win2ban - Fail2Ban for Windows

Buy now

win2ban is a Fail2ban implementation for Windows systems. It is a packaging of Fail2ban, Python, Cygwin, Winlogbeat and many other related tools to make it a complete and ready-to-use solution for brute-force attack protection.

Fail2ban is a generic intrusion prevention system, featuring multiple blocking techniques and preconfigured for a variety of server applications. It operates by monitoring log files for selected entries and running scripts based on them. Winlogbeat reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs. Cygwin is a Linux-like environment for Windows. It consists of a DLL (Cygwin1.dll), which emulates substantial Linux API functionality, and a collection of tools.

 

Itefix provides a virtual test lab in where you can try our products with full functionality.

  • At the moment we have 8 hosts (Windows 11, 10, 7 and Windows servers 2022, 2019, 2016, 2012R2, 2008 R2).
  • Our lab has no Internet access.
  • Itefix software is available via a network share at the desktop. You need to install the software of your choice yourself. 
  • You have also access to some popular 3rd party software to test client scenarios.
  • You can also request multiple test machines to test network scenarios (one per OS type).
Access instructions will be sent to this address.

Installation

Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016

win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run  the installer :

  1. Click Next at Welcome-page
  2. View license agreement.
  3. Specify an installation location.
  4. Select components to install. You can choose not to install Winlogbeat if there is no need for making eventlog entries available for processing via Fail2ban in your case.
  5. Installation starts and installs Fail2ban and optional Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat

Usage

Fail2ban configuration files are located at etc/fail2ban. Win2ban is ready-to-protect against RDP/Network login or Copssh SSH attacks out of the box. Otherwise, you need to develop/implement your jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains ban/unban commands for the Windows firewall. It is also possible to configure the server using commands sent to it by fail2ban-client. A shell environment can be initiated by running win2ban-shell.cmd located at the root of the installation directory 

Fail2ban log example (var/log/fail2ban.log):

2021-05-09 20:02:21,048 fail2ban.server         : INFO    --------------------------------------------------
2021-05-09 20:02:21,048 fail2ban.server         : INFO    Starting Fail2ban v0.10.4
2021-05-09 20:02:21,155 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2021-05-09 20:02:21,168 fail2ban.database       : WARNING New database created. Version '2'
2021-05-09 20:02:21,170 fail2ban.jail           : INFO    Creating new jail 'win2ban-network-logon'
2021-05-09 20:02:21,171 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' uses poller {}
2021-05-09 20:02:21,171 fail2ban.jail           : INFO    Initiated 'polling' backend
2021-05-09 20:02:21,177 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 5acf97560c9b8014a621577ff3b4bda5)
2021-05-09 20:02:21,177 fail2ban.filter         : INFO      maxRetry: 2
2021-05-09 20:02:21,178 fail2ban.filter         : INFO      encoding: UTF-8
2021-05-09 20:02:21,179 fail2ban.filter         : INFO      findtime: 600
2021-05-09 20:02:21,179 fail2ban.actions        : INFO      banTime: 600
2021-05-09 20:02:21,180 fail2ban.jail           : INFO    Creating new jail 'copssh'
2021-05-09 20:02:21,181 fail2ban.jail           : INFO    Jail 'copssh' uses poller {}
2021-05-09 20:02:21,181 fail2ban.jail           : INFO    Initiated 'polling' backend
2021-05-09 20:02:21,182 fail2ban.filter         : INFO      maxLines: 1
2021-05-09 20:02:21,201 fail2ban.server         : INFO    Jail copssh is not a JournalFilter instance
2021-05-09 20:02:21,203 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 5acf97560c9b8014a621577ff3b4bda5)
2021-05-09 20:02:21,203 fail2ban.filter         : INFO      maxRetry: 2
2021-05-09 20:02:21,203 fail2ban.filter         : INFO      encoding: UTF-8
2021-05-09 20:02:21,204 fail2ban.filter         : INFO      findtime: 600
2021-05-09 20:02:21,204 fail2ban.actions        : INFO      banTime: 600
2021-05-09 20:02:21,211 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' started
2021-05-09 20:02:21,213 fail2ban.jail           : INFO    Jail 'copssh' started
2021-05-09 20:04:52,886 fail2ban.filter         : INFO     Found 192.168.100.22 - 2021-05-09 20:04:49
2021-05-09 20:05:03,081 fail2ban.filter         : INFO     Found 192.168.100.22 - 2021-05-09 20:05:00
2021-05-09 20:05:03,299 fail2ban.actions        : NOTICE   Ban 192.168.100.22

 

If you have selected to install winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to output related event log entries last 72 hours from application, system and security eventlogs, to the logfile winlogbeat\logs\eventlog with the following format:

string: '%{} %{} %{}'

 example output:

2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.

