Securing from DMZ

laptopu
Posts: 1
Joined: Mon Apr 20, 2020 6:05 pm

Securing from DMZ

Post by laptopu » Mon Apr 20, 2020 6:29 pm

Hi all, thanks firstly to the team for this software, it appears to be awesome!

Right, here's the background. I am trying out SoftEther on a Linux box set up via Linux Deploy on an old Android mobile phone. I have installed the system as Debian 10 and got SoftEther booting up with a sysv service.

My ISP's broadband router is poor, it seems to have issues with IPSec and is well documented online as having this issue with the hardware they issue, so no matter what settings or port forwarding I use, it will always fail unless I place the box in the DMZ. That includes if I try to punch through with Azure or any other service, it always fails due to my ISP's equipment.

I also have to enable secure NAT on SoftEther for it to work even on DMZ.

Here's my issue. If I put the Linux box straight on DMZ I'm worried I'll get brute force attacked very quickly.

I have tried to install Fail2Ban but due to how the initialisation works on Linux Deploy this seems to have a problem, so after spending many hours I've given up on this idea.

What I want to do is two things really. First I want to somehow delay the attempts at allowed failed logins, so for instance if there's one failed login I want to delay or ban the next attempt. Any suggestions how I can do this any other way but not Fail2Ban?

The next thing I want to do is restrict any management or ability to log on as a server manager unless it is via a local terminal, not remote. Again, is it possible to do this?

I've sent lots of detail to my ISP but I doubt they will change their hardware for me!

Thanks all.

OliverTejada
Posts: 46
Joined: Mon Apr 13, 2020 8:08 pm

Re: Securing from DMZ

Post by OliverTejada » Mon Apr 20, 2020 7:29 pm

Since you're running SoftEther on a Linux platform, your only workaround is to configure the iptables firewall so that you can control from which source addresses or subnets IPsec traffic is allowed, and from which ones it isn't.

I have managed to stop intrusion attempts this way on my SEVPN server running on Windows. Windows Firewall itself is feature rich, and I have created inbound allow rules for specific IP address blocks that belong to my country. Connections coming in from any unlisted subnet are ignored and discarded.
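The Linux equivalent of the allow-list described in the reply above, written as an added example (it is not from either poster and not SoftEther's own tooling). It assumes the WAN-facing interface is eth0, that the trusted source blocks are the two constructed TEST-NET ranges below, that clients connect with L2TP/IPsec only, and that the SoftEther TCP listeners on 443, 992 and 5555 (the ports Server Manager also uses) are needed only from the LAN or the box itself, so they are dropped from the WAN to address the "local management only" question. The `recent` rule throttles new IKE/NAT-T flows per source address; iptables cannot see authentication failures, so it slows connection floods rather than counting bad passwords. By default the script only prints the rules; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example, not from the forum thread. Allow-list IPsec/L2TP from
# trusted source blocks, throttle new IKE/NAT-T flows, and keep SoftEther's
# TCP listeners (used by Server Manager) off the WAN interface.
# All values below are assumptions for illustration.

ALLOWED_SUBNETS="${ALLOWED_SUBNETS:-203.0.113.0/24 198.51.100.0/24}"  # constructed TEST-NET blocks
LISTENER_PORTS="443 992 5555"   # SoftEther default TCP listener ports

# Emit one iptables command per line.  $1 = space-separated allowed subnets,
# $2 = WAN-facing interface name.
build_rules() {
    subnets="$1"
    iface="$2"
    # Replies to flows the box already tracks are accepted before any VPN rule.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # VPN_RATE: more than 5 new UDP flows (IKE on 500, NAT-T on 4500, L2TP on
    # 1701) from one address within 60 s are dropped; otherwise accept.
    echo "iptables -N VPN_RATE 2>/dev/null || iptables -F VPN_RATE"
    echo "iptables -A VPN_RATE -m recent --name ike --update --seconds 60 --hitcount 6 -j DROP"
    echo "iptables -A VPN_RATE -m recent --name ike --set"
    echo "iptables -A VPN_RATE -j ACCEPT"
    # VPN_IN: only listed source blocks get through; UDP goes via the throttle,
    # ESP (no ports) is accepted directly; everything else is dropped.
    echo "iptables -N VPN_IN 2>/dev/null || iptables -F VPN_IN"
    for net in $subnets; do
        echo "iptables -A VPN_IN -s $net -p udp -j VPN_RATE"
        echo "iptables -A VPN_IN -s $net -j ACCEPT"
    done
    echo "iptables -A VPN_IN -j DROP"
    # Hand the IPsec and L2TP traffic arriving on the WAN interface to VPN_IN.
    echo "iptables -A INPUT -i $iface -p udp --dport 500 -j VPN_IN"
    echo "iptables -A INPUT -i $iface -p udp --dport 4500 -j VPN_IN"
    echo "iptables -A INPUT -i $iface -p esp -j VPN_IN"
    echo "iptables -A INPUT -i $iface -p udp --dport 1701 -j VPN_IN"
    # Management: SoftEther's TCP listeners are unreachable from the WAN, so
    # Server Manager can only connect from the LAN side or from localhost.
    for port in $LISTENER_PORTS; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -j DROP"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules "$ALLOWED_SUBNETS" "${IFACE:-eth0}" | sh -e   # needs root
else
    build_rules "$ALLOWED_SUBNETS" "${IFACE:-eth0}"           # dry run
fi
```

Review the printed rules first, and keep an existing LAN-side accept rule (or console access) in place before applying, since the TCP listener drops also remove the WAN path that a remote Server Manager session would use.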
