Frequently Asked Questions - win2ban
- Install Win2ban to a separate directory
- Add the jail win2ban-network-logon to etc/fail2ban/jail.local:
[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall
.....
[win2ban-network-logon]
enabled = true
filter = win2ban-network-logon
logpath = /winlogbeat/logs/eventlog
- Create the file etc/fail2ban/filter.d/win2ban-network-logon.local with the following content:
# Fail2Ban filter for win2ban-network-logon
[Definition]
prefregex = ^ \d+ \{"AuthenticationPackageName":"NTLM".+<F-CONTENT>"IpAddress.+</F-CONTENT>\}$
# LogonType = 3: network login, 2: local login
failregex = ^"IpAddress":"<HOST>".+"LogonType":"3".+$
ignoreregex =
- Start services win2ban_winlogbeat and win2ban_fail2ban
Log files:
Winlogbeat - winlogbeat/logs directory
Fail2ban - var/log directory
Sample /var/log/fail2ban.log:
2018-04-06 15:31:41,113 fail2ban.server [4040]: INFO Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database [4040]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail [4040]: INFO Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail [4040]: INFO Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail [4040]: INFO Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter [4040]: INFO maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server [4040]: INFO Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter [4040]: INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter [4040]: INFO maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter [4040]: INFO encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions [4040]: INFO banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter [4040]: INFO findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail [4040]: INFO Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail [4040]: INFO Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail [4040]: INFO Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter [4040]: INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter [4040]: INFO maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter [4040]: INFO encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions [4040]: INFO banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter [4040]: INFO findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail [4040]: INFO Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail [4040]: INFO Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter [4040]: INFO [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter [4040]: INFO [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions [4040]: NOTICE [win2ban-network-logon] Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions [4040]: NOTICE [win2ban-network-logon] Unban 192.168.122.13
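To see why the jail above produces exactly two "Found" lines and then a "Ban", the following script replays the win2ban-network-logon filter and the maxretry/findtime settings over constructed eventlog lines. It is an added example, not code from the win2ban project: the prefregex and failregex are the ones from the filter file above with fail2ban's <F-CONTENT> and <HOST> placeholders expanded into Python named groups, while the exact winlogbeat line layout (a "YYYY-mm-dd HH:MM:SS" timestamp, a numeric field, then the JSON object), the EventID field and the sample addresses are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two expressions from etc/fail2ban/filter.d/win2ban-network-logon.local,
# with fail2ban's <F-CONTENT>...</F-CONTENT> and <HOST> placeholders expanded
# into ordinary Python named groups so the same logic runs stand-alone.
PREFREGEX = re.compile(
    r'^ \d+ \{"AuthenticationPackageName":"NTLM".+(?P<content>"IpAddress.+)\}$'
)
FAILREGEX = re.compile(
    r'^"IpAddress":"(?P<host>\d{1,3}(?:\.\d{1,3}){3})".+"LogonType":"3".+$'
)
# Assumption: each eventlog line starts with a "YYYY-mm-dd HH:MM:SS" timestamp
# that fail2ban strips before prefregex runs (which is why prefregex begins
# with a space). The real winlogbeat layout may differ.
DATE_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')

# Jail settings from the jail.local snippet above.
MAXRETRY = 2
FINDTIME = timedelta(seconds=600)


def match_failure(line):
    """Return (timestamp, host) if the line is a failed NTLM network logon,
    mirroring fail2ban's date -> prefregex -> failregex pipeline; else None."""
    d = DATE_RE.match(line)
    if not d:
        return None
    rest = line[d.end():]          # what prefregex sees: " 4625 {...}"
    pre = PREFREGEX.match(rest)
    if not pre:
        return None                # e.g. a Kerberos event, or not a logon event
    fail = FAILREGEX.match(pre.group('content'))
    if not fail:
        return None                # e.g. LogonType 2 (local logon), ignored
    ts = datetime.strptime(d.group('date'), '%Y-%m-%d %H:%M:%S')
    return ts, fail.group('host')


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay eventlog lines through the jail's maxretry/findtime logic and
    return the events fail2ban would log: ('Found', host) / ('Ban', host)."""
    recent = defaultdict(list)     # host -> timestamps of failures in window
    events = []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        events.append(('Found', host))
        # Drop failures that fell out of the findtime window.
        recent[host] = [t for t in recent[host] if ts - t <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            events.append(('Ban', host))
            recent[host].clear()   # the ban action now handles this host
    return events


def _event(ts, package, ip, logon_type):
    # Constructed sample line in the assumed winlogbeat eventlog layout;
    # the leading number and EventID are illustrative values.
    return (f'{ts} 4625 {{"AuthenticationPackageName":"{package}",'
            f'"EventID":"4625","IpAddress":"{ip}","IpPort":"49152",'
            f'"LogonType":"{logon_type}","TargetUserName":"admin"}}')


# Constructed input: two NTLM network failures from one host within findtime,
# plus lines the filter must ignore and a host whose failures are too far apart.
SAMPLE_LINES = [
    _event('2018-04-06 15:32:29', 'NTLM', '192.168.122.13', 3),      # Found
    _event('2018-04-06 15:32:31', 'Kerberos', '192.168.122.13', 3),  # prefregex miss
    _event('2018-04-06 15:32:33', 'NTLM', '192.168.122.13', 2),      # local logon: ignored
    _event('2018-04-06 15:32:36', 'NTLM', '192.168.122.13', 3),      # Found -> Ban
    _event('2018-04-06 15:40:00', 'NTLM', '10.0.0.5', 3),            # Found
    _event('2018-04-06 15:55:00', 'NTLM', '10.0.0.5', 3),            # Found, >600 s later: no ban
]

if __name__ == '__main__':
    for ev in simulate_jail(SAMPLE_LINES):
        print(*ev)
```

Running it prints Found, Found, Ban for 192.168.122.13 and only two Found lines for 10.0.0.5, because its second failure lands outside the 600-second findtime window. The same windowing applies to the copssh jail further down, which only swaps in the copssh-sshd filter.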
- Install Win2ban to a separate directory
- Enable jail copssh in etc/fail2ban/jail.local:
[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall
[copssh]
enabled = true
filter = copssh-sshd
logpath = /winlogbeat/logs/eventlog
- Start services win2ban_winlogbeat and win2ban_fail2ban
Log files:
Winlogbeat - winlogbeat/logs directory
Fail2ban - var/log directory
Sample /var/log/fail2ban.log:
2018-04-05 23:54:28,411 fail2ban.server [424]: INFO --------------------------------------------------
2018-04-05 23:54:28,411 fail2ban.server [424]: INFO Starting Fail2ban v0.10.2
2018-04-05 23:54:28,442 fail2ban.database [424]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-05 23:54:28,446 fail2ban.jail [424]: INFO Creating new jail 'copssh'
2018-04-05 23:54:28,447 fail2ban.jail [424]: INFO Jail 'copssh' uses poller {}
2018-04-05 23:54:28,447 fail2ban.jail [424]: INFO Initiated 'polling' backend
2018-04-05 23:54:28,448 fail2ban.filter [424]: INFO maxLines: 1
2018-04-05 23:54:28,467 fail2ban.server [424]: INFO Jail copssh is not a JournalFilter instance
2018-04-05 23:54:28,468 fail2ban.filter [424]: INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 19020, hash = c54619552ccd10f356c0810faec6cdba)
2018-04-05 23:54:28,468 fail2ban.filter [424]: INFO maxRetry: 2
2018-04-05 23:54:28,469 fail2ban.filter [424]: INFO encoding: UTF-8
2018-04-05 23:54:28,469 fail2ban.actions [424]: INFO banTime: 600
2018-04-05 23:54:28,470 fail2ban.filter [424]: INFO findtime: 600
2018-04-05 23:54:28,472 fail2ban.jail [424]: INFO Jail 'copssh' started
2018-04-05 23:55:20,525 fail2ban.filter [424]: INFO [copssh] Found 192.168.122.13 - 2018-04-05 23:55:19
2018-04-05 23:55:23,787 fail2ban.filter [424]: INFO [copssh] Found 192.168.122.13 - 2018-04-05 23:55:22
2018-04-05 23:55:23,953 fail2ban.actions [424]: NOTICE [copssh] Ban 192.168.122.13
2018-04-05 23:58:22,875 fail2ban.actions [424]: NOTICE [copssh] Unban 192.168.122.13
2018-04-06 00:54:57,531 fail2ban.server [424]: INFO Shutdown in progress...
2018-04-06 00:54:57,531 fail2ban.server [424]: INFO Stopping all jails
2018-04-06 00:54:57,532 fail2ban.filter [424]: INFO Removed logfile: '/winlogbeat/logs/eventlog'
2018-04-06 00:54:58,328 fail2ban.jail [424]: INFO Jail 'copssh' stopped
2018-04-06 00:54:58,332 fail2ban.database [424]: INFO Connection to database closed.
2018-04-06 00:54:58,333 fail2ban.server [424]: INFO Exiting Fail2ban