Fail2Ban

Nobody
Posts: 11
Joined: Mon Aug 08, 2016 7:13 am

Fail2Ban

Post by Nobody » Mon Oct 03, 2016 1:44 pm

Is there anybody who is using fail2ban with SoftEther? Could somebody please tell me how to set up fail2ban? I'm a real beginner and I don't really know fail2ban and regex...

ghfatw
Posts: 6
Joined: Mon Jul 18, 2016 6:34 am

Re: Fail2Ban

Post by ghfatw » Fri Oct 07, 2016 9:28 am

I asked the same question a few months ago and no one answered. In principle it should be possible but the structure of the log file and how they are saved makes it not so simple to do in my view.

Nobody
Posts: 11
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Fri Oct 07, 2016 11:38 am

Yeah I think so too, that's why I asked. I managed somehow that SE only logs in one security log file. That could be quite important. But I don't know regular expressions very well. But http://reddit.com/u/quixrick helps me. I think the filter is almost finished. But the other problems not now...

Nobody
Posts: 11
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Fri Oct 14, 2016 7:22 pm

I think I have managed to get fail2ban working. What you must know is, you MUST have a fail2ban version higher than 0.9.*. The version in the Debian repos didn't work when I initially wrote this post.
I want to say thanks to quixrick, who helped me very much. http://reddit.com/u/quixrick Thanks for the good explanations and the regex.
So let's start.

Edit Dec. 2022: If you're using an up to date Debian machine, most likely you won't need to install fail2ban yourself anymore as the Debian repos contain a much more recent version nowadays. Feel free to skip the fail2ban installation part.

First make sure you don't have a version of fail2ban on your Debian machine. And please remove if it is installed:
sudo apt-get remove fail2ban
then connect to your SoftEther VPN server with the SoftEther VPN Server Manager (Windows tested) download from here: http://www.softether-download.com/en.as ... =softether
Then login to your VPN server with your Admin password.
Then double click on your virtual host and in the opening window click on "Log save Setting"
In the next window check the box "Save Security Log" if it is not selected. Next click on the "Log file Switch Cycle" select box and choose "No switching". Next click multiple times on the following exit buttons at the bottom of the window.
Next login to your VPN server if possible with root / Admin rights
then change to your home directory with
cd
then make a directory for the download of fail2ban:
mkdir f2bdownload
Then go into this directory
cd f2bdownload
and download fail2ban (at the time of writing this was 0.9.5):
wget https://github.com/fail2ban/fail2ban/ar ... 9.5.tar.gz
then unpack it:
tar -xzf 0.9.*
And delete the tar:
rm 0.9.*
then change into the directory
cd fail2ban*
And install fail2ban
python setup.py install
so fail2ban should work now, but the init system needs a script to start and stop fail2ban properly. Fail2ban provides one, which you install like this:
cd files
sudo cp debian-initd /etc/init.d/fail2ban
And make it executable:
chmod 755 /etc/init.d/fail2ban
Now reboot and check if fail2ban works properly.
sudo reboot
Now add a fail2ban filter:
sudo nano /etc/fail2ban/filter.d/vpnserver.conf
paste this in the editor or download it from GitHub: https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e

[code]
# Fail2Ban filter for SoftEther authentication failures
#
# Thanks to quixrick from Reddit! https://reddit.com/u/quixrick

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

# Enable multi line support. Doesn't work with versions < 0.9
[Init]
maxlines = 2

# The regular expression filter follows
[Definition]

failregex = IP address: <HOST>.*\n.*User authentication failed
ignoreregex =
[/code]
Now you should have a working filter.
What the filter does:
It searches the Log for a specific string:
IP address: <HOST>.*\n.*User authentication failed

This tells the regular expression engine to look for the literal string `IP address: <HOST>`, followed by anything else up until the end of the line. `\n` will then match a newline. Once it finds that, it looks for any character, occurring any number of times until it comes across the string `User authentication failed`.

Next add a jail to the jail.local in fail2ban: sudo nano /etc/fail2ban/jail.local
And just add this at the end of the file:

[code]
# Two jails are needed because "protocol" takes a single value. They must
# have distinct section names (a repeated [vpnserver] section is a duplicate
# in an INI file), so both reuse the same filter via "filter = vpnserver".
[vpnserver-udp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver

[vpnserver-tcp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver
[/code]

Next edit the line logpath= and maybe the line protocol=.
There you must add the protocol the vpnserver uses, e.g. UDP for L2TP VPN.
The line logpath must contain the path to the security log.
But let's see the example:
[code]
# Same two jails as above, with the real path to the security log filled in.
[vpnserver-udp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver

[vpnserver-tcp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserver
[/code]

ATTENTION: this is only an example. So you must tweak it!
I hope your fail2ban is working now.
If you have any questions please ask me...
Last edited by Nobody on Sun Dec 25, 2022 9:27 pm, edited 4 times in total.
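The two-line matching described above, as an added example that is not part of the original post or of fail2ban itself: a small Python emulation of how the filter's failregex is tried against a window of maxlines consecutive log lines. It uses the two failregex strings posted in this thread, a simplified stand-in for fail2ban's <HOST> tag, and constructed sample log lines (not real SoftEther captures); it also shows why maxlines must cover the distance between the "IP address:" line and the failure line.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real one is richer).
HOST_RE = r"(?P<host>[\w.:-]+)"

# The two failregex strings posted in this thread.
SEC_FAILREGEX = r"IP address: <HOST>.*\n.*User authentication failed"
ADMIN_FAILREGEX = r"IP address: <HOST>.*\n.*\n.*\n.*Access has been denied"

# Constructed sample lines in the style of a SoftEther security log (not a real capture).
SECURITY_LOG = """\
2016-10-14 19:22:01.100 Connection "CID-1": IP address: 203.0.113.7, Port number: 45001
2016-10-14 19:22:01.200 Connection "CID-1": User authentication failed. User name: "bob"
2016-10-14 19:22:05.100 Connection "CID-2": IP address: 198.51.100.9, Port number: 45002
2016-10-14 19:22:05.200 Connection "CID-2": User authentication succeeded. User name: "alice"
2016-10-14 19:22:09.100 Connection "CID-3": IP address: 203.0.113.7, Port number: 45003
2016-10-14 19:22:09.200 Connection "CID-3": User authentication failed. User name: "root"
"""

# Constructed sample in the style of the server_log, where the denial is three lines below the IP line.
SERVER_LOG = """\
2023-04-14 18:20:01.000 A client (IP address: 192.0.2.33, Port number: 50111) has connected.
2023-04-14 18:20:01.010 Connection "CID-9" has been created.
2023-04-14 18:20:01.020 Connection "CID-9": Management connection.
2023-04-14 18:20:01.030 Connection "CID-9": Access has been denied: wrong administrator password.
2023-04-14 18:20:01.040 Connection "CID-9" has been terminated.
"""

def failing_hosts(log_text, failregex, maxlines):
    """Emulate fail2ban's multi-line matching: the pattern is searched in every
    window of up to `maxlines` consecutive lines. A hit only counts when its
    'IP address:' anchor lies on the window's first line, so each failure is
    counted exactly once whatever maxlines is. Returns {host: failure_count}."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))  # '.' never crosses '\n'
    lines = log_text.splitlines()
    hits = Counter()
    for i, first in enumerate(lines):
        window = "\n".join(lines[i:i + maxlines])
        m = pattern.search(window)
        if m and m.start() < len(first):
            hits[m.group("host")] += 1
    return dict(hits)

def hosts_to_ban(log_text, failregex, maxlines, maxretry):
    """Hosts that reached the jail's maxretry and would therefore be banned."""
    counts = failing_hosts(log_text, failregex, maxlines)
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With maxlines = 2 the server_log pattern (three newlines) can never match, which is why the admin filter later in this thread sets maxlines = 4.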

Nobody
Posts: 11
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Sun Dec 30, 2018 10:38 pm

The old link seems to be broken...
The gist can be found here: https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e

GerryB
Posts: 20
Joined: Thu Sep 19, 2013 6:35 am

Re: Fail2Ban

Post by GerryB » Thu Jul 09, 2020 10:32 pm

Fail2ban function should be integral to the server please. It is one missing essential feature of a wonderful programme.

There needs to be a setting within the server config pages that can ban an IPv4 or IPv6/64 after n failed attempts for x minutes, and if repeated within z, banned for y hours.

I was worried ++ about security when the html "feature" popped up. Not keen on it at all.

Gerry

augur
Posts: 12
Joined: Tue Jun 04, 2019 6:09 am

Re: Fail2Ban

Post by augur » Wed May 26, 2021 5:43 am

For everybody to know... logfiles can be set up with wildcards, so no change to SoftEther is necessary.

/etc/fail2ban/jail.local:
[code]
[vpnserver]
action = iptables-allports[]
enabled = true
filter = vpnserver
logpath = /usr/local/bin/vpnserver/security_log/*/sec_*.log
[/code]

So very easy to use, but it would be nicer if the logfiles were stored in the standard log folder....

walawa75
Posts: 1
Joined: Mon Jun 06, 2022 10:32 pm

Re: Fail2Ban

Post by walawa75 » Mon Jun 06, 2022 10:57 pm

Hi

Very interesting but .... this does not work on my server. The f2b service does not start because of a missing log file for the vpnserver filter.

How to fix that ?


Edit: By adding a wildcard to the path!! It works all good, thanks!!

Very scarce and useful post!!

red
Posts: 6
Joined: Fri Sep 09, 2016 8:27 pm

Re: Fail2Ban

Post by red » Mon Aug 22, 2022 3:23 pm

I have yet to get fail2ban to cooperate with Softether. 

I have implemented fail2ban a number of times before on other systems with good results.  But not here yet.

Versions:
fail2ban 0.11.2
CentOS 7

When the jail is enabled, I always get the following error.

fail2ban [8631]: ERROR Failed during configuration: Have not found any log file for vpnserver jail

I have tried every iteration of logpath including wildcards and a specific log and the error is always the same (not found any log file) if I reference the logs in place in the vpnserver directory itself.
 
I have to cron copy the logs from vpnserver into /tmp to get fail2ban to work, and it does fine with the logs copied out of the vpnserver dir.

Must be something obvious I am missing. 

Any ideas?

TranheiserBusch
Posts: 1
Joined: Fri Apr 14, 2023 5:56 pm

Re: Fail2Ban

Post by TranheiserBusch » Fri Apr 14, 2023 6:26 pm

Great post, it made my life much easier to set up fail2ban on my SoftEther server. I did notice that it did not ban any failed attempts using the vpncmd tool though. It seems any failed attempts using vpncmd are logged in the server_log and do not fit the regex provided for the security_log. I am no expert on fail2ban, but I created a jail for the additional log and regex; it seems to work, so I thought I'd share it. Check all paths and make sure they don't need tweaking. Any feedback appreciated.

Server: Ubuntu 20.04.6 LTS
fail2ban ver 0.11.1-1 (from repo)
SoftEther v4.41-9787-rtm

sudo nano /etc/fail2ban/jail.local

Added this to end:

[code]
[vpnserveradmin]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
logpath = /usr/local/vpnserver/server_log/vpn_*.log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action = %(action_mwl)s
filter = vpnserveradmin
[/code]

I created a new filter:
sudo nano /etc/fail2ban/filter.d/vpnserveradmin.conf

and added this:

[code]
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

# Enable multi line support. Doesn't work with versions < 0.9
[Init]
maxlines = 4

# The regular expression filter follows
[Definition]
failregex = IP address: <HOST>.*\n.*\n.*\n.*Access has been denied
ignoreregex =
[/code]

Don't forget to restart fail2ban:
sudo systemctl restart fail2ban.service

Nobody
Posts: 11
Joined: Mon Aug 08, 2016 7:13 am

Re: Fail2Ban

Post by Nobody » Tue Jul 25, 2023 6:39 pm

That's great. I just saw that fail2ban now has an official config file: https://github.com/fail2ban/fail2ban/bl ... ervpn.conf I'd say it's worth contributing to the official repository.

koval
Posts: 2
Joined: Sun May 14, 2023 6:52 pm

Re: Fail2Ban

Post by koval » Sat Jan 27, 2024 11:43 am

Hello,
A pull request was created: https://github.com/fail2ban/fail2ban/pull/3669
