Tutorial: Protect the Admin and Client Web UIs from Brute-Force Attacks with Fail2Ban

Abstract

How to install and configure Fail2Ban to protect Access Server's Admin and Client Web UIs from brute-force attacks.

Overview

Fail2Ban is a security tool that protects servers from brute-force attacks by monitoring log files for suspicious activity, such as repeated failed login attempts, and blocking offending IP addresses. Access Server includes a built-in protection feature called the Authentication Failure Lockout Policy, which automatically triggers a lockout after a set number of failed login attempts within a defined timeframe. Using Fail2Ban in addition to this built-in feature provides an extra layer of defense, particularly against distributed or large-scale attacks targeting your Access Server web interfaces.

This tutorial explains how to install and configure Fail2Ban to protect Access Server's Admin and Client Web UIs.

Prerequisites

  • An installed Access Server.

  • Console access with the ability to get root privileges.

  1. Connect to the console.

  2. Run the appropriate command to install Fail2Ban on your Linux OS:

    • For Ubuntu or Debian systems: Update package repositories and install Fail2Ban:

      sudo su
      apt update && apt install fail2ban -y
      
    • For Red Hat Enterprise Linux (RHEL) systems: Install the EPEL (Extra Packages for Enterprise Linux) repository and Fail2Ban:

      sudo su
      dnf install epel-release -y
      dnf install fail2ban -y
      

For Access Server versions 2.14.2 or 2.14.3

  1. Create the filter file:

    nano /etc/fail2ban/filter.d/openvpnas.conf
  2. Add the following content:

    [Definition]
    failregex = "<HOST>" - - \[.*\] "GET /admin/\?login-failure=SW5jb3JyZWN0IGxvZ2luLg2 HTTP/1\.1"
                "<HOST>" - - \[.*\] "POST /api/auth/login/userpassword HTTP/1\.1" (401|403)
    ignoreregex =
  3. Save and exit (Ctrl+X, then Y, and press Enter).

For Access Server version 2.14.1 or older

Important

These older versions don’t log the real source IP address for web interface logins. You must enable a debug flag to capture it, which significantly increases logging and disk usage. Use this method only as a last resort. Upgrading to a newer version is strongly recommended.

  1. Edit the Access Server configuration file:

    nano /usr/local/openvpn_as/etc/as.conf
  2. Add this debug flag:

    DEBUG_LOGDB=1
  3. Save and exit (Ctrl+X, then Y, and press Enter).

  4. Restart the service:

    systemctl restart openvpnas
  5. Create the Fail2Ban filter:

    nano /etc/fail2ban/filter.d/openvpnas.conf
  6. Add the following content:

    [Definition]
    failregex = ^.*LOG_DB RECORD.*"service": "WEB.*"real_ip": "<HOST>".*"auth": 0
    ignoreregex =
  7. Save and exit (Ctrl+X, then Y, and press Enter).

  1. Copy the default configuration from jail.conf into a new file called jail.local:

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    
  2. Open the jail.local configuration file:

    nano /etc/fail2ban/jail.local
  3. Look for the [sshd] jail and add the following:

    enabled = false
    • Example:

      [sshd]
      
      # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
      # normal (default), ddos, extra or aggressive (combines all).
      # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
      #mode   = normal
      port    = ssh
      logpath = %(sshd_log)s
      backend = %(sshd_backend)s
      enabled = false

      Tip

      We recommend setting the sshd jail to false. It's enabled by default when installing Fail2Ban, but it isn't relevant to Access Server web services. Enabling this could potentially lock you out of SSH access.

  4. Add the following configuration to the end of the file:

    [openvpnas]
    enabled = true
    filter = openvpnas
    logpath = /var/log/openvpnas.log
    maxretry = 3
    findtime = 600
    bantime = 3600
    action = iptables-multiport[name=OpenVPNAS, port="443,943", protocol=tcp]

    maxretry: The number of failed attempts before banning.

    findtime: The time window (in seconds) to count failed attempts.

    bantime: The duration (in seconds) of the ban.

    port: The ports where Access Server's web interfaces are available. By default, they're TCP ports 943 and 443.

  5. Save and exit (Ctrl+X, then Y, and press Enter).
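To see how the filter and jail settings above fit together before relying on them in production, here is an added example (not part of the tutorial or of Fail2Ban itself) that applies the two failregex lines from the 2.14.2/2.14.3 filter to constructed Access Server web log lines and replays them with the jail's maxretry and findtime to show which source would be banned. The `<HOST>` expansion is a simplified IPv4-only stand-in for Fail2Ban's real one, and the log lines are constructed samples.

```python
import re
from datetime import datetime

# failregex lines from the openvpnas.conf filter for Access Server 2.14.2/2.14.3
FAILREGEX = [
    r'"<HOST>" - - \[.*\] "GET /admin/\?login-failure=SW5jb3JyZWN0IGxvZ2luLg2 HTTP/1\.1"',
    r'"<HOST>" - - \[.*\] "POST /api/auth/login/userpassword HTTP/1\.1" (401|403)',
]
# Simplified stand-in for Fail2Ban's <HOST> expansion (IPv4 only; Fail2Ban also handles IPv6/hostnames)
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERNS = [re.compile(p.replace('<HOST>', HOST)) for p in FAILREGEX]
TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')

def match_failure(line):
    """Return the offending host if the line matches any failregex, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group('host')
    return None

def simulate_bans(lines, maxretry=3, findtime=600):
    """Replay log lines; return hosts that reach maxretry failures inside a findtime window."""
    failures = {}  # host -> timestamps (epoch seconds) of failures still inside the window
    banned = []
    for line in lines:
        host = match_failure(line)
        if host is None or host in banned:
            continue
        ts = datetime.strptime(TS.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z').timestamp()
        recent = [t for t in failures.get(host, []) if ts - t <= findtime]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample log lines (not real Access Server output)
SAMPLE_LOG = [
    # 203.0.113.10: three failures within ten seconds -> banned
    '"203.0.113.10" - - [24/Jul/2025:03:00:52 +0000] "GET /admin/?login-failure=SW5jb3JyZWN0IGxvZ2luLg2 HTTP/1.1" 200 3102',
    '"203.0.113.10" - - [24/Jul/2025:03:00:55 +0000] "POST /api/auth/login/userpassword HTTP/1.1" 401 58',
    '"203.0.113.10" - - [24/Jul/2025:03:01:02 +0000] "POST /api/auth/login/userpassword HTTP/1.1" 403 58',
    # 198.51.100.7: three failures spread over 15 minutes -> never three inside findtime, not banned
    '"198.51.100.7" - - [24/Jul/2025:03:00:00 +0000] "POST /api/auth/login/userpassword HTTP/1.1" 401 58',
    '"198.51.100.7" - - [24/Jul/2025:03:08:00 +0000] "POST /api/auth/login/userpassword HTTP/1.1" 401 58',
    '"198.51.100.7" - - [24/Jul/2025:03:15:00 +0000] "POST /api/auth/login/userpassword HTTP/1.1" 401 58',
    # a successful login (200) must not count as a failure
    '"198.51.100.7" - - [24/Jul/2025:03:16:00 +0000] "POST /api/auth/login/userpassword HTTP/1.1" 200 120',
]
```

On a live system the equivalent check is `fail2ban-regex /var/log/openvpnas.log /etc/fail2ban/filter.d/openvpnas.conf`, which reports how many lines the filter matches without banning anything.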

You can prevent specific IPs or networks from being banned using the ignoreip parameter.

  1. Edit the jail configuration:

    nano /etc/fail2ban/jail.local
  2. Add the ignoreip parameter under the [openvpnas] section:

    ignoreip = 198.51.100.0/24

    ignoreip: A list of IP addresses, CIDR masks, or DNS hosts, separated by spaces or commas.

  3. Save and exit (Ctrl+X, then Y, and press Enter).

  1. Enable Fail2Ban to start on boot and restart to apply the configuration:

    systemctl enable fail2ban
    systemctl restart fail2ban
  2. Verify the jail is active:

    fail2ban-client status
    • Example output:

      root@Jose-F2B-AS:~# fail2ban-client status
      Status
      |- Number of jail:	2
      `- Jail list:	openvpnas, sshd
  3. To check a specific jail:

    fail2ban-client status <jail>
    • Example output:

      root@Jose-F2B-AS:~# fail2ban-client status openvpnas
      Status for the jail: openvpnas
      |- Filter
      |  |- Currently failed:	0
      |  |- Total failed:	0
      |  `- File list:	/var/log/openvpnas.log
      `- Actions
         |- Currently banned:	0
         |- Total banned:	0
         `- Banned IP list:

If you accidentally block your own IP or a legitimate user, unban it with:

    fail2ban-client set <jail> unbanip <IP Address>

  1. You can review Fail2Ban logs for details on jail activity, bans, and matches:

    cat /var/log/fail2ban.log
    • Example output:

      root@F2B-AS:~# cat /var/log/fail2ban.log
      2025-07-24 03:00:15,532 fail2ban.server         [127066]: INFO    --------------------------------------------------
      2025-07-24 03:00:15,533 fail2ban.server         [127066]: INFO    Starting Fail2ban v1.0.2
      2025-07-24 03:00:15,533 fail2ban.observer       [127066]: INFO    Observer start...
      2025-07-24 03:00:15,540 fail2ban.database       [127066]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
      2025-07-24 03:00:15,541 fail2ban.jail           [127066]: INFO    Creating new jail 'openvpnas'
      2025-07-24 03:00:15,652 fail2ban.jail           [127066]: INFO    Jail 'openvpnas' uses pyinotify {}
      2025-07-24 03:00:15,655 fail2ban.jail           [127066]: INFO    Initiated 'pyinotify' backend
      2025-07-24 03:00:15,656 fail2ban.filter         [127066]: INFO      maxRetry: 3
      2025-07-24 03:00:15,656 fail2ban.filter         [127066]: INFO      findtime: 60
      2025-07-24 03:00:15,656 fail2ban.actions        [127066]: INFO      banTime: 3600
      2025-07-24 03:00:15,656 fail2ban.filter         [127066]: INFO      encoding: UTF-8
      2025-07-24 03:00:15,657 fail2ban.filter         [127066]: INFO    Added logfile: '/var/log/openvpnas.log' (pos = 848561, hash = 4b51ab4c9af2b90b1b2952c50a6f2eb4b521d62d)
      2025-07-24 03:00:15,658 fail2ban.jail           [127066]: INFO    Jail 'openvpnas' started
      2025-07-24 03:00:52,391 fail2ban.filter         [127066]: INFO    [openvpnas] Found 192.168.1.254 - 2025-07-24 03:00:52
      2025-07-24 03:00:53,994 fail2ban.filter         [127066]: INFO    [openvpnas] Found 192.168.1.254 - 2025-07-24 03:00:53
      2025-07-24 03:00:54,776 fail2ban.filter         [127066]: INFO    [openvpnas] Found 192.168.1.254 - 2025-07-24 03:00:54
      2025-07-24 03:00:54,876 fail2ban.actions        [127066]: NOTICE  [openvpnas] Ban 192.168.1.254
  2. To confirm iptables entries created by Fail2Ban:

    iptables-save -c | grep f2b-OpenVPNAS
    • Example output:

      root@Jose-F2B-AS:~# iptables-save -c | grep f2b-OpenVPNAS
      :f2b-OpenVPNAS - [0:0]
      [22:9108] -A INPUT -p tcp -m multiport --dports 443,943 -j f2b-OpenVPNAS
      [22:9108] -A f2b-OpenVPNAS -s 37.47.66.32/32 -j REJECT --reject-with icmp-port-unreachable
      [0:0] -A f2b-OpenVPNAS -j RETURN