 

 Some good references for fail2ban/winlogbeat usage: 

Official Fail2ban Website

Man pages: fail2ban    jail.conf    fail2ban-client    fail2ban-regex    fail2ban-server

Linode.com - Use Fail2ban to Secure Your Server

 Winlogbeat reference

 

How can I configure Win2ban for brute force attacks against Copssh ?
  • Protecting Copssh against brute force attacks is enabled as default. 
  • Start services win2ban_winlogbeat and win2ban_fail2ban 

 

Sample /var/log/fail2ban.log

2018-04-05 23:54:28,411 fail2ban.server         : INFO    --------------------------------------------------
2018-04-05 23:54:28,411 fail2ban.server         : INFO    Starting Fail2ban v0.10.2
2018-04-05 23:54:28,442 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-05 23:54:28,446 fail2ban.jail           : INFO    Creating new jail 'copssh'
2018-04-05 23:54:28,447 fail2ban.jail           : INFO    Jail 'copssh' uses poller {}
2018-04-05 23:54:28,447 fail2ban.jail           : INFO    Initiated 'polling' backend
2018-04-05 23:54:28,448 fail2ban.filter         : INFO      maxLines: 1
2018-04-05 23:54:28,467 fail2ban.server         : INFO    Jail copssh is not a JournalFilter instance
2018-04-05 23:54:28,468 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 19020, hash = c54619552ccd10f356c0810faec6cdba)
2018-04-05 23:54:28,468 fail2ban.filter         : INFO      maxRetry: 2
2018-04-05 23:54:28,469 fail2ban.filter         : INFO      encoding: UTF-8
2018-04-05 23:54:28,469 fail2ban.actions        : INFO      banTime: 600
2018-04-05 23:54:28,470 fail2ban.filter         : INFO      findtime: 600
2018-04-05 23:54:28,472 fail2ban.jail           : INFO    Jail 'copssh' started
2018-04-05 23:55:20,525 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-05 23:55:19
2018-04-05 23:55:23,787 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-05 23:55:22
2018-04-05 23:55:23,953 fail2ban.actions        : NOTICE   Ban 192.168.122.13
2018-04-05 23:58:22,875 fail2ban.actions        : NOTICE   Unban 192.168.122.13
2018-04-06 00:54:57,531 fail2ban.server         : INFO    Shutdown in progress...
2018-04-06 00:54:57,531 fail2ban.server         : INFO    Stopping all jails
2018-04-06 00:54:57,532 fail2ban.filter         : INFO    Removed logfile: '/winlogbeat/logs/eventlog'
2018-04-06 00:54:58,328 fail2ban.jail           : INFO    Jail 'copssh' stopped
2018-04-06 00:54:58,332 fail2ban.database       : INFO    Connection to database closed.
2018-04-06 00:54:58,333 fail2ban.server         : INFO    Exiting Fail2ban
How can I configure Win2ban for Windows Remote desktop/Network logons?
  • Protecting RDP/Network logins against brute force attacks is enabled as default. 
  • Start services win2ban_winlogbeat and win2ban_fail2ban

 

Sample /var/log/fail2ban.log

2018-04-06 15:31:41,113 fail2ban.server         : INFO    Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail           : INFO    Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail           : INFO    Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail           : INFO    Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter         : INFO      maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server         : INFO    Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter         : INFO      maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter         : INFO      encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions        : INFO      banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter         : INFO      findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail           : INFO    Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail           : INFO    Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter         : INFO      maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter         : INFO      encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions        : INFO      banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter         : INFO      findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail           : INFO    Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions        : NOTICE   Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions        : NOTICE   Unban 192.168.122.13
How can I unban IP-address(es) manually

Initiate win2ban-shell  at the root of the installation directory 

 

Command to unban specific addresses:

fail2ban-client unban ip-address ip-address ...

 

Command to unban all IP-addresses:

fail2ban-client unban --all

How can I verify if a ban rule is in effect for a specific jail ?

Initiate win2ban-shell  at the root of the installation directory and issue the command below (example jail win2ban-network-logon):

 

$ fail2ban-client status win2ban-network-logon

Status for the jail: win2ban-network-logon

|- Filter

|  |- Currently failed: 1

|  |- Total failed:     5

|  `- File list:        /winlogbeat/logs/eventlog

`- Actions

   |- Currently banned: 1

   |- Total banned:     2

   `- Banned IP list:   192.168.100.22

 

The related firewall rule(s) can be displayed by using the following Powershell command:

get-netfirewallrule -all | Where-Object {$_.DisplayName -like "win2ban*"} | Format-Table

Name                                   DisplayName                  DisplayGroup Enabled Profile Direction Action

----                                   -----------                  ------------ ------- ------- --------- ------ 

{F9BAA4EB-D8A8-48C7-9205-D3246D70F990} win2ban - ban 192.168.100.22              True    Any     Inbound   Block

How to handle large log files effectively ?

 Try to append the option tail to the logpath parameter of your jail definition. Win2ban will then start to read from the end of the file instead of from the beginnning. Visit Fail2ban man page https://www.systutorials.com/docs/linux/man/5-jail.conf and search for tail for more information.

Win2ban 2.0.4

release date: 
Sun, 09/17/2023
2023

Win2ban 2.0.3

release date: 
Tue, 06/20/2023
2023

Win2ban 2.0.2

release date: 
Thu, 03/09/2023
2023

Win2ban 2.0.1

release date: 
Sun, 11/20/2022
2022

Win2ban 2.0.0

release date: 
Thu, 12/16/2021
2021

Win2ban 1.1.1

release date: 
Sun, 05/09/2021
2021

Win2ban 1.1.0

release date: 
Sat, 10/27/2018
2018

win2ban 1.0.1

release date: 
Fri, 04/06/2018
2018

Release announcements