Fail2Ban

Nobody
Posts: 10
Joined: Mon Aug 08, 2016 7:13 am

Fail2Ban

Post by Nobody » Mon Oct 03, 2016 1:44 pm

Is there anybody who is using fail2ban with SoftEther? Could somebody please tell me how to set up fail2ban? I'm a real beginner and I don't really know fail2ban or regex...

ghfatw
Posts: 6
Joined: Mon Jul 18, 2016 6:34 am

Re: Fail2Ban

Post by ghfatw » Fri Oct 07, 2016 9:28 am

I asked the same question a few months ago and no one answered. In principle it should be possible, but the structure of the log files and how they are saved make it not so simple to do, in my view.

Nobody
Posts: 10
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Fri Oct 07, 2016 11:38 am

Yeah, I think so too, that's why I asked. I somehow managed to get SE to log into only one security log file. That could be significantly important. But I don't know regular expressions very well. But http://reddit.com/u/quixrick is helping me. I think the filter is almost finished. But the other problems, not now...

Nobody
Posts: 10
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Fri Oct 14, 2016 7:22 pm

I think I have managed to get fail2ban working. What you must know is, you MUST have a fail2ban version higher than 0.9.*. With the current version in the Debian repos it wouldn't work. I want to say thanks to quixrick, who helped me very much. http://reddit.com/u/quixrick Thanks for the good explanations and the regex.
So let's start.

First make sure you don't have a version of fail2ban on your Debian machine. And please remove if it is installed:
sudo apt-get remove fail2ban
then connect to your SoftEther VPN server with the SoftEther VPN Server Manager (Windows tested) download from here: http://www.softether-download.com/en.as ... =softether
Then login to your VPN server with your Admin password.
Then double click on your virtual hub and in the window that opens click on "Log save Setting".
In the next window check the box "Save Security Log" if it is unselected. Next click the "Log file Switch Cycle" select box and choose "No switching". Next click the exit buttons at the bottom of the windows until all of them are closed.
Next login to your VPN server if possible with root / Admin rights
then change to your home directory with
cd
then make a directory for the download of fail2ban:
mkdir f2bdownload
Then go into this directory
cd f2bdownload
and download fail2ban currently 0.9.5:
wget https://github.com/fail2ban/fail2ban/ar ... 9.5.tar.gz
then unpack it:
tar -xzf 0.9.*
And delete the tar:
rm 0.9.*
then change into the directory
cd fail2ban*
And install fail2ban
python setup.py install
So fail2ban should work now, but the init system needs a script to start and stop fail2ban properly. Fail2ban provides one, which you install like this:
cd files
sudo cp debian-initd /etc/init.d/fail2ban
And make it executable:
chmod 755 /etc/init.d/fail2ban
Now Reboot and check if fail2ban works properly.
sudo reboot
Now add a fail2ban filter:
sudo nano /etc/fail2ban/filter.d/vpnserver.conf
paste this in the editor or download it from GitHub: https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e

[code]
# Fail2Ban filter for SoftEther authentication failures
#
# Thanks to quixrick from Reddit! https://reddit.com/u/quixrick

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

# Enable multi-line support. Doesn't work with versions < 0.9
[Init]
maxlines = 2

# The regular expression filter follows
[Definition]

# A failed login shows up as two consecutive lines in the security log:
# the first carries "IP address: <client IP>", the following one
# "User authentication failed". <HOST> captures the IP that gets banned.
failregex = IP address: <HOST>.*\n.*User authentication failed

ignoreregex =
[/code]
Now you should have a working filter.
What the filter does:
It searches the Log for a specific string:
IP address: <HOST>.*\n.*User authentication failed

This tells the regular expression engine to look for the literal string `IP address: <HOST>`, followed by anything else up until the end of the line. `\n` will then match a newline. Once it finds that, it looks for any character, occurring any number of times until it comes across the string `User authentication failed`.

Next add a jail to the jail.local in fail2ban: sudo nano /etc/fail2ban/jail.local
And just add this at the end of the file:

[code]
# Two jails, one per protocol, both using the vpnserver filter.
# The section names must differ: two sections both called [vpnserver]
# are merged (or rejected) by the config parser, so only one jail would exist.
[vpnserver-udp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver

[vpnserver-tcp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver
[/code]

Next edit the line logpath=
and maybe the line protocol=
There you must add the protocol the VPN server uses, e.g. UDP for L2TP VPN.
The line logpath must contain the path to the security log.
But let's see the example:
[code]
# Two jails, one per protocol, both using the vpnserver filter.
# The section names must differ: two sections both called [vpnserver]
# are merged (or rejected) by the config parser, so only one jail would exist.
[vpnserver-udp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver

[vpnserver-tcp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver
[/code]

ATTENTION: this is only an example. So you must tweak it!
I hope your fail2ban is working now.
If you have any questions please ask me...
Last edited by Nobody on Sun Dec 30, 2018 10:46 pm, edited 3 times in total.

Nobody
Posts: 10
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Sun Dec 30, 2018 10:38 pm

The old link seems to be broken...
The gist can be found here: https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e
