
Fail2ban setup on Softether VPN Server
This guide covers an Internet-facing Softether VPN server where we want to block brute-force logon attempts to Softether VPN using Fail2ban. It will block the IP address of any client whose logon attempts fail 3 times in 10 minutes and lock it out for 1 hour. These settings are configurable to suit.
The setup was done on a Linux server running Ubuntu 24.04 and Softether VPN Server 4.44.
Update the system with the latest updates and upgrades.
sudo apt update && sudo apt upgrade -y
Install Fail2ban
sudo apt install fail2ban -y
Fail2ban's configuration files live in /etc/fail2ban
To check the version that you have installed
fail2ban-client --version
Version 1.0.2 is the version that APT installs at the time of writing
Start and enable the service to start automatically
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
To check that the service is running
sudo systemctl status fail2ban
There are two parts to the setup
/etc/fail2ban/filter.d/softethervpn.conf
/etc/fail2ban/jail.d/softethervpn.local
The file in the filter directory is used to filter the Softether VPN log files to check for failed logon attempts. These are then processed by the config file in the jail directory which contains the blocking rules.
The filter file already exists, as it's created as part of the standard install, but we found that it didn't correctly match failed logon attempts. Edit the file and replace its contents with this.
[INCLUDES]
before = common.conf
[Init]
maxlines = 2
[Definition]
failregex = IP address: <HOST>.*\n.*User authentication failed
ignoreregex =
To test whether the above is working and correctly capturing failed logon attempts, start the Softether VPN client and connect to the VPN server a couple of times with the wrong credentials. You can check that the filter is capturing the invalid logon attempts by running this command.
sudo fail2ban-regex /usr/local/vpnserver/security_log/VPN/sec_$(date +%Y%m%d).log /etc/fail2ban/filter.d/softethervpn.conf
If it's working correctly the matched count should be greater than 0 and the output should look something like this.
Lines: 41 lines, 0 ignored, 36 matched, 5 missed
Now we need to create the jail config file that defines the blocking rules. The file needs to be created with nano or vi.
sudo vi /etc/fail2ban/jail.d/softethervpn.local
The contents of the file will look like
[softethervpn]
enabled = true
backend = auto
port = 443,992,1194,5555,500,4500,1701
protocol = tcp,udp
filter = softethervpn
logpath = /usr/local/vpnserver/security_log/VPN/sec_*.log
maxretry = 3
# 1 hour
bantime = 3600
# 10 min window
findtime = 600
action = %(action_)s
# Whitelist yourself
ignoreip = 127.0.0.1/8 ::1 IP_YOU_WISH_TO_WHITELIST
Port numbers may vary in your setup, and on the ignoreip line you can add IP addresses which you want the rules to ignore. Keep comments on their own lines: Fail2ban does not treat a trailing "# ..." as a comment, so it would become part of the value.
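To see how the filter and the jail settings fit together before touching the live server, here is an added Python example (not part of this guide, and not Fail2ban code). It emulates the two pieces on a constructed log: the filter step slides a 2-line window over the file, as maxlines = 2 does, and applies the same failregex shape as the filter file above, with <HOST> replaced by a simplified IP-only group; the jail step then applies maxretry = 3 inside findtime = 600 seconds and records a bantime = 3600 second ban. The log lines are constructed to carry only the "IP address:" and "User authentication failed" fragments the regex needs; the rest of their wording is illustrative, the addresses are documentation ranges, and the timestamp format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a SoftEther security log (sec_YYYYMMDD.log). Only the
# "IP address: x.x.x.x" and "User authentication failed" fragments matter to the
# filter; the rest of each line is illustrative wording, not copied from a real
# log. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-09-10 10:00:01.000 Connection "CID-1" (IP address: 203.0.113.10, Port number: 50001) has been accepted.
2025-09-10 10:00:02.000 Connection "CID-1": User authentication failed. User name: "alice".
2025-09-10 10:00:30.000 Connection "CID-2" (IP address: 192.0.2.7, Port number: 50002) has been accepted.
2025-09-10 10:00:31.000 Connection "CID-2": User authentication failed. User name: "bob".
2025-09-10 10:01:00.000 Connection "CID-3" (IP address: 203.0.113.10, Port number: 50003) has been accepted.
2025-09-10 10:01:01.000 Connection "CID-3": User authentication failed. User name: "alice".
2025-09-10 10:02:00.000 Connection "CID-4" (IP address: 198.51.100.9, Port number: 50004) has been accepted.
2025-09-10 10:02:01.000 Connection "CID-4": User authentication succeeded. User name: "carol".
2025-09-10 10:05:00.000 Connection "CID-5" (IP address: 203.0.113.10, Port number: 50005) has been accepted.
2025-09-10 10:05:01.000 Connection "CID-5": User authentication failed. User name: "alice".
2025-09-10 10:06:30.000 Connection "CID-6" (IP address: 192.0.2.7, Port number: 50006) has been accepted.
2025-09-10 10:06:31.000 Connection "CID-6": User authentication failed. User name: "bob".
2025-09-10 10:12:30.000 Connection "CID-7" (IP address: 192.0.2.7, Port number: 50007) has been accepted.
2025-09-10 10:12:31.000 Connection "CID-7": User authentication failed. User name: "bob".
"""

# Same shape as the filter file's failregex; Fail2ban's <HOST> also accepts IPv6
# and hostnames, this simplified group (an assumption) only takes IP characters.
FAILREGEX = re.compile(r"IP address: (?P<host>[0-9A-Fa-f.:]+).*\n.*User authentication failed")
MAXLINES = 2                                   # matches "maxlines = 2" in the filter
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"             # assumed timestamp layout of the sample


def parse_timestamp(line):
    """Timestamp prefix of a constructed log line."""
    return datetime.strptime(line[:23], TS_FORMAT)


def find_failures(log_text, maxlines=MAXLINES):
    """Emulate the filter: slide a window of `maxlines` consecutive lines over the
    log and run failregex over the joined text. Because the regex consumes exactly
    one newline, a match always starts on the first line of the window, so each
    failure is counted once. Returns (timestamp, host) pairs."""
    lines = log_text.splitlines()
    failures = []
    for i in range(len(lines)):
        window = "\n".join(lines[i:i + maxlines])
        match = FAILREGEX.search(window)
        if match:
            failures.append((parse_timestamp(lines[i]), match.group("host")))
    return failures


def evaluate_jail(failures, maxretry=3, findtime=600, bantime=3600):
    """Emulate the jail: a host is banned once it has `maxretry` failures inside
    any `findtime`-second window; the ban lasts `bantime` seconds, and failures
    that arrive while a host is banned are ignored (the firewall drops them).
    Returns (ban_time, host, ban_expiry) triples."""
    recent = defaultdict(list)     # host -> timestamps still inside findtime
    banned_until = {}              # host -> when its ban expires
    bans = []
    for ts, host in sorted(failures):
        if host in banned_until and ts < banned_until[host]:
            continue
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((ts, host, banned_until[host]))
            recent[host] = []
    return bans


if __name__ == "__main__":
    found = find_failures(SAMPLE_LOG)
    print(f"{len(found)} failed logons matched")
    for when, host, until in evaluate_jail(found):
        print(f"ban {host} at {when} until {until}")
```

In the sample, 203.0.113.10 fails three times within 5 minutes and is banned on the third failure; 192.0.2.7 also fails three times, but 6 minutes apart, so no 10 minute window ever holds three of its failures and it is never banned; 198.51.100.9 authenticated successfully and is not counted at all. That is the behaviour the findtime and maxretry settings encode, and it is why a slow, spread-out attempt can stay under the threshold if findtime is too short for your risk appetite.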
Stop and start Fail2ban to pick up the changes
sudo systemctl restart fail2ban
sudo fail2ban-client reload
Then check if everything is working okay. If you have tried to connect more than 3 times in 10 minutes it should block the IP for the period of 1 hour.
sudo fail2ban-client status softethervpn
The output will look similar to this
Status for the jail: softethervpn
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /usr/local/vpnserver/security_log/VPN/sec_20250910.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Once the client has failed authentication enough times, the banned IP should appear in the list
Status for the jail: softethervpn
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     40
|  `- File list:        /usr/local/vpnserver/security_log/VPN/sec_20250910.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   51.52.53.54
To remove an IP address from the banned list
sudo fail2ban-client unban <IP>