win2ban Installation/Usage
Installation
Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016
win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run the installer:
- Click Next on the Welcome page.
- Review the license agreement.
- Specify an installation location.
- Select the components to install. You can choose not to install Winlogbeat if you have no need to make event log entries available to Fail2ban for processing.
- Installation starts and installs Fail2ban and, optionally, Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat).
Usage
Fail2ban configuration files are located at etc/fail2ban. You need to develop and implement your jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains the ban/unban commands for the Windows firewall. It is also possible to configure the running server with commands sent to it by fail2ban-client. A shell environment can be started by running win2ban-shell.cmd, located at the root of the installation directory. See also our FAQs for more examples:
- How can I configure Win2ban for Windows Remote Desktop/Network logons?
- How can I configure Win2ban for brute force attacks against Copssh?
A simple fail2ban example:
Log file tmp/test.log (relative to the installation directory; the jail refers to it as /tmp/test.log):
Problem: 1.2.3.4 2018-03-26 22:37:16
Problem: 1.2.3.4 2018-03-26 22:41:12
Problem: 5.6.7.8 2018-03-26 22:41:16

File etc/fail2ban/jail.local (the jail is named 'test', so its settings go in a [test] section):
[test]
maxretry = 1
findtime = 6000
bantime = 180
banaction = windows-firewall
backend = polling
enabled = true
filter = test
logpath = /tmp/test.log

File etc/fail2ban/filter.d/test.local (filter definitions live in the [Definition] section):
[Definition]
failregex = ^Problem: <HOST>\s*$
ignoreregex =
Fail2ban log example (var/log/fail2ban.log):
2018-03-26 22:36:42,176 fail2ban.server : INFO --------------------------------------------------
2018-03-26 22:36:42,176 fail2ban.server : INFO Starting Fail2ban v0.10.2
2018-03-26 22:36:42,176 fail2ban.server : INFO Daemon started
2018-03-26 22:36:42,209 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-26 22:36:42,212 fail2ban.jail : INFO Creating new jail 'test'
2018-03-26 22:36:42,212 fail2ban.jail : INFO Jail 'test' uses poller {}
2018-03-26 22:36:42,213 fail2ban.jail : INFO Initiated 'polling' backend
2018-03-26 22:36:42,215 fail2ban.filter : INFO Added logfile: '/tmp/test.log' (pos = 761, hash = ab6aa4af41e46cc1dfbb26a99bc80bd0)
2018-03-26 22:36:42,216 fail2ban.filter : INFO maxRetry: 1
2018-03-26 22:36:42,216 fail2ban.filter : INFO encoding: UTF-8
2018-03-26 22:36:42,217 fail2ban.actions : INFO banTime: 180
2018-03-26 22:36:42,217 fail2ban.filter : INFO findtime: 6000
2018-03-26 22:36:42,220 fail2ban.jail : INFO Jail 'test' started
2018-03-26 22:37:28,483 fail2ban.filter : INFO Found 1.2.3.4 - 2018-03-26 22:37:12
2018-03-26 22:37:28,483 fail2ban.filter : INFO Found 1.2.3.4 - 2018-03-26 22:37:16
2018-03-26 22:37:29,220 fail2ban.actions : NOTICE Ban 1.2.3.4
2018-03-26 22:40:16,358 fail2ban.actions : NOTICE Unban 1.2.3.4
2018-03-26 22:42:07,750 fail2ban.filter : INFO Found 1.2.3.4 - 2018-03-26 22:41:12
2018-03-26 22:42:07,750 fail2ban.filter : INFO Found 5.6.7.8 - 2018-03-26 22:41:16
2018-03-26 22:42:07,766 fail2ban.actions : NOTICE Ban 1.2.3.4
2018-03-26 22:42:07,891 fail2ban.actions : NOTICE Ban 5.6.7.8
2018-03-26 22:44:13,826 fail2ban.actions : NOTICE Unban 1.2.3.4
2018-03-26 22:44:18,041 fail2ban.actions : NOTICE Unban 5.6.7.8
2018-03-27 00:01:10,808 fail2ban.server : INFO Shutdown in progress...
2018-03-27 00:01:10,808 fail2ban.server : INFO Stopping all jails
2018-03-27 00:01:10,808 fail2ban.filter : INFO Removed logfile: '/tmp/test.log'
2018-03-27 00:01:11,245 fail2ban.jail : INFO Jail 'test' stopped
2018-03-27 00:01:11,245 fail2ban.database : INFO Connection to database closed.
2018-03-27 00:01:11,245 fail2ban.server : INFO Exiting Fail2ban
2018-03-27 09:00:07,232 fail2ban.server : INFO --------------------------------------------------
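To make the jail's behaviour concrete, here is an added Python model (written for this page, not code from win2ban or Fail2ban) that replays the three test.log lines above through the jail.local parameters and the test.local failregex; it reproduces the Ban/Unban sequence of the log above and shows that the unban time is counted from the failure's own timestamp, not from when the poller noticed it. The date-stripping and findtime windowing are a simplification of fail2ban's real engine, assumed here for illustration only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the three lines of tmp/test.log shown on this page.
TEST_LOG = """Problem: 1.2.3.4 2018-03-26 22:37:16
Problem: 1.2.3.4 2018-03-26 22:41:12
Problem: 5.6.7.8 2018-03-26 22:41:16
"""
MAXRETRY, FINDTIME, BANTIME = 1, 6000, 180  # values from the jail.local example above
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# failregex from filter.d/test.local; fail2ban expands <HOST> to a capturing group.
FAILREGEX = re.compile(r"^Problem: (?P<host>\S+)\s*$")

def parse_line(line):
    """Return (timestamp, host) or None. As fail2ban does, the timestamp is cut
    out of the line before the rest is matched, so '\\s*$' after <HOST> fits."""
    m = DATE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")
    fm = FAILREGEX.match(line[:m.start()] + line[m.end():])
    return (ts, fm.group("host")) if fm else None

def run_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log; return [(time, 'Ban'|'Unban', host)] in order.
    Simplified fail2ban semantics (assumed): ban at maxretry failures inside
    findtime seconds, the ban expires bantime seconds after the triggering
    failure, and failures from an already banned host trigger nothing."""
    failures, banned, events = {}, {}, []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        for h, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= ts:  # bantime elapsed before this failure was seen
                events.append((until, "Unban", h))
                del banned[h]
        if host in banned:
            continue
        window = [t for t in failures.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            failures[host] = []
            events.append((ts, "Ban", host))
    for h, until in sorted(banned.items(), key=lambda kv: kv[1]):
        events.append((until, "Unban", h))  # bans still active at end of log
    return events
```

Running run_jail(TEST_LOG) yields Ban 1.2.3.4, Unban 1.2.3.4 (22:40:16), Ban 1.2.3.4, Ban 5.6.7.8, Unban 1.2.3.4, Unban 5.6.7.8, the same order as the log above; with maxretry=2 only 1.2.3.4 is banned, on its second failure.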
If you selected to install Winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to write the event log entries of the last 72 hours from the Application, System and Security event logs to the log file winlogbeat\logs\eventlog, in the following format:
string: '%{} %{} %{}'
Example output:
2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.
Some good references for Fail2ban/Winlogbeat usage:
Man pages: fail2ban, jail.conf, fail2ban-client, fail2ban-regex, fail2ban-server
Linode.com - Use Fail2ban to Secure Your Server