How can I configure Win2ban for Windows Remote desktop/Network logons?

  • Install Win2ban to a separate directory  
  • Add the jail win2ban-network-logon  to etc/fail2ban/jail.local
[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall

.....

[win2ban-network-logon]
enabled  = true
filter   = win2ban-network-logon
logpath  = /winlogbeat/logs/eventlog

  

  • Create the file etc/fail2ban/filter.d/win2ban-network-logon.local with the following content: 
# Fail2Ban filter for win2ban-network-logon

[Definition]
prefregex = ^ \d+ \{"AuthenticationPackageName":"NTLM".+<F-CONTENT>"IpAddress.+</F-CONTENT>\}$

# LogonType = 3: network login, 2: local login
failregex = ^"IpAddress":"<HOST>".+"LogonType":"3".+$

ignoreregex = 

 

  • Start services win2ban_winlogbeat and win2ban_fail2ban

Log files:

Winlogbeat - winlogbeat/logs directory

Fail2ban - var/log directory

Sample /var/log/fail2ban.log:

 

2018-04-06 15:31:41,113 fail2ban.server         [4040]: INFO    Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database       [4040]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail           [4040]: INFO    Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail           [4040]: INFO    Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail           [4040]: INFO    Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter         [4040]: INFO      maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server         [4040]: INFO    Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter         [4040]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter         [4040]: INFO      maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter         [4040]: INFO      encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions        [4040]: INFO      banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter         [4040]: INFO      findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter         [4040]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter         [4040]: INFO      maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter         [4040]: INFO      encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions        [4040]: INFO      banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter         [4040]: INFO      findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail           [4040]: INFO    Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail           [4040]: INFO    Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter         [4040]: INFO    [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter         [4040]: INFO    [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions        [4040]: NOTICE  [win2ban-network-logon] Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions        [4040]: NOTICE  [win2ban-network-logon] Unban 192.168.122.13