Installation
Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016
win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run the installer:
- Click Next on the Welcome page.
- View the license agreement.
- Specify an installation location.
- Select the components to install. You can choose not to install Winlogbeat if you do not need event log entries made available to Fail2ban for processing.
- Installation starts and installs Fail2ban and, optionally, Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat).
Usage
Fail2ban configuration files are located under etc/fail2ban. Out of the box, win2ban is ready to protect against RDP/network logon or Copssh SSH attacks; for anything else, you need to develop your own jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains the ban/unban commands for the Windows firewall. The server can also be configured by sending it commands via fail2ban-client; a shell environment for this is started by running win2ban-shell.cmd, located at the root of the installation directory.
Fail2ban log example (var/log/fail2ban.log):
2021-05-09 20:02:21,048 fail2ban.server : INFO --------------------------------------------------
2021-05-09 20:02:21,048 fail2ban.server : INFO Starting Fail2ban v0.10.4
2021-05-09 20:02:21,155 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2021-05-09 20:02:21,168 fail2ban.database : WARNING New database created. Version '2'
2021-05-09 20:02:21,170 fail2ban.jail : INFO Creating new jail 'win2ban-network-logon'
2021-05-09 20:02:21,171 fail2ban.jail : INFO Jail 'win2ban-network-logon' uses poller {}
2021-05-09 20:02:21,171 fail2ban.jail : INFO Initiated 'polling' backend
2021-05-09 20:02:21,177 fail2ban.filter : INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 5acf97560c9b8014a621577ff3b4bda5)
2021-05-09 20:02:21,177 fail2ban.filter : INFO maxRetry: 2
2021-05-09 20:02:21,178 fail2ban.filter : INFO encoding: UTF-8
2021-05-09 20:02:21,179 fail2ban.filter : INFO findtime: 600
2021-05-09 20:02:21,179 fail2ban.actions : INFO banTime: 600
2021-05-09 20:02:21,180 fail2ban.jail : INFO Creating new jail 'copssh'
2021-05-09 20:02:21,181 fail2ban.jail : INFO Jail 'copssh' uses poller {}
2021-05-09 20:02:21,181 fail2ban.jail : INFO Initiated 'polling' backend
2021-05-09 20:02:21,182 fail2ban.filter : INFO maxLines: 1
2021-05-09 20:02:21,201 fail2ban.server : INFO Jail copssh is not a JournalFilter instance
2021-05-09 20:02:21,203 fail2ban.filter : INFO Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 5acf97560c9b8014a621577ff3b4bda5)
2021-05-09 20:02:21,203 fail2ban.filter : INFO maxRetry: 2
2021-05-09 20:02:21,203 fail2ban.filter : INFO encoding: UTF-8
2021-05-09 20:02:21,204 fail2ban.filter : INFO findtime: 600
2021-05-09 20:02:21,204 fail2ban.actions : INFO banTime: 600
2021-05-09 20:02:21,211 fail2ban.jail : INFO Jail 'win2ban-network-logon' started
2021-05-09 20:02:21,213 fail2ban.jail : INFO Jail 'copssh' started
2021-05-09 20:04:52,886 fail2ban.filter : INFO Found 192.168.100.22 - 2021-05-09 20:04:49
2021-05-09 20:05:03,081 fail2ban.filter : INFO Found 192.168.100.22 - 2021-05-09 20:05:00
2021-05-09 20:05:03,299 fail2ban.actions : NOTICE Ban 192.168.100.22
If you selected to install Winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to write the relevant event log entries from the last 72 hours of the Application, System and Security event logs to the file winlogbeat\logs\eventlog, using the following format:
string: '%{} %{} %{}'
Example output:
2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.
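To show how a jail turns these Winlogbeat lines into the "Found ... / Ban ..." sequence seen in the fail2ban.log above, here is an added Python example (not win2ban's or Fail2ban's own code) that replays the counting rule with the defaults from the log (maxRetry 2, findtime 600). The failregex, the constructed eventlog sample and the abbreviated 4625 message text are assumptions for illustration; a real jail would use its own filter and datepattern.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the winlogbeat eventlog file described above, one
# "<@timestamp> <event_id> <message>" entry per line. 4625 is the standard
# Windows "An account failed to log on" event; the message text is
# abbreviated and made up for this example, not captured from a real host.
SAMPLE_EVENTLOG = """\
2021-05-09T20:04:49.000Z 1704 Security policy in the Group policy objects has been applied successfully.
2021-05-09T20:04:49.000Z 4625 An account failed to log on. Account Name: admin Source Network Address: 192.168.100.22
2021-05-09T20:05:00.000Z 4625 An account failed to log on. Account Name: admin Source Network Address: 192.168.100.22
2021-05-09T20:05:30.000Z 4625 An account failed to log on. Account Name: bob Source Network Address: 10.0.0.5
"""

# Hypothetical failregex written in Fail2ban style; <HOST> is Fail2ban's
# placeholder for the offending address, expanded here to a plain IPv4 group.
FAILREGEX = r"^\S+ 4625 .*Source Network Address: <HOST>$"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def parse_failures(text):
    """Yield (timestamp, host) for every eventlog line matching the failregex."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            stamp = line.split(" ", 1)[0]
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            yield ts, m.group("host")


def decide_bans(text, maxretry=2, findtime=600):
    """Replay the jail rule: ban a host once it has maxretry matches inside a
    findtime window. Returns the banned hosts in the order they were banned."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of its matches still inside findtime
    banned = []
    for ts, host in parse_failures(text):
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned   # → ['192.168.100.22'] for the sample above
```

Running decide_bans(SAMPLE_EVENTLOG) reproduces the log above: two matches for 192.168.100.22 eleven seconds apart trigger the ban, while the single failure from 10.0.0.5 stays below maxRetry.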
Some good references for fail2ban/winlogbeat usage:
Man pages: fail2ban, jail.conf, fail2ban-client, fail2ban-regex, fail2ban-server
Linode.com - Use Fail2ban to Secure Your Server