session): session closed for user root
Mar 13 03:17:01 hostname1 CRON[19334]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 03:17:01 hostname1 CRON[19334]: pam_unix(cron:session): session closed for user root
Mar 13 03:17:48 hostname1 pluto[11306]: packet from 216.218.206.70:28188: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 13 04:17:01 hostname1 CRON[19461]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 04:17:01 hostname1 CRON[19461]: pam_unix(cron:session): session closed for user root
Mar 13 05:17:01 hostname1 CRON[19592]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 05:17:01 hostname1 CRON[19592]: pam_unix(cron:session): session closed for user root
Mar 13 06:17:01 hostname1 CRON[19718]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 06:17:01 hostname1 CRON[19718]: pam_unix(cron:session): session closed for user root
Mar 13 06:25:01 hostname1 CRON[19740]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 06:52:25 hostname1 su[19839]: Successful su for www-data by root
Mar 13 06:52:25 hostname1 su[19839]: + ??? root:www-data
Mar 13 06:52:25 hostname1 su[19839]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 13 06:52:25 hostname1 su[19839]: pam_unix(su:session): session closed for user www-data
Mar 13 06:52:25 hostname1 su[19844]: Successful su for www-data by root
Mar 13 06:52:25 hostname1 su[19844]: + ??? root:www-data
Mar 13 06:52:25 hostname1 su[19844]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 13 06:52:25 hostname1 su[19844]: pam_unix(su:session): session closed for user www-data
Mar 13 06:52:26 hostname1 CRON[19740]: pam_unix(cron:session): session closed for user root
Mar 13 07:17:01 hostname1 CRON[19941]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 07:17:01 hostname1 CRON[19941]: pam_unix(cron:session): session closed for user root
Mar 13 08:17:01 hostname1 CRON[20070]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 08:17:01 hostname1 CRON[20070]: pam_unix(cron:session): session closed for user root

Part of messages

Mar 10 22:02:56 hostname1 pluto[11306]: packet from 93.174.95.106:4500: initial Main Mode message received on XXX.XXX.XXX.XXX:4500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 11 04:00:15 hostname1 pluto[11306]: packet from 216.218.206.122:2542: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
Mar 12 03:21:12 hostname1 pluto[11306]: packet from 216.218.206.66:60333: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
Mar 12 22:30:26 hostname1 pluto[11306]: packet from 89.248.172.16:500: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 13 03:17:48 hostname1 pluto[11306]: packet from 216.218.206.70:28188: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized

My local firewall rule:

show firewall name wan_local
 default-action drop
 rule 1 {
     action drop
     protocol icmp
 }
 rule 3 {
     action drop
     destination {
         port 22,23,20,21
     }
     protocol tcp_udp
 }
 rule 4 {
     action drop
     destination {
         port ssh
     }
     protocol tcp_udp
 }
 rule 5 {
     action drop
     destination {
         port 23
     }
     protocol tcp_udp
 }
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 40 {
     action accept
     disable
     protocol esp
 }
 rule 41 {
     action accept
     destination {
         port 500
     }
     protocol udp
 }
 rule 42 {
     action accept
     destination {
         port 4500
     }
     protocol udp
 }
 rule 43 {
     action accept
     destination {
         port 1701
     }
     protocol udp
 }

My ssh setup:

show service ssh
 listen-address 192.168.1.1
 port 9355

What did I miss?


#2

“but no connection has been authorized” suggests to me that they are knocking on your door, but not getting in. For VPN you opened up some ports; it’s “normal” to see those ports receive traffic like this.

On a site2site tunnel you might configure source IPs on the UDP 500 and 4500 rules, but for remote access you can’t.
(I’m running openvpn, and intend to use country blocking on the WAN_LOCAL rule to allow VPN access only from my country.)
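
The log excerpt in #1 and the source-address restriction suggested in #2, as an added Python example that is not from this thread: it parses syslog lines in the format the poster shows (the sample below is constructed from the pluto, cron and su entries in the post, with the local address left redacted as in the "messages" excerpt), lists the unauthorized IKE Main Mode probes per source address, checks for each successful su whether a root CRON session was open at that moment, and then models what a UDP 500/4500 rule restricted to an allow-list of source networks would do to those probes. The allow-list 203.0.113.0/24 is a hypothetical site-to-site peer range, not something from the thread.

```python
"""Triage of a VyOS/pluto auth.log excerpt and a model of a source-restricted IKE rule.

Added example, not code from the thread. SAMPLE_LOG is constructed from the
entries the poster shows; the allow-list used at the bottom is hypothetical.
"""
import re
import ipaddress
from collections import Counter

# Constructed sample in the poster's syslog format (local address redacted as in the post).
SAMPLE_LOG = """\
Mar 10 15:54:09 hostname1 sshd[10658]: pam_unix(sshd:session): session closed for user alturew
Mar 10 16:17:01 hostname1 CRON[11463]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 16:17:01 hostname1 CRON[11463]: pam_unix(cron:session): session closed for user root
Mar 10 22:02:56 hostname1 pluto[11306]: packet from 93.174.95.106:4500: initial Main Mode message received on XXX.XXX.XXX.XXX:4500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 11 04:00:15 hostname1 pluto[11306]: packet from 216.218.206.122:2542: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
Mar 11 06:25:01 hostname1 CRON[13286]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: Successful su for www-data by root
Mar 11 06:30:31 hostname1 su[13371]: + ??? root:www-data
Mar 11 06:30:31 hostname1 su[13371]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: pam_unix(su:session): session closed for user www-data
Mar 11 06:30:32 hostname1 CRON[13286]: pam_unix(cron:session): session closed for user root
Mar 12 03:21:12 hostname1 pluto[11306]: packet from 216.218.206.66:60333: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
Mar 12 22:30:26 hostname1 pluto[11306]: packet from 89.248.172.16:500: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 13 03:17:48 hostname1 pluto[11306]: packet from 216.218.206.70:28188: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
"""

# "Mon DD HH:MM:SS host prog[pid]: message" -- lines without a pid are skipped.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pluto's rejection of an IKEv1 Main Mode proposal from a peer no connection is configured for.
PROBE_RE = re.compile(
    r"packet from (?P<src>[\d.]+):(?P<sport>\d+): initial Main Mode message received on "
    r"[^\s:]+:(?P<dport>\d+) but no connection has been authorized"
)
SU_RE = re.compile(r"Successful su for (?P<target>\S+) by (?P<by>\S+)")


def parse(log_text):
    """Yield one dict per well-formed syslog line, in file order."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def ike_probes(log_text):
    """Unauthorized IKE Main Mode proposals as (source ip, source port, local port)."""
    probes = []
    for rec in parse(log_text):
        if rec["prog"] != "pluto":
            continue
        m = PROBE_RE.search(rec["msg"])
        if m:
            probes.append((m["src"], int(m["sport"]), int(m["dport"])))
    return probes


def su_events(log_text):
    """Each successful su as (timestamp, target user, calling user, open root CRON pid or None).

    A CRON 'session opened for user root' ... 'session closed for user root' pair
    brackets whatever that job ran; an su that falls inside such a pair is attributed
    to the cron pid, an su with no open cron session gets None and deserves a manual look.
    """
    open_cron = set()
    events = []
    for rec in parse(log_text):
        msg = rec["msg"]
        if rec["prog"] == "CRON" and "session opened for user root" in msg:
            open_cron.add(rec["pid"])
        elif rec["prog"] == "CRON" and "session closed for user root" in msg:
            open_cron.discard(rec["pid"])
        elif rec["prog"] == "su":
            m = SU_RE.search(msg)
            if m:
                cron_pid = min(open_cron, key=int) if open_cron else None
                events.append((rec["ts"], m["target"], m["by"], cron_pid))
    return events


def apply_source_filter(probes, allowed_cidrs):
    """Model a UDP 500/4500 accept rule restricted to allowed source networks.

    Returns {source ip: "accept" | "drop"}: "drop" means the proposal would never
    have reached pluto, so it would not show up in the log at all.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    verdict = {}
    for src, _sport, _dport in probes:
        addr = ipaddress.ip_address(src)
        verdict[src] = "accept" if any(addr in n for n in nets) else "drop"
    return verdict


def report(log_text, allowed_cidrs):
    probes = ike_probes(log_text)
    return {
        "probes_per_source": dict(Counter(src for src, _, _ in probes)),
        "verdict": apply_source_filter(probes, allowed_cidrs),
        "su_outside_cron": [e for e in su_events(log_text) if e[3] is None],
    }


if __name__ == "__main__":
    # Hypothetical peer range for a site-to-site tunnel (documentation prefix, not from the thread).
    for key, value in report(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(key, value)
```

Run as a script it prints the report for the constructed sample: five probes from five sources, all of which a rule restricted to 203.0.113.0/24 would drop, and an empty `su_outside_cron` list because the sample's su sits between CRON[13286] opening at 06:25:01 and closing at 06:30:32. On a real box feed it the contents of /var/log/auth.log instead. The modelled restriction corresponds to adding `source address <peer-network>` to rules 41 and 42 of wan_local, which, as #2 says, only works when the peers are fixed, as with a site-to-site tunnel.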


#3

Thank you for the explanation, I’ll try blocking all VPN connections except my country’s IP addresses for additional security.
Regards,
Nufay.