win2ban - Fail2Ban for Windows with Winlogbeat eventlog shipper

win2ban is a Fail2ban implementation for Windows systems. It is a packaging of Fail2ban, Python, Cygwin, Winlogbeat and many other related tools to make it a complete and ready-to-use solution for brute-force attack protection.

Fail2ban is a generic intrusion prevention system, featuring multiple blocking techniques and preconfigured for a variety of server applications. It operates by monitoring log files for selected entries and running scripts based on them. Winlogbeat reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs. Cygwin is a Linux-like environment for Windows. It consists of a DLL (Cygwin1.dll), which emulates substantial Linux API functionality, and a collection of tools.

win2ban update - 1.1.0	27/10/2018
win2ban update - 1.0.1	06/04/2018
Introducing win2ban - Fail2ban for Windows	28/03/2018

Itefix provides a virtual test lab in where you can try our products with full functionality. At the moment we have 7 hosts (Windows 7, Windows 2008 R2, Windows 2012 R2, Windows 10, Windows 2016, Windows 2019 and Lubuntu 16.04 for Unix scenarios). Our lab has no Internet access. All lab computers are refreshed every three hours.

Itefix software is available via a URL on the desktop. You have also access to some popular 3rd party software to test client scenarios. Download the software to lab computers which share the same network, so it is possible to experiment with multiple hosts. A network diagram showing the connectivity is available via the URL.

Our lab has also a Lubuntu 16.04 desktop to test Unix/X windows scenarios. In the case you need to login via ssh from an other test computer, you can use following credentials: user lab1user, pwd user1lab

USD 29.00

The product is a bundle containing installers for 32- and 64-bit systems.

Quantity is the number of computers to install the product on.

Volume pricing 29

Volume pricing with maintenance durations (30-days is the default). Prices are in USD.


Quantity	30 days	1 year	2 years	3 years
1	29	71	120	158
2	48	117	199	261
3	67	163	277	364
4	86	210	355	466
5	104	256	433	569
10	199	487	824	1083
15	293	718	1216	1596
20	387	949	1607	2110
25	481	1179	1998	2624
30	576	1410	2389	3137
40	764	1872	3171	4165
50	953	2334	3953	5192
75	1424	3489	5909	7760
100	1895	4643	7865	10329

Installation

Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016

win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run the installer :

Click Next at Welcome-page
View license agreement.
Specify an installation location.
Select components to install. You can choose not to install Winlogbeat if there is no need for making eventlog entries available for processing via Fail2ban in your case.
Installation starts and installs Fail2ban and optional Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat)

Usage

Fail2ban configuration files are located at etc/fail2ban. You need to develop/implement your jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains ban/unban commands for the Windows firewall. It is also possible to configure the server using commands sent to it by fail2ban-client. A shell environment can be initiated by running win2ban-shell.cmd located at the root of the installation directory. See also our FAQs for more examples:

A simple fail2ban example:

Log file tmp/test.log:

Problem: 1.2.3.4 2018-03-26 22:37:16
Problem: 1.2.3.4 2018-03-26 22:41:12
Problem: 5.6.7.8 2018-03-26 22:41:16

File etc/fail2ban/jail.local:

[DEFAULT]
maxretry = 1
findtime = 6000
bantime = 180
banaction = windows-firewall
backend = polling

[test]
enabled  = true
filter   = test
logpath  = /tmp/test.log

File etc/fail2ban/filter.d/test.local:

[Definition]
failregex   = ^Problem: <HOST>\s*$
ignoreregex =

Fail2ban log example (var/log/fail2ban.log):

