Fail2Ban
-
- Posts: 6
- Joined: Mon Jul 18, 2016 6:34 am
Re: Fail2Ban
I asked the same question a few months ago and no one answered. In principle it should be possible but the structure of the log file and how they are saved makes it not so simple to do in my view.
-
- Posts: 11
- Joined: Mon Aug 08, 2016 7:13 am
Re: Fail2Ban
Yeah I think so too, that's why I asked. I managed somehow that SE only logs into one security log file. That could be significantly important. But I don't know regular expressions very well. But http://reddit.com/u/quixrick is helping me. I think the filter is almost finished. But the other problems not now...
-
- Posts: 11
- Joined: Mon Aug 08, 2016 7:13 am
Re: Fail2Ban
I think I have managed to get fail2ban working. What you must know is, you MUST have a fail2ban version higher than 0.9.*. The version in the Debian repos didn't work when I initially wrote this post.
I want to say thanks to quixrick, who helped me very much. http://reddit.com/u/quixrick Thanks for the good explanations and the regex.
So let's start.
Edit Dec. 2022: If you're using an up to date Debian machine, most likely you won't need to install fail2ban yourself anymore as the Debian repos contain a much more recent version nowadays. Feel free to skip the fail2ban installation part.
First make sure you don't have a version of fail2ban on your Debian machine. And please remove if it is installed:
sudo apt-get remove fail2ban
then connect to your SoftEther VPN server with the SoftEther VPN Server Manager (tested on Windows), which you can download from here: http://www.softether-download.com/en.as ... =softether
Then login to your VPN server with your Admin password.
Then double click on your virtual host and in the opening window click on "Log save Setting"
In the next window check the box "Save Security Log" if it is not selected. Next click the "Log File Switch Cycle" select box and choose "No switching". Then click the exit/OK buttons at the bottom of the windows until all dialogs are closed.
Next login to your VPN server if possible with root / Admin rights
then change to your home directory with
cd
then make a directory for the download of fail2ban:
mkdir f2bdownload
Then go into this directory
cd f2bdownload
and download fail2ban (at the time of writing this was 0.9.5):
wget https://github.com/fail2ban/fail2ban/ar ... 9.5.tar.gz
then unpack it:
tar -xzf 0.9.*
And delete the tar:
rm 0.9.*
then change into the directory
cd fail2ban*
And install fail2ban
python setup.py install
so fail2ban should work now, but the init system needs a script to start and stop fail2ban properly. Fail2ban provides one, which you install like this:
cd files
sudo cp debian-initd /etc/init.d/fail2ban
And make it executable:
chmod 755 /etc/init.d/fail2ban
Now reboot and check if fail2ban works properly.
sudo reboot
Now add a fail2ban filter:
sudo nano /etc/fail2ban/filter.d/vpnserver.conf
paste this in the editor or download it from GitHub: https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e
[code]
# Fail2Ban filter for SoftEther authentication failures
#
#Thanks to quixrick from Reddit! https://reddit.com/u/quixrick
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
#Enable multi line support. Doesn't work with versions < 0.9
[Init]
maxlines = 2
# The regular expression filter follows
[Definition]
failregex = IP address: <HOST>.*\n.*User authentication failed
ignoreregex =
[/code]
Now you should have a working filter.
What the filter does:
It searches the Log for a specific string:
IP address: <HOST>.*\n.*User authentication failed
This tells the regular expression engine to look for the literal string `IP address: <HOST>`, followed by anything else up until the end of the line. `\n` will then match a newline. Once it finds that, it looks for any character, occurring any number of times until it comes across the string `User authentication failed`.
Next add a jail to the jail.local in fail2ban:
sudo nano /etc/fail2ban/jail.local
And just add this at the end of the file:
[code]
# Two jails share one filter. INI section names must be unique, so the
# UDP and TCP variants get different jail names (both use filter=vpnserver).
[vpnserver-udp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action= %(action_mwl)s
filter=vpnserver
[vpnserver-tcp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action= %(action_mwl)s
filter=vpnserver
[/code]
Next edit the line logpath=
And maybe the line protocol=
There you must add the protocol the VPN server uses, e.g. UDP for L2TP VPN.
The line logpath must contain the path to the security log.
But let's see the example:
[code]
# Two jails share one filter. INI section names must be unique, so the
# UDP and TCP variants get different jail names (both use filter=vpnserver).
[vpnserver-udp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action= %(action_mwl)s
filter=vpnserver
[vpnserver-tcp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action= %(action_mwl)s
filter=vpnserver
[/code]
ATTENTION: this is only an example. So you must tweak it!
I hope your fail2ban is working now.
If you have any questions please ask me...
Last edited by Nobody on Sun Dec 25, 2022 9:27 pm, edited 4 times in total.
-
- Posts: 11
- Joined: Mon Aug 08, 2016 7:13 am
Re: Fail2Ban
The old link seems to be broken...
The gist can be found here: https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e
-
- Posts: 20
- Joined: Thu Sep 19, 2013 6:35 am
Re: Fail2Ban
Fail2ban function should be integral to the server please. It is one missing essential feature of a wonderful programme.
There needs to be a setting within the server config pages that can ban an IPv4 or IPv6/64 after n failed attempts for x minutes, and if repeated within z, ban for y hours.
I was worried ++ about security when the html "feature" popped up. Not keen on it at all.
Gerry
-
- Posts: 12
- Joined: Tue Jun 04, 2019 6:09 am
Re: Fail2Ban
For everybody to know... logfiles can be set up with wildcards, so no change to SoftEther is necessary.
/etc/fail2ban/jail.local:
[code]
[vpnserver]
action = iptables-allports[]
enabled = true
filter = vpnserver
logpath = /usr/local/bin/vpnserver/security_log/*/sec_*.log
[/code]
So very easy to use but it would be nicer if the logfiles would be stored in standard logfolder....
-
- Posts: 1
- Joined: Mon Jun 06, 2022 10:32 pm
Re: Fail2Ban
Hi
Very interesting but .... this does not work on my server. The f2b service does not start because of missing log file for vpnserver filter.
How to fix that ?
Edit: By adding a wildcard to the path!! It works all good, thanks!!
Very scarce and useful post!!
-
- Posts: 6
- Joined: Fri Sep 09, 2016 8:27 pm
Re: Fail2Ban
I have yet to get fail2ban to cooperate with Softether.
I have implemented fail2ban a number of times before on other systems with good results. But not here yet.
Versions:
fail2ban 0.11.2
CentOS 7
When the jail is enabled, I always get the following error.
fail2ban [8631]: ERROR Failed during configuration: Have not found any log file for vpnserver jail
I have tried every iteration of logpath including wildcards and a specific log and the error is always the same (not found any log file) if I reference the logs in place in the vpnserver directory itself.
I have to cron copy the logs from vpnserver into /tmp to get fail2ban to work, and it does fine with the logs copied out of the vpnserver dir.
Must be something obvious I am missing.
Any ideas?
-
- Posts: 1
- Joined: Fri Apr 14, 2023 5:56 pm
Re: Fail2Ban
Great post, it made my life much easier to set up fail2ban on my SoftEther server. I did notice that it did not ban any failed attempts using the vpncmd tool though. It seems any failed attempts using vpncmd are logged in the server_log and do not fit the regex provided for the security_log. I am no expert on fail2ban, but I created a jail for the additional log and regex; it seems to work, so I thought I'd share it. Check all paths and make sure they don't need tweaking. Any feedback appreciated.
Server: Ubuntu 20.04.6 LTS
fail2ban ver 0.11.1-1 (from repo)
SoftEther v4.41-9787-rtm
sudo nano /etc/fail2ban/jail.local
Added this to end:
**** code start ****
[vpnserveradmin]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
logpath = /usr/local/vpnserver/server_log/vpn_*.log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IP's
# action= %(action_mwl)s
filter=vpnserveradmin
**** code end ****
I created new filter:
sudo nano /etc/fail2ban/filter.d/vpnserveradmin.conf
and added this:
**** code start ****
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
#Enable multi line support. Doesn't work with versions < 0.9
[Init]
maxlines = 4
# The regular expression filter follows
[Definition]
failregex = IP address: <HOST>.*\n.*\n.*\n.*Access has been denied
ignoreregex =
**** code end ****
Don't forget to restart fail2ban:
sudo systemctl restart fail2ban.service
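As an added example (not code from this thread and not fail2ban's own code), the following Python script emulates how fail2ban applies a multi-line failregex under a `maxlines` buffer, using the two regexes posted in this thread: the `User authentication failed` filter from the vpnserver.conf post and the `Access has been denied` filter from the vpnserveradmin.conf post. The `<HOST>` expansion, the line buffer and the `maxretry` count are simplified assumptions (fail2ban's real host pattern is broader and it also applies a `findtime` window), and the log lines are constructed to resemble SoftEther output rather than captured from a server.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real pattern
# is broader and also strips an IPv4-mapped IPv6 prefix).
HOST_RE = r"(?P<host>[\w.:-]+)"

# The two failregex values exactly as posted in this thread.
SEC_FAILREGEX = r"IP address: <HOST>.*\n.*User authentication failed"
ADMIN_FAILREGEX = r"IP address: <HOST>.*\n.*\n.*\n.*Access has been denied"


def compile_failregex(failregex):
    """Expand <HOST> into a named capture group and compile the pattern.
    Python's '.' does not match a newline, so every '.*' stays on its own
    line and only the literal '\\n' crosses a line boundary."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def scan(lines, failregex, maxlines=1):
    """Approximation of fail2ban's maxlines buffering: keep the newest
    `maxlines` lines, join them with '\\n', search after every new line,
    and drop the buffered lines once they produced a match."""
    pattern = compile_failregex(failregex)
    buffer, hits = [], []
    for line in lines:
        buffer.append(line.rstrip("\n"))
        del buffer[:-maxlines]  # keep only the newest maxlines lines
        match = pattern.search("\n".join(buffer))
        if match:
            hits.append(match.group("host"))
            buffer.clear()
    return hits


def hosts_to_ban(hits, maxretry):
    """Hosts that reached `maxretry` matches (findtime is ignored here)."""
    return sorted(h for h, n in Counter(hits).items() if n >= maxretry)


# Constructed lines modelled on a SoftEther security log (sec.log); they are
# illustrative, not captured from a real server.
SEC_LOG = [
    '2023-04-14 10:00:01 Connection "CID-12" (IP address: 203.0.113.5, Port number: 51234) has been accepted.',
    '2023-04-14 10:00:02 Connection "CID-12": User authentication failed. The user name provided was "admin".',
    '2023-04-14 10:00:05 Connection "CID-13" (IP address: 203.0.113.5, Port number: 51240) has been accepted.',
    '2023-04-14 10:00:06 Connection "CID-13": User authentication failed. The user name provided was "root".',
    '2023-04-14 10:00:09 Connection "CID-14" (IP address: 198.51.100.7, Port number: 40012) has been accepted.',
    '2023-04-14 10:00:10 Connection "CID-14": User authentication succeeded.',
    '2023-04-14 10:00:12 Connection "CID-15" (IP address: 203.0.113.5, Port number: 51250) has been accepted.',
    '2023-04-14 10:00:13 Connection "CID-15": User authentication failed. The user name provided was "test".',
]

# Constructed lines modelled on a SoftEther server log (vpn_*.log) for a
# rejected administrator login; illustrative only.
SERVER_LOG = [
    '2023-04-14 11:00:00 The server has been started.',
    '2023-04-14 11:00:03 Connection "CID-40" (IP address: 192.0.2.9, Port number: 40100) has been accepted.',
    '2023-04-14 11:00:03 Connection "CID-40": Administrator mode login was attempted.',
    '2023-04-14 11:00:03 Connection "CID-40": The password is incorrect.',
    '2023-04-14 11:00:03 Connection "CID-40": Access has been denied.',
]


if __name__ == "__main__":
    sec_hits = scan(SEC_LOG, SEC_FAILREGEX, maxlines=2)
    print("security log hits:", sec_hits)
    print("ban with maxretry=3:", hosts_to_ban(sec_hits, maxretry=3))
    print("with maxlines=1 (no newline in window):", scan(SEC_LOG, SEC_FAILREGEX, maxlines=1))
    print("server log hits:", scan(SERVER_LOG, ADMIN_FAILREGEX, maxlines=4))
```

Two things the script makes visible: with `maxlines = 1` the buffer never contains a newline, so a regex with `\n` in it can never match, which is why the posts insist on a version that supports `maxlines`; and the two-line pattern ties the failure to the IP only by line adjacency, so if another connection's line is interleaved between the `IP address:` line and the failure line, the match is lost or attributed to the wrong line. Before enabling a jail, run the real tool against the real log, e.g. `fail2ban-regex /usr/local/vpnserver/security_log/VPN/sec.log /etc/fail2ban/filter.d/vpnserver.conf`, and check that the reported matches are the IPs you expect.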
-
- Posts: 11
- Joined: Mon Aug 08, 2016 7:13 am
Re: Fail2Ban
That's great. I just saw that fail2ban now has an official config file: https://github.com/fail2ban/fail2ban/bl ... ervpn.conf I'd say it's worth contributing to the official repository.