Win2ban FAQs

How to handle large log files effectively?

Try appending the option tail to the logpath parameter of your jail definition. Win2ban will then start reading from the end of the file instead of from the beginning. See the Fail2ban man page at https://www.systutorials.com/docs/linux/man/5-jail.conf and search for tail for more information.

How can I configure Win2ban for Windows Remote desktop/Network logons?

  • Install Win2ban to a separate directory
  • Add the jail win2ban-network-logon to etc/fail2ban/jail.local:
[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall

.....

[win2ban-network-logon]
enabled  = true
filter   = win2ban-network-logon
logpath  = /winlogbeat/logs/eventlog

  • Create the file etc/fail2ban/filter.d/win2ban-network-logon.local with the following content:
# Fail2Ban filter for win2ban-network-logon

[Definition]
prefregex = ^ \d+ \{"AuthenticationPackageName":"NTLM".+<F-CONTENT>"IpAddress.+</F-CONTENT>\}$

# LogonType = 3: network login, 2: local login
failregex = ^"IpAddress":"<HOST>".+"LogonType":"3".+$

ignoreregex = 

  • Start services win2ban_winlogbeat and win2ban_fail2ban
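The following is an added example, not part of Win2ban or Fail2ban: it replays the two-stage prefregex/failregex matching of the win2ban-network-logon filter above over constructed event lines and applies the maxretry = 2 / findtime = 600 rule from jail.local, so you can see why the sample log bans 192.168.122.13 after the second "Found". It assumes the date has already been stripped from each line (as fail2ban does before prefregex runs) and uses a simplified expansion of the <HOST> placeholder; the sample lines and the helper names match_line, ban_decisions and _ev are constructed for this demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# prefregex / failregex from the filter above, with fail2ban's <F-CONTENT> and
# <HOST> placeholders expanded into ordinary named groups (HOST kept to the
# simplified dotted-name form, not fail2ban's full IPv4/IPv6 alternation).
PREFREGEX = re.compile(
    r'^ \d+ \{"AuthenticationPackageName":"NTLM".+(?P<content>"IpAddress.+)\}$')
FAILREGEX = re.compile(
    r'^"IpAddress":"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)".+"LogonType":"3".+$')


def match_line(line):
    """Two-stage match as fail2ban does it: prefregex narrows the line and
    hands its <F-CONTENT> part to failregex, which yields <HOST> or None."""
    pre = PREFREGEX.match(line)
    if not pre:
        return None  # not an NTLM event: never reaches failregex
    fail = FAILREGEX.match(pre.group("content"))
    return fail.group("host") if fail else None


def ban_decisions(events, maxretry=2, findtime=600):
    """Replay (timestamp, line) events; return [(host, ban_timestamp)].
    A host is banned once maxretry matches fall inside a findtime-second
    window, the rule jail.local sets with maxretry = 2, findtime = 600."""
    window = timedelta(seconds=findtime)
    failures, banned, bans = defaultdict(list), set(), []
    for ts, line in events:
        host = match_line(line)
        if host is None or host in banned:
            continue
        failures[host] = [t for t in failures[host] if ts - t <= window] + [ts]
        if len(failures[host]) >= maxretry:
            bans.append((host, ts))
            banned.add(host)
    return bans


# Constructed sample lines shaped to fit the prefregex, with the date already
# stripped as fail2ban does before prefregex runs; all values are made up.
def _ev(hms, fields):
    h, m, s = (int(x) for x in hms.split(":"))
    return (datetime(2018, 4, 6, h, m, s), " 4625 {" + fields + "}")

SAMPLE_EVENTS = [
    _ev("15:32:29", '"AuthenticationPackageName":"NTLM","IpAddress":"192.168.122.13","LogonType":"3","Status":"0xc000006d"'),
    _ev("15:32:31", '"AuthenticationPackageName":"Kerberos","IpAddress":"192.168.122.13","LogonType":"3","Status":"0xc000006d"'),
    _ev("15:32:33", '"AuthenticationPackageName":"NTLM","IpAddress":"10.0.0.5","LogonType":"2","Status":"0xc000006d"'),
    _ev("15:32:36", '"AuthenticationPackageName":"NTLM","IpAddress":"192.168.122.13","LogonType":"3","Status":"0xc000006d"'),
]
```

Only the two NTLM, LogonType 3 lines count as failures; the Kerberos line is dropped by prefregex and the interactive (LogonType 2) logon by failregex, so the second hit from 192.168.122.13 triggers the ban, exactly as in the sample log.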

Log files:

Winlogbeat - winlogbeat/logs directory

Fail2ban - var/log directory

Sample /var/log/fail2ban.log:

2018-04-06 15:31:41,113 fail2ban.server         [4040]: INFO    Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database       [4040]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail           [4040]: INFO    Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail           [4040]: INFO    Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail           [4040]: INFO    Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter         [4040]: INFO      maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server         [4040]: INFO    Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter         [4040]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter         [4040]: INFO      maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter         [4040]: INFO      encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions        [4040]: INFO      banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter         [4040]: INFO      findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter         [4040]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter         [4040]: INFO      maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter         [4040]: INFO      encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions        [4040]: INFO      banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter         [4040]: INFO      findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail           [4040]: INFO    Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail           [4040]: INFO    Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter         [4040]: INFO    [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter         [4040]: INFO    [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions        [4040]: NOTICE  [win2ban-network-logon] Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions        [4040]: NOTICE  [win2ban-network-logon] Unban 192.168.122.13

How can I configure Win2ban for brute force attacks against Copssh?

  • Install Win2ban to a separate directory
  • Enable the jail copssh in etc/fail2ban/jail.local:
[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall

[copssh]
enabled  = true
filter   = copssh-sshd
logpath  = /winlogbeat/logs/eventlog

  • Start services win2ban_winlogbeat and win2ban_fail2ban

Log files:

Winlogbeat - winlogbeat/logs directory

Fail2ban - var/log directory

Sample /var/log/fail2ban.log:

2018-04-05 23:54:28,411 fail2ban.server         [424]: INFO    --------------------------------------------------
2018-04-05 23:54:28,411 fail2ban.server         [424]: INFO    Starting Fail2ban v0.10.2
2018-04-05 23:54:28,442 fail2ban.database       [424]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-05 23:54:28,446 fail2ban.jail           [424]: INFO    Creating new jail 'copssh'
2018-04-05 23:54:28,447 fail2ban.jail           [424]: INFO    Jail 'copssh' uses poller {}
2018-04-05 23:54:28,447 fail2ban.jail           [424]: INFO    Initiated 'polling' backend
2018-04-05 23:54:28,448 fail2ban.filter         [424]: INFO      maxLines: 1
2018-04-05 23:54:28,467 fail2ban.server         [424]: INFO    Jail copssh is not a JournalFilter instance
2018-04-05 23:54:28,468 fail2ban.filter         [424]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 19020, hash = c54619552ccd10f356c0810faec6cdba)
2018-04-05 23:54:28,468 fail2ban.filter         [424]: INFO      maxRetry: 2
2018-04-05 23:54:28,469 fail2ban.filter         [424]: INFO      encoding: UTF-8
2018-04-05 23:54:28,469 fail2ban.actions        [424]: INFO      banTime: 600
2018-04-05 23:54:28,470 fail2ban.filter         [424]: INFO      findtime: 600
2018-04-05 23:54:28,472 fail2ban.jail           [424]: INFO    Jail 'copssh' started
2018-04-05 23:55:20,525 fail2ban.filter         [424]: INFO    [copssh] Found 192.168.122.13 - 2018-04-05 23:55:19
2018-04-05 23:55:23,787 fail2ban.filter         [424]: INFO    [copssh] Found 192.168.122.13 - 2018-04-05 23:55:22
2018-04-05 23:55:23,953 fail2ban.actions        [424]: NOTICE  [copssh] Ban 192.168.122.13
2018-04-05 23:58:22,875 fail2ban.actions        [424]: NOTICE  [copssh] Unban 192.168.122.13
2018-04-06 00:54:57,531 fail2ban.server         [424]: INFO    Shutdown in progress...
2018-04-06 00:54:57,531 fail2ban.server         [424]: INFO    Stopping all jails
2018-04-06 00:54:57,532 fail2ban.filter         [424]: INFO    Removed logfile: '/winlogbeat/logs/eventlog'
2018-04-06 00:54:58,328 fail2ban.jail           [424]: INFO    Jail 'copssh' stopped
2018-04-06 00:54:58,332 fail2ban.database       [424]: INFO    Connection to database closed.
2018-04-06 00:54:58,333 fail2ban.server         [424]: INFO    Exiting Fail2ban