2018-03-26 22:36:42,176 fail2ban.server         [3056]: INFO    --------------------------------------------------
2018-03-26 22:36:42,176 fail2ban.server         [3056]: INFO    Starting Fail2ban v0.10.2
2018-03-26 22:36:42,176 fail2ban.server         [3056]: INFO    Daemon started
2018-03-26 22:36:42,209 fail2ban.database       [3056]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-26 22:36:42,212 fail2ban.jail           [3056]: INFO    Creating new jail 'test'
2018-03-26 22:36:42,212 fail2ban.jail           [3056]: INFO    Jail 'test' uses poller {}
2018-03-26 22:36:42,213 fail2ban.jail           [3056]: INFO    Initiated 'polling' backend
2018-03-26 22:36:42,215 fail2ban.filter         [3056]: INFO    Added logfile: '/tmp/test.log' (pos = 761, hash = ab6aa4af41e46cc1dfbb26a99bc80bd0)
2018-03-26 22:36:42,216 fail2ban.filter         [3056]: INFO      maxRetry: 1
2018-03-26 22:36:42,216 fail2ban.filter         [3056]: INFO      encoding: UTF-8
2018-03-26 22:36:42,217 fail2ban.actions        [3056]: INFO      banTime: 180
2018-03-26 22:36:42,217 fail2ban.filter         [3056]: INFO      findtime: 6000
2018-03-26 22:36:42,220 fail2ban.jail           [3056]: INFO    Jail 'test' started
2018-03-26 22:37:28,483 fail2ban.filter         [3056]: INFO    [test] Found 1.2.3.4 - 2018-03-26 22:37:12
2018-03-26 22:37:28,483 fail2ban.filter         [3056]: INFO    [test] Found 1.2.3.4 - 2018-03-26 22:37:16
2018-03-26 22:37:29,220 fail2ban.actions        [3056]: NOTICE  [test] Ban 1.2.3.4
2018-03-26 22:40:16,358 fail2ban.actions        [3056]: NOTICE  [test] Unban 1.2.3.4
2018-03-26 22:42:07,750 fail2ban.filter         [3056]: INFO    [test] Found 1.2.3.4 - 2018-03-26 22:41:12
2018-03-26 22:42:07,750 fail2ban.filter         [3056]: INFO    [test] Found 5.6.7.8 - 2018-03-26 22:41:16
2018-03-26 22:42:07,766 fail2ban.actions        [3056]: NOTICE  [test] Ban 1.2.3.4
2018-03-26 22:42:07,891 fail2ban.actions        [3056]: NOTICE  [test] Ban 5.6.7.8
2018-03-26 22:44:13,826 fail2ban.actions        [3056]: NOTICE  [test] Unban 1.2.3.4
2018-03-26 22:44:18,041 fail2ban.actions        [3056]: NOTICE  [test] Unban 5.6.7.8
2018-03-27 00:01:10,808 fail2ban.server         [3056]: INFO    Shutdown in progress...
2018-03-27 00:01:10,808 fail2ban.server         [3056]: INFO    Stopping all jails
2018-03-27 00:01:10,808 fail2ban.filter         [3056]: INFO    Removed logfile: '/tmp/test.log'
2018-03-27 00:01:11,245 fail2ban.jail           [3056]: INFO    Jail 'test' stopped
2018-03-27 00:01:11,245 fail2ban.database       [3056]: INFO    Connection to database closed.
2018-03-27 00:01:11,245 fail2ban.server         [3056]: INFO    Exiting Fail2ban
2018-03-27 09:00:07,232 fail2ban.server         [3692]: INFO    --------------------------------------------------

If you have selected to install winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to output event log entries last 72 hours from application, system and security eventlogs, to the logfile winlogbeat\logs\eventlog with the following format:

string: '%{[@timestamp]} %{[event_id]} %{[message]}'

example output:

2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.

Some good references for fail2ban/winlogbeat usage:

Official Fail2ban Website

Man pages: fail2ban jail.conf fail2ban-client fail2ban-regex fail2ban-server

Linode.com - Use Fail2ban to Secure Your Server

Winlogbeat reference

How to handle large log files effectively ?

Try to append the option tail to the logpath parameter of your jail definition. Win2ban will then start to read from the end of the file instead of from the beginnning. Visit Fail2ban man page https://www.systutorials.com/docs/linux/man/5-jail.conf and search for tail for more information.

How can I configure Win2ban for Windows Remote desktop/Network logons?

Install Win2ban to a separate directory
locate the win2ban.yml file in the winlogbeat directory and make sure that the Event log shipper is configured to ship related events:

  - name: Security

    ignore_older: 72h

    event_id: 4625

Add the jail win2ban-network-logon to etc/fail2ban/jail.local:

[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall

.....

