Win2ban FAQs
How to handle large log files effectively?
Append the option tail to the logpath parameter of your jail definition. Win2ban will then start reading from the end of the file instead of from the beginning. See the Fail2ban jail.conf man page (https://www.systutorials.com/docs/linux/man/5-jail.conf) and search for tail for more information.
How can I configure Win2ban for Windows Remote desktop/Network logons?
- Install Win2ban to a separate directory
- Locate the win2ban.yml file in the winlogbeat directory and make sure that the event log shipper is configured to ship the related events (Security log, event id 4625):
    - name: Security
      ignore_older: 72h
      event_id: 4625
- Add the jail win2ban-network-logon to etc/fail2ban/jail.local:
  [win2ban-network-logon]
  backend = polling
  maxretry = 2
  findtime = 600
  bantime = 600
  banaction = windows-firewall
  .....
  enabled = true
  filter = win2ban-network-logon
  logpath = /winlogbeat/logs/eventlog
- Create the file etc/fail2ban/filter.d/win2ban-network-logon.local with the following content:
  # Fail2Ban filter for win2ban-network-logon
  [Definition]
  prefregex = ^ \d+ \{"AuthenticationPackageName":"NTLM".+<F-CONTENT>"IpAddress.+</F-CONTENT>\}$
  # LogonType = 3: network logon, 2: local (interactive) logon
  failregex = ^"IpAddress":"<HOST>".+"LogonType":"3".+$
  ignoreregex =
- Start services win2ban_winlogbeat and win2ban_fail2ban
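As an added example (not part of Win2ban or this FAQ), the following Python replays constructed eventlog lines through the filter's prefregex/failregex and the jail's maxretry/findtime/bantime settings, so you can check what the filter counts before enabling it. The line layout after the date and the IPv4-only stand-in for fail2ban's <HOST> pattern are assumptions.

```python
import re
from datetime import datetime, timedelta

# Regexes copied from the win2ban-network-logon filter above. Fail2ban strips the
# date itself (datepattern); DATE_RE stands in for that step here.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
PREFREGEX = re.compile(r'^ \d+ \{"AuthenticationPackageName":"NTLM".+'
                       r'(?P<content>"IpAddress.+)\}$')   # <F-CONTENT>...</F-CONTENT>
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'   # simplified <HOST>: IPv4 only (assumption)
FAILREGEX = re.compile(r'^"IpAddress":"' + HOST + r'".+"LogonType":"3".+$')
MAXRETRY, FINDTIME, BANTIME = 2, 600, 600     # jail values from jail.local above

# Constructed eventlog lines in the shape the regexes expect (not real winlogbeat output).
SAMPLE = [
    '2018-04-06 15:32:29 4625 {"AuthenticationPackageName":"NTLM","IpAddress":"192.168.122.13","LogonType":"3","WorkstationName":"PC1"}',
    '2018-04-06 15:32:33 4625 {"AuthenticationPackageName":"NTLM","IpAddress":"192.168.122.13","LogonType":"2","WorkstationName":"PC1"}',
    '2018-04-06 15:32:36 4625 {"AuthenticationPackageName":"NTLM","IpAddress":"192.168.122.13","LogonType":"3","WorkstationName":"PC1"}',
    '2018-04-06 15:50:00 4625 {"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.7","LogonType":"3","WorkstationName":"PC2"}',
]


def match_failure(line):
    """Return (timestamp, host) for a failed network logon line, else None."""
    dm = DATE_RE.match(line)
    pm = dm and PREFREGEX.match(line[dm.end():])
    fm = pm and FAILREGEX.match(pm.group("content"))
    if not fm:
        return None   # no date, wrong shape, or LogonType != 3 (local logons are not counted)
    return datetime.strptime(dm.group(1), "%Y-%m-%d %H:%M:%S"), fm.group("host")


def simulate(lines):
    """Replay lines through the jail's maxretry/findtime/bantime logic; return (time, host) bans."""
    failures, banned_until, bans = {}, {}, []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        when, host = hit
        if banned_until.get(host, when) > when:
            continue      # still banned: nothing new to count
        window = timedelta(seconds=FINDTIME)
        recent = [t for t in failures.get(host, []) if when - t <= window] + [when]
        failures[host] = recent
        if len(recent) >= MAXRETRY:
            bans.append((when.strftime("%Y-%m-%d %H:%M:%S"), host))
            banned_until[host] = when + timedelta(seconds=BANTIME)
            failures[host] = []
    return bans
```

With these inputs the second line (LogonType 2) is ignored and the two LogonType 3 failures from 192.168.122.13 within findtime trigger a ban, matching the Found/Ban sequence in the sample fail2ban.log.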
Log files:
Winlogbeat - winlogbeat/logs directory
Fail2ban - var/log directory
Sample /var/log/fail2ban.log:
2018-04-06 15:31:41,113 fail2ban.server : INFO Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail : INFO Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail : INFO Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail : INFO Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter : INFO maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server : INFO Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter : INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter : INFO maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter : INFO encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions : INFO banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter : INFO findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail : INFO Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail : INFO Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail : INFO Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter : INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter : INFO maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter : INFO encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions : INFO banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter : INFO findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail : INFO Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail : INFO Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter : INFO Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter : INFO Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions : NOTICE Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions : NOTICE Unban 192.168.122.13
How can I configure Win2ban for brute force attacks against Copssh?
- Install Win2ban to a separate directory
- Enable jail copssh in etc/fail2ban/jail.local:
  [copssh]
  backend = polling
  maxretry = 2
  findtime = 600
  bantime = 600
  banaction = windows-firewall
  enabled = true
  filter = copssh-sshd
  logpath = /winlogbeat/logs/eventlog
- Start services win2ban_winlogbeat and win2ban_fail2ban
Log files:
Winlogbeat - winlogbeat/logs directory
Fail2ban - var/log directory
Sample /var/log/fail2ban.log:
2018-04-05 23:54:28,411 fail2ban.server : INFO --------------------------------------------------
2018-04-05 23:54:28,411 fail2ban.server : INFO Starting Fail2ban v0.10.2
2018-04-05 23:54:28,442 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-05 23:54:28,446 fail2ban.jail : INFO Creating new jail 'copssh'
2018-04-05 23:54:28,447 fail2ban.jail : INFO Jail 'copssh' uses poller {}
2018-04-05 23:54:28,447 fail2ban.jail : INFO Initiated 'polling' backend
2018-04-05 23:54:28,448 fail2ban.filter : INFO maxLines: 1
2018-04-05 23:54:28,467 fail2ban.server : INFO Jail copssh is not a JournalFilter instance
2018-04-05 23:54:28,468 fail2ban.filter : INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 19020, hash = c54619552ccd10f356c0810faec6cdba)
2018-04-05 23:54:28,468 fail2ban.filter : INFO maxRetry: 2
2018-04-05 23:54:28,469 fail2ban.filter : INFO encoding: UTF-8
2018-04-05 23:54:28,469 fail2ban.actions : INFO banTime: 600
2018-04-05 23:54:28,470 fail2ban.filter : INFO findtime: 600
2018-04-05 23:54:28,472 fail2ban.jail : INFO Jail 'copssh' started
2018-04-05 23:55:20,525 fail2ban.filter : INFO Found 192.168.122.13 - 2018-04-05 23:55:19
2018-04-05 23:55:23,787 fail2ban.filter : INFO Found 192.168.122.13 - 2018-04-05 23:55:22
2018-04-05 23:55:23,953 fail2ban.actions : NOTICE Ban 192.168.122.13
2018-04-05 23:58:22,875 fail2ban.actions : NOTICE Unban 192.168.122.13
2018-04-06 00:54:57,531 fail2ban.server : INFO Shutdown in progress...
2018-04-06 00:54:57,531 fail2ban.server : INFO Stopping all jails
2018-04-06 00:54:57,532 fail2ban.filter : INFO Removed logfile: '/winlogbeat/logs/eventlog'
2018-04-06 00:54:58,328 fail2ban.jail : INFO Jail 'copssh' stopped
2018-04-06 00:54:58,332 fail2ban.database : INFO Connection to database closed.
2018-04-06 00:54:58,333 fail2ban.server : INFO Exiting Fail2ban
Comments
x86 Version?
Hi,
I just bought win2ban, but it seems there is only an x64 version to download, which is a big surprise, as I need the software on an x86 Windows 10 system.
I suppose there is no x86-based version?
Regards,
Chris Heldeis