I think I have managed to get fail2ban working. What you must know is, you MUST have a fail2ban version higher than 0.9.*. The version in the Debian repos didn't work when I initially wrote this post.
I want to say thanks to quixrick, who helped me very much.
http://reddit.com/u/quixrick Thanks for the good explanations and the regex.
So let's start.
Edit Dec. 2022: If you're using an up-to-date Debian machine, you most likely won't need to install fail2ban yourself anymore, as the Debian repos contain a much more recent version nowadays. Feel free to skip the fail2ban installation part.
First make sure you don't have a version of fail2ban on your Debian machine, and remove it if it is installed:
sudo apt-get remove fail2ban
then connect to your SoftEther VPN server with the SoftEther VPN Server Manager (tested on Windows), which you can download from here:
http://www.softether-download.com/en.as ... =softether
Then log in to your VPN server with your admin password.
Then double click on your virtual host and in the window that opens click on "Log save Setting".
In the next window check the box "Save Security Log" if it is not already selected. Next, in the "Log file Switch Cycle" select box choose "No switching". Then close the dialogs with the exit buttons at the bottom of the windows.
Next log in to your VPN server, if possible with root/admin rights,
then change to your home directory with
cd
then make a directory for the download of fail2ban:
mkdir f2bdownload
Then go into this directory
cd f2bdownload
and download fail2ban (at the time of writing, the latest version was 0.9.5):
wget https://github.com/fail2ban/fail2ban/ar ... 9.5.tar.gz
then unpack it:
tar -xzf 0.9.*
And delete the tar:
rm 0.9.*
then change into the directory
cd fail2ban*
And install fail2ban
python setup.py install
So fail2ban should work now, but the init system needs a script to start and stop fail2ban properly. Fail2ban provides one, which you install like this:
cd files
sudo cp debian-initd /etc/init.d/fail2ban
And make it executable (the file belongs to root, so this needs sudo as well):
sudo chmod 755 /etc/init.d/fail2ban
Now reboot and check if fail2ban works properly.
sudo reboot
Now add a fail2ban filter:
sudo nano /etc/fail2ban/filter.d/vpnserver.conf
paste this in the editor or download it from GitHub:
https://gist.github.com/ann0see/a61e41c ... d0e9f3aa7e
[code]
# Fail2Ban filter for SoftEther authentication failures
#
# Thanks to quixrick from Reddit!
# https://reddit.com/u/quixrick
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
# Enable multi-line support. Doesn't work with versions < 0.9
[Init]
maxlines = 2
# The regular expression filter follows
[Definition]
failregex = IP address: <HOST>.*\n.*User authentication failed
ignoreregex =
[/code]
Now you should have a working filter.
What the filter does:
It searches the log for this pattern:
IP address: <HOST>.*\n.*User authentication failed
This tells the regular expression engine to look for the literal string `IP address: ` followed by `<HOST>`, which is fail2ban's placeholder for the client address that gets banned, and then anything else up until the end of the line. `\n` will then match a newline. Once it finds that, it looks for any character, occurring any number of times, until it comes across the string `User authentication failed`. Because `.` does not match a newline, the two parts have to sit on consecutive log lines, which is why the filter needs `maxlines = 2` and therefore a fail2ban version with multi-line support.
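To see what the filter catches without a running fail2ban, here is an added Python script (not part of the original post) that expands `<HOST>` the way fail2ban does and slides a window of `maxlines` consecutive lines over a constructed sample log; the log lines are made up for illustration and the exact SoftEther format may differ.

```python
import re
from typing import List

# fail2ban expands the <HOST> tag into this named group (optional
# IPv4-mapped IPv6 prefix, then the address or host name).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the vpnserver.conf filter above.
FAILREGEX = r"IP address: <HOST>.*\n.*User authentication failed"

# Constructed sample log (not a real SoftEther capture): two failed
# logins from different addresses and one successful login in between.
SAMPLE_LOG = """\
2016-07-10 12:00:01.123 Connection "CID-5": IP address: 203.0.113.7, Host name: (unknown), User name: alice
2016-07-10 12:00:01.124 Connection "CID-5": User authentication failed. The user name that has been provided was "alice".
2016-07-10 12:00:05.000 Connection "CID-6": IP address: 198.51.100.2, Host name: (unknown), User name: bob
2016-07-10 12:00:05.001 Connection "CID-6": User "bob" authenticated successfully.
2016-07-10 12:00:09.000 Connection "CID-7": IP address: 192.0.2.9, Host name: (unknown), User name: eve
2016-07-10 12:00:09.001 Connection "CID-7": User authentication failed. The user name that has been provided was "eve".
"""


def compile_failregex(failregex: str) -> "re.Pattern":
    """Substitute <HOST> like fail2ban does and compile the regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def find_failed_hosts(log_text: str, maxlines: int = 2) -> List[str]:
    """Emulate fail2ban's multi-line matching.

    A window of `maxlines` consecutive lines is joined with "\\n" and
    tested against the regex; every match yields the <host> group, i.e.
    the address fail2ban would count as a failure.
    """
    regex = compile_failregex(FAILREGEX)
    lines = log_text.splitlines()
    hosts = []
    for i in range(len(lines)):
        window = "\n".join(lines[i:i + maxlines])
        match = regex.search(window)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    print("maxlines=2:", find_failed_hosts(SAMPLE_LOG, maxlines=2))
    # With a single-line window the "\n" in the regex can never match,
    # which is why fail2ban < 0.9 (no maxlines) sees no failures at all.
    print("maxlines=1:", find_failed_hosts(SAMPLE_LOG, maxlines=1))
```

Running it shows that only the two addresses whose "IP address:" line is directly followed by a "User authentication failed" line are reported, and that with a one-line window nothing is reported.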
Next add a jail to the jail.local of fail2ban:
sudo nano /etc/fail2ban/jail.local
and just add this at the end of the file:
[code]
# Two jails, one per protocol; section names must be unique, so the
# filter is referenced explicitly with filter=vpnserver in both.
[vpnserver-udp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IPs
# action = %(action_mwl)s
filter = vpnserver
[vpnserver-tcp]
enabled = true
logpath = /path/to/the/security/log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IPs
# action = %(action_mwl)s
filter = vpnserver
[/code]
Next edit the line logpath= and maybe the line protocol=.
The protocol line must contain the protocol the VPN server uses, e.g. udp for L2TP VPN.
The logpath line must contain the path to the security log.
Here is an example:
[code]
[vpnserver-udp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = udp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IPs
# action = %(action_mwl)s
filter = vpnserver
[vpnserver-tcp]
enabled = true
logpath = /usr/local/vpnserver/security_log/VPN/sec.log
port = all
protocol = tcp
banaction = iptables-allports
# Uncomment the following line if you want to be notified about banned IPs
# action = %(action_mwl)s
filter = vpnserver
[/code]
ATTENTION: this is only an example, so you must adapt it to your setup!
I hope your fail2ban is working now.
If you have any questions please ask me...