[win2ban-network-logon]
enabled  = true
filter   = win2ban-network-logon
logpath  = /winlogbeat/logs/eventlog

Create the file etc/fail2ban/filter.d/win2ban-network-logon.local with the following content:

# Fail2Ban filter for win2ban-network-logon

[Definition]
prefregex = ^ \d+ \{"AuthenticationPackageName":"NTLM".+<F-CONTENT>"IpAddress.+</F-CONTENT>\}$

# LogonType = 3: network login, 2: local login
failregex = ^"IpAddress":"<HOST>".+"LogonType":"3".+$

ignoreregex =

Start services win2ban_winlogbeat and win2ban_fail2ban

Log files:

Winlogbeat - winlogbeat/logs directory

Fail2ban - var/log directory

Sample /var/log/fail2ban.log:

2018-04-06 15:31:41,113 fail2ban.server         [4040]: INFO    Starting Fail2ban v0.10.2
2018-04-06 15:31:41,193 fail2ban.database       [4040]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-06 15:31:41,197 fail2ban.jail           [4040]: INFO    Creating new jail 'copssh'
2018-04-06 15:31:41,205 fail2ban.jail           [4040]: INFO    Jail 'copssh' uses poller {}
2018-04-06 15:31:41,205 fail2ban.jail           [4040]: INFO    Initiated 'polling' backend
2018-04-06 15:31:41,207 fail2ban.filter         [4040]: INFO      maxLines: 1
2018-04-06 15:31:41,233 fail2ban.server         [4040]: INFO    Jail copssh is not a JournalFilter instance
2018-04-06 15:31:41,235 fail2ban.filter         [4040]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 36044, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,236 fail2ban.filter         [4040]: INFO      maxRetry: 2
2018-04-06 15:31:41,236 fail2ban.filter         [4040]: INFO      encoding: UTF-8
2018-04-06 15:31:41,237 fail2ban.actions        [4040]: INFO      banTime: 600
2018-04-06 15:31:41,237 fail2ban.filter         [4040]: INFO      findtime: 600
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Creating new jail 'win2ban-network-logon'
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Jail 'win2ban-network-logon' uses poller {}
2018-04-06 15:31:41,239 fail2ban.jail           [4040]: INFO    Initiated 'polling' backend
2018-04-06 15:31:41,242 fail2ban.filter         [4040]: INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 4bd8f42a7d4b980d2921fe03ed7ffaf1)
2018-04-06 15:31:41,243 fail2ban.filter         [4040]: INFO      maxRetry: 2
2018-04-06 15:31:41,243 fail2ban.filter         [4040]: INFO      encoding: UTF-8
2018-04-06 15:31:41,243 fail2ban.actions        [4040]: INFO      banTime: 600
2018-04-06 15:31:41,244 fail2ban.filter         [4040]: INFO      findtime: 600
2018-04-06 15:31:41,246 fail2ban.jail           [4040]: INFO    Jail 'copssh' started
2018-04-06 15:31:41,248 fail2ban.jail           [4040]: INFO    Jail 'win2ban-network-logon' started
2018-04-06 15:32:32,709 fail2ban.filter         [4040]: INFO    [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:29
2018-04-06 15:32:39,423 fail2ban.filter         [4040]: INFO    [win2ban-network-logon] Found 192.168.122.13 - 2018-04-06 15:32:36
2018-04-06 15:32:40,189 fail2ban.actions        [4040]: NOTICE  [win2ban-network-logon] Ban 192.168.122.13
2018-04-06 15:42:37,563 fail2ban.actions        [4040]: NOTICE  [win2ban-network-logon] Unban 192.168.122.13

How can I configure Win2ban for brute force attacks against Copssh ?

Install Win2ban to a separate directory

Enable jail copssh in etc/fail2ban/jail.local:

[DEFAULT]
backend = polling
maxretry = 2
findtime = 600
bantime = 600
banaction = windows-firewall

[copssh]
enabled  = true
filter   = copssh-sshd
logpath  = /winlogbeat/logs/eventlog

Start services win2ban_winlogbeat and win2ban_fail2ban