Tutorial: Protect the Admin and Client Web UIs from Brute-Force Attacks with Fail2Ban
How to install and configure Fail2Ban to protect Access Server's Admin and Client Web UIs from brute-force attacks.
Overview
Fail2Ban is a security tool that protects servers from brute-force attacks by monitoring log files for suspicious activity, such as repeated failed login attempts, and blocking offending IP addresses. Access Server includes a built-in protection feature called the Authentication Failure Lockout Policy, which automatically triggers a lockout after a set number of failed login attempts within a defined timeframe. Using Fail2Ban in addition to this built-in feature provides an extra layer of defense, particularly against distributed or large-scale attacks targeting your Access Server web interfaces.
This tutorial explains how to install and configure Fail2Ban to protect Access Server's Admin and Client Web UIs.
Prerequisites
An installed Access Server.
Console access with the ability to get root privileges.
Connect to the console.
Run the appropriate command to install Fail2Ban on your Linux OS:
For Ubuntu or Debian systems: Update package repositories and install Fail2Ban:
sudo su
apt update && apt install fail2ban -y
For Red Hat Enterprise Linux (RHEL) systems: Install the EPEL (Extra Packages for Enterprise Linux) repository and Fail2Ban:
sudo su
dnf install epel-release -y
dnf install fail2ban -y
Create the filter file:
nano /etc/fail2ban/filter.d/openvpnas.conf
Add the following content:
[Definition]
failregex = "<HOST>" - - \[.*\] "POST /api/auth/login/userpassword HTTP/1\.1" (401|403)
ignoreregex =
Save and exit (Ctrl+X, then Y, and press Enter).
Copy the default configuration from jail.conf into a new file called jail.local:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the jail.local configuration file:
nano /etc/fail2ban/jail.local
Look for the [sshd] jail and add the following:
enabled = false
Example:
[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = false
Tip
We recommend setting the sshd jail to false. It's enabled by default when installing Fail2Ban, but it isn't relevant to Access Server web services. Enabling this could potentially lock you out of SSH access.
Add the following configuration to the end of the file:
[openvpnas]
enabled = true
filter = openvpnas
logpath = /var/log/openvpnas.log
maxretry = 3
findtime = 60
bantime = 3600
action = iptables-multiport[name=OpenVPNAS, port="443,943", protocol=tcp]
Save and exit (Ctrl+X, then Y, and press Enter).
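Before relying on the filter and jail above, it helps to see how the failregex matches a log line and how maxretry and findtime interact. The following Python script is an added example (not part of this tutorial and not Fail2Ban's own code): it applies the tutorial's failregex to a few constructed log lines and emulates the jail's counting. It assumes IPv4 client addresses and a "[DD/Mon/YYYY HH:MM:SS]" timestamp inside the brackets, neither of which the failregex itself requires. To test the real filter against your real log, use Fail2Ban's own tool: fail2ban-regex /var/log/openvpnas.log /etc/fail2ban/filter.d/openvpnas.conf

```python
import re
from datetime import datetime

# failregex from the tutorial's /etc/fail2ban/filter.d/openvpnas.conf. Fail2Ban
# expands the <HOST> tag into its own host-matching group; this example stands
# in a named IPv4 group for it (assumption: IPv4 clients only).
FAILREGEX = r'"<HOST>" - - \[.*\] "POST /api/auth/login/userpassword HTTP/1\.1" (401|403)'
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# The failregex accepts any bracketed timestamp. Emulating findtime needs the
# actual time, so this example assumes a "[DD/Mon/YYYY HH:MM:SS]" form.
TIMESTAMP = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]')
TIMESTAMP_FMT = '%d/%b/%Y %H:%M:%S'

# Constructed sample log (not real Access Server output): one client fails
# three times in three seconds, another fails three times spread over two
# minutes with a successful login and an unrelated GET in between.
SAMPLE_LOG = '''\
"10.0.0.5" - - [24/Jul/2025 03:00:10] "POST /api/auth/login/userpassword HTTP/1.1" 401 -
"10.0.0.5" - - [24/Jul/2025 03:00:11] "POST /api/auth/login/userpassword HTTP/1.1" 200 -
"192.168.1.254" - - [24/Jul/2025 03:00:52] "POST /api/auth/login/userpassword HTTP/1.1" 401 -
"192.168.1.254" - - [24/Jul/2025 03:00:53] "POST /api/auth/login/userpassword HTTP/1.1" 403 -
"192.168.1.254" - - [24/Jul/2025 03:00:54] "POST /api/auth/login/userpassword HTTP/1.1" 401 -
"10.0.0.5" - - [24/Jul/2025 03:02:00] "GET /admin/ HTTP/1.1" 200 -
"10.0.0.5" - - [24/Jul/2025 03:02:05] "POST /api/auth/login/userpassword HTTP/1.1" 401 -
"10.0.0.5" - - [24/Jul/2025 03:02:30] "POST /api/auth/login/userpassword HTTP/1.1" 403 -
'''


def match_failure(line):
    """Return (host, timestamp) when the line is a failed web login, else None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    ts = TIMESTAMP.search(line)
    if ts is None:
        return None  # matched the failregex but not our assumed time format
    return m.group('host'), datetime.strptime(ts.group(1), TIMESTAMP_FMT)


def find_bans(log_text, maxretry=3, findtime=60):
    """Emulate the jail counters: a host is banned once it has maxretry
    failures inside any findtime-second window. Returns {host: time of the
    failure that triggered the ban}."""
    recent = {}   # host -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None:
            continue
        host, when = hit
        if host in bans:
            continue  # already banned; later attempts would be rejected by iptables
        window = [t for t in recent.get(host, [])
                  if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = when
    return bans


if __name__ == '__main__':
    for host, when in find_bans(SAMPLE_LOG).items():
        print('would ban %s at %s' % (host, when))
```

With the tutorial's values (maxretry = 3, findtime = 60) only 192.168.1.254 is banned, at the third failure, which is the same sequence the Fail2Ban log excerpt later in this tutorial shows. The second client never accumulates three failures inside one 60-second window; lowering maxretry to 2 or raising findtime to 600 bans it as well, which is the trade-off to keep in mind when tuning the jail.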
Note
When Access Server is configured to use more than one TCP daemon, it creates additional iptables port-forwarding rules in the INPUT chain. These rules are evaluated before the iptables rules created by Fail2Ban.
As a result, a client that has been banned by Fail2Ban may still be able to access the Admin or Client Web UI (for example, over TCP 443), because the connection is internally redirected to daemon-specific ports before Fail2Ban can block it.
For example, if two TCP daemons are configured:
root@openvpnas:~# sacli ConfigQuery | grep daemon.tcp.n
"vpn.server.daemon.tcp.n_daemons": "2",
Access Server adds rules similar to the following to the INPUT chain (output simplified):
root@openvpnas:~# iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 645 packets, 34857 bytes)
 pkts bytes target     prot opt in     out     source               destination
 . . .
 3973  207K AS0_ACCEPT 6    --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:914
 1782 93032 AS0_ACCEPT 6    --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:915
To ensure Fail2Ban correctly blocks access, include all relevant ports (including daemon-specific ports) in the jail action configuration. For example:
action = iptables-multiport[name=OpenVPNAS, port="443,943,914,915", protocol=tcp]
The port numbers and number of ports vary depending on how many TCP daemons are configured. Ensure you adjust the port list accordingly.
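Because the daemon port numbers and their count depend on the server's configuration, it is easy to miss one when writing the action line by hand. The following Python script is an added example (not part of this tutorial or of Access Server) that reads an "iptables -L INPUT -v -n" listing, collects the TCP ports accepted by the AS0_ACCEPT rules, and prints the matching action line with the web ports 443 and 943 first. The embedded listing is a constructed stand-in modelled on the simplified output above; run it against a live system with: iptables -L INPUT -v -n | python3 this_script.py

```python
import re
import sys

# Constructed stand-in for `iptables -L INPUT -v -n` output, modelled on the
# simplified listing in the note above (two TCP daemons on 914 and 915). The
# repeated 914 rule and the UDP rule are there only to show that duplicates
# are collapsed and non-TCP rules are ignored.
SAMPLE_INPUT_CHAIN = '''\
Chain INPUT (policy ACCEPT 645 packets, 34857 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3973  207K AS0_ACCEPT 6    --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:914
 1782 93032 AS0_ACCEPT 6    --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:915
   10   600 AS0_ACCEPT 6    --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:914
   50  2800 AS0_ACCEPT 17   --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
'''

# Only TCP rules matter: the jail action is declared with protocol=tcp.
DAEMON_RULE = re.compile(r'\bAS0_ACCEPT\b.*\btcp dpt:(\d+)\b')
WEB_PORTS = (443, 943)   # the ports the tutorial's action already lists


def daemon_ports(chain_listing):
    """TCP ports accepted by Access Server's AS0_ACCEPT rules, in order, without duplicates."""
    ports = []
    for line in chain_listing.splitlines():
        m = DAEMON_RULE.search(line)
        if m and int(m.group(1)) not in ports:
            ports.append(int(m.group(1)))
    return ports


def jail_action(chain_listing, web_ports=WEB_PORTS, name='OpenVPNAS'):
    """Build the jail's action line: web ports first, then every daemon port."""
    ports = list(web_ports) + [p for p in daemon_ports(chain_listing) if p not in web_ports]
    return 'action = iptables-multiport[name=%s, port="%s", protocol=tcp]' % (
        name, ','.join(str(p) for p in ports))


if __name__ == '__main__':
    # Read a live listing from a pipe; fall back to the constructed sample otherwise.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INPUT_CHAIN
    print(jail_action(listing))
```

Re-run it whenever you change the number of TCP daemons, and restart Fail2Ban afterwards so the f2b-OpenVPNAS chain is recreated with the new port list.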
You can prevent specific IPs or networks from being banned using the ignoreip parameter.
Enable Fail2Ban to start on boot and restart to apply the configuration:
systemctl enable fail2ban
systemctl restart fail2ban
Verify the jail is active:
fail2ban-client status
Example output:
root@Jose-F2B-AS:~# fail2ban-client status
Status
|- Number of jail:	2
`- Jail list:	openvpnas, sshd
To check a specific jail:
fail2ban-client status <jail>
Example output:
root@Jose-F2B-AS:~# fail2ban-client status openvpnas
Status for the jail: openvpnas
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/openvpnas.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:
If you accidentally block your own IP or a legitimate user, unban it with:
fail2ban-client set <jail> unbanip <IP Address>
You can review Fail2Ban logs for details on jail activity, bans, and matches:
cat /var/log/fail2ban.log
Example output:
root@F2B-AS:~# cat /var/log/fail2ban.log
2025-07-24 03:00:15,532 fail2ban.server [127066]: INFO --------------------------------------------------
2025-07-24 03:00:15,533 fail2ban.server [127066]: INFO Starting Fail2ban v1.0.2
2025-07-24 03:00:15,533 fail2ban.observer [127066]: INFO Observer start...
2025-07-24 03:00:15,540 fail2ban.database [127066]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2025-07-24 03:00:15,541 fail2ban.jail [127066]: INFO Creating new jail 'openvpnas'
2025-07-24 03:00:15,652 fail2ban.jail [127066]: INFO Jail 'openvpnas' uses pyinotify {}
2025-07-24 03:00:15,655 fail2ban.jail [127066]: INFO Initiated 'pyinotify' backend
2025-07-24 03:00:15,656 fail2ban.filter [127066]: INFO maxRetry: 3
2025-07-24 03:00:15,656 fail2ban.filter [127066]: INFO findtime: 60
2025-07-24 03:00:15,656 fail2ban.actions [127066]: INFO banTime: 3600
2025-07-24 03:00:15,656 fail2ban.filter [127066]: INFO encoding: UTF-8
2025-07-24 03:00:15,657 fail2ban.filter [127066]: INFO Added logfile: '/var/log/openvpnas.log' (pos = 848561, hash = 4b51ab4c9af2b90b1b2952c50a6f2eb4b521d62d)
2025-07-24 03:00:15,658 fail2ban.jail [127066]: INFO Jail 'openvpnas' started
2025-07-24 03:00:52,391 fail2ban.filter [127066]: INFO [openvpnas] Found 192.168.1.254 - 2025-07-24 03:00:52
2025-07-24 03:00:53,994 fail2ban.filter [127066]: INFO [openvpnas] Found 192.168.1.254 - 2025-07-24 03:00:53
2025-07-24 03:00:54,776 fail2ban.filter [127066]: INFO [openvpnas] Found 192.168.1.254 - 2025-07-24 03:00:54
2025-07-24 03:00:54,876 fail2ban.actions [127066]: NOTICE [openvpnas] Ban 192.168.1.254
To confirm iptables entries created by Fail2Ban:
iptables-save -c | grep f2b-OpenVPNAS
Example output:
root@Jose-F2B-AS:~# iptables-save -c | grep f2b-OpenVPNAS
:f2b-OpenVPNAS - [0:0]
[22:9108] -A INPUT -p tcp -m multiport --dports 443,943 -j f2b-OpenVPNAS
[22:9108] -A f2b-OpenVPNAS -s 37.47.66.32/32 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A f2b-OpenVPNAS -j RETURN