# Fail2Ban filter for SoftEtherVPN # Detecting unauthorized access to SoftEtherVPN # typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration [INCLUDES] before = common.conf [Definition] failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?<SECURITY_LOG>: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "<F-USER>(?:[^"]+|.+)</F-USER>", from <ADDR>\.$