How can I configure Win2ban for Windows Remote desktop/Network logons?

  • Protection of RDP/Network logins against brute force attacks is enabled by default.
  • Start the services win2ban_winlogbeat and win2ban_fail2ban.

 

Sample /var/log/fail2ban.log

2018-04-06 15:31:41,113 fail2ban.server         : INFO    Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail           : INFO    Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail           : INFO    Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail           : INFO    Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter         : INFO      maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server         : INFO    Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter         : INFO      maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter         : INFO      encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions        : INFO      banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter         : INFO      findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail           : INFO    Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail           : INFO    Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter         : INFO      maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter         : INFO      encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions        : INFO      banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter         : INFO      findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail           : INFO    Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions        : NOTICE   Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions        : NOTICE   Unban 192.168.122.13
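
To confirm from a log like the one above that the jails started and that bans are applied and lifted, the following added example (not part of Win2ban or fail2ban) parses the log and reports each ban. The sample lines are copied from the excerpt above; the optional bracketed PID and jail name in the pattern are an assumption to tolerate logs that carry them.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the fail2ban.log excerpt on this page.
SAMPLE = """\
2018-04-06 15:31:41,246 fail2ban.jail           : INFO    Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions        : NOTICE   Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions        : NOTICE   Unban 192.168.122.13
"""

# timestamp, logger, optional [pid] (assumed), level, optional [jail] (assumed), message
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+fail2ban\.\S+\s*"
                  r"(?:\[\d+\])?:\s+[A-Z]+\s+(?:\[[^\]]+\]\s+)?(?P<msg>.*)$")
EVENT = re.compile(r"^(?P<kind>Found|Ban|Unban)\s+(?P<ip>\S+)")
STARTED = re.compile(r"^Jail '(?P<jail>[^']+)' started$")

def summarize(text):
    """Return (started_jails, hosts); hosts maps IP -> found count and ban windows."""
    jails, hosts = [], {}
    for raw in text.splitlines():
        line = LINE.match(raw.rstrip())
        if not line:
            continue  # skip anything that is not a fail2ban log record
        when = datetime.strptime(line["ts"], "%Y-%m-%d %H:%M:%S,%f")
        started = STARTED.match(line["msg"])
        event = EVENT.match(line["msg"])
        if started:
            jails.append(started["jail"])
        elif event:
            host = hosts.setdefault(event["ip"], {"found": 0, "bans": []})
            if event["kind"] == "Found":
                host["found"] += 1
            elif event["kind"] == "Ban":
                host["bans"].append([when, None])  # ban still open
            elif host["bans"] and host["bans"][-1][1] is None:
                host["bans"][-1][1] = when  # Unban closes the latest open ban
    return jails, hosts

def report(text):
    """Return (jails, rows); each row is (ip, failures seen, ban seconds or None if open)."""
    jails, hosts = summarize(text)
    rows = []
    for ip, host in hosts.items():
        for banned, unbanned in host["bans"]:
            secs = (unbanned - banned).total_seconds() if unbanned else None
            rows.append((ip, host["found"], secs))
    return jails, rows

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample it reports both jails as started and one ban of 192.168.122.13 after two failures, lifted after about 597 seconds, in line with the banTime of 600 shown at startup. A row whose duration is None is an address that is still banned.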