win2ban Installation/Usage

Installation

Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016

win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run  the installer :

  1. Click Next at Welcome-page
  2. View license agreement.
  3. Specify an installation location.
  4. Select components to install. You can choose not to install Winlogbeat if there is no need for making eventlog entries available for processing via Fail2ban in your case.
  5. Installation starts and installs Fail2ban and optional Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat

Usage

Fail2ban configuration files are located at etc/fail2ban. You need to develop/implement your jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains ban/unban commands for the Windows firewall. It is also possible to configure the server using commands sent to it by fail2ban-client. A shell environment can be initiated by running win2ban-shell.cmd located at the root of the installation directory See also our FAQs for more examples:

 

A simple fail2ban example:

Log file tmp/test.log:

Problem: 1.2.3.4 2018-03-26 22:37:16
Problem: 1.2.3.4 2018-03-26 22:41:12
Problem: 5.6.7.8 2018-03-26 22:41:16

 

File etc/fail2ban/jail.local:

[DEFAULT]
maxretry = 1
findtime = 6000
bantime = 180
banaction = windows-firewall
backend = polling

[test]
enabled  = true
filter   = test
logpath  = /tmp/test.log

File etc/fail2ban/filter.d/test.local:

[Definition]
failregex   = ^Problem: <HOST>\s*$
ignoreregex =

 

Fail2ban log example (var/log/fail2ban.log):

2018-03-26 22:36:42,176 fail2ban.server         [3056]: INFO    --------------------------------------------------
2018-03-26 22:36:42,176 fail2ban.server         [3056]: INFO    Starting Fail2ban v0.10.2
2018-03-26 22:36:42,176 fail2ban.server         [3056]: INFO    Daemon started
2018-03-26 22:36:42,209 fail2ban.database       [3056]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-26 22:36:42,212 fail2ban.jail           [3056]: INFO    Creating new jail 'test'
2018-03-26 22:36:42,212 fail2ban.jail           [3056]: INFO    Jail 'test' uses poller {}
2018-03-26 22:36:42,213 fail2ban.jail           [3056]: INFO    Initiated 'polling' backend
2018-03-26 22:36:42,215 fail2ban.filter         [3056]: INFO    Added logfile: '/tmp/test.log' (pos = 761, hash = ab6aa4af41e46cc1dfbb26a99bc80bd0)
2018-03-26 22:36:42,216 fail2ban.filter         [3056]: INFO      maxRetry: 1
2018-03-26 22:36:42,216 fail2ban.filter         [3056]: INFO      encoding: UTF-8
2018-03-26 22:36:42,217 fail2ban.actions        [3056]: INFO      banTime: 180
2018-03-26 22:36:42,217 fail2ban.filter         [3056]: INFO      findtime: 6000
2018-03-26 22:36:42,220 fail2ban.jail           [3056]: INFO    Jail 'test' started
2018-03-26 22:37:28,483 fail2ban.filter         [3056]: INFO    [test] Found 1.2.3.4 - 2018-03-26 22:37:12
2018-03-26 22:37:28,483 fail2ban.filter         [3056]: INFO    [test] Found 1.2.3.4 - 2018-03-26 22:37:16
2018-03-26 22:37:29,220 fail2ban.actions        [3056]: NOTICE  [test] Ban 1.2.3.4
2018-03-26 22:40:16,358 fail2ban.actions        [3056]: NOTICE  [test] Unban 1.2.3.4
2018-03-26 22:42:07,750 fail2ban.filter         [3056]: INFO    [test] Found 1.2.3.4 - 2018-03-26 22:41:12
2018-03-26 22:42:07,750 fail2ban.filter         [3056]: INFO    [test] Found 5.6.7.8 - 2018-03-26 22:41:16
2018-03-26 22:42:07,766 fail2ban.actions        [3056]: NOTICE  [test] Ban 1.2.3.4
2018-03-26 22:42:07,891 fail2ban.actions        [3056]: NOTICE  [test] Ban 5.6.7.8
2018-03-26 22:44:13,826 fail2ban.actions        [3056]: NOTICE  [test] Unban 1.2.3.4
2018-03-26 22:44:18,041 fail2ban.actions        [3056]: NOTICE  [test] Unban 5.6.7.8
2018-03-27 00:01:10,808 fail2ban.server         [3056]: INFO    Shutdown in progress...
2018-03-27 00:01:10,808 fail2ban.server         [3056]: INFO    Stopping all jails
2018-03-27 00:01:10,808 fail2ban.filter         [3056]: INFO    Removed logfile: '/tmp/test.log'
2018-03-27 00:01:11,245 fail2ban.jail           [3056]: INFO    Jail 'test' stopped
2018-03-27 00:01:11,245 fail2ban.database       [3056]: INFO    Connection to database closed.
2018-03-27 00:01:11,245 fail2ban.server         [3056]: INFO    Exiting Fail2ban
2018-03-27 09:00:07,232 fail2ban.server         [3692]: INFO    --------------------------------------------------

 

If you have selected to install winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to output event log entries last 72 hours from application, system and security eventlogs, to the logfile winlogbeat\logs\eventlog with the following format:

string: '%{[@timestamp]} %{[event_id]} %{[message]}'

 example output:

2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.

 

 Some good references for fail2ban/winlogbeat usage: 

Official Fail2ban Website

Man pages: fail2ban    jail.conf    fail2ban-client    fail2ban-regex    fail2ban-server

Linode.com - Use Fail2ban to Secure Your Server

 Winlogbeat reference