win2ban - Fail2Ban for Windows
win2ban is a Fail2ban implementation for Windows systems. It is a packaging of Fail2ban, Python, Cygwin, Winlogbeat and many other related tools to make it a complete and ready-to-use solution for brute-force attack protection.
Fail2ban is a generic intrusion prevention system, featuring multiple blocking techniques and preconfigured for a variety of server applications. It operates by monitoring log files for selected entries and running scripts based on them. Winlogbeat reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs. Cygwin is a Linux-like environment for Windows. It consists of a DLL (Cygwin1.dll), which emulates substantial Linux API functionality, and a collection of tools.
Installation
Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016
win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run the installer:
- Click Next on the Welcome page.
- View the license agreement.
- Specify an installation location.
- Select the components to install. You can choose not to install Winlogbeat if you have no need to make event log entries available for processing via Fail2ban.
- Installation starts and installs Fail2ban and, optionally, Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat).
Usage
Fail2ban configuration files are located at etc/fail2ban. You need to develop/implement your jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains ban/unban commands for the Windows firewall. It is also possible to configure the server using commands sent to it by fail2ban-client. A shell environment can be initiated by running win2ban-shell.cmd located at the root of the installation directory. See also our FAQs for more examples:
- How can I configure Win2ban for Windows Remote desktop/Network logons?
- How can I configure Win2ban for brute force attacks against Copssh?
A simple fail2ban example (the jail name test and the [Definition] section are the section headers fail2ban requires; they match the jail and filter names used in the log below):

Log file tmp/test.log:
Problem: 1.2.3.4 2018-03-26 22:37:16
Problem: 1.2.3.4 2018-03-26 22:41:12
Problem: 5.6.7.8 2018-03-26 22:41:16

File etc/fail2ban/jail.local:
[test]
maxretry = 1
findtime = 6000
bantime = 180
banaction = windows-firewall
backend = polling
enabled = true
filter = test
logpath = /tmp/test.log

File etc/fail2ban/filter.d/test.local:
[Definition]
failregex = ^Problem: <HOST>\s*$
ignoreregex =
Fail2ban log example (var/log/fail2ban.log):
2018-03-26 22:36:42,176 fail2ban.server : INFO --------------------------------------------------
2018-03-26 22:36:42,176 fail2ban.server : INFO Starting Fail2ban v0.10.2
2018-03-26 22:36:42,176 fail2ban.server : INFO Daemon started
2018-03-26 22:36:42,209 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-26 22:36:42,212 fail2ban.jail : INFO Creating new jail 'test'
2018-03-26 22:36:42,212 fail2ban.jail : INFO Jail 'test' uses poller {}
2018-03-26 22:36:42,213 fail2ban.jail : INFO Initiated 'polling' backend
2018-03-26 22:36:42,215 fail2ban.filter : INFO Added logfile: '/tmp/test.log' (pos = 761, hash = ab6aa4af41e46cc1dfbb26a99bc80bd0)
2018-03-26 22:36:42,216 fail2ban.filter : INFO maxRetry: 1
2018-03-26 22:36:42,216 fail2ban.filter : INFO encoding: UTF-8
2018-03-26 22:36:42,217 fail2ban.actions : INFO banTime: 180
2018-03-26 22:36:42,217 fail2ban.filter : INFO findtime: 6000
2018-03-26 22:36:42,220 fail2ban.jail : INFO Jail 'test' started
2018-03-26 22:37:28,483 fail2ban.filter : INFO Found 1.2.3.4 - 2018-03-26 22:37:12
2018-03-26 22:37:28,483 fail2ban.filter : INFO Found 1.2.3.4 - 2018-03-26 22:37:16
2018-03-26 22:37:29,220 fail2ban.actions : NOTICE Ban 1.2.3.4
2018-03-26 22:40:16,358 fail2ban.actions : NOTICE Unban 1.2.3.4
2018-03-26 22:42:07,750 fail2ban.filter : INFO Found 1.2.3.4 - 2018-03-26 22:41:12
2018-03-26 22:42:07,750 fail2ban.filter : INFO Found 5.6.7.8 - 2018-03-26 22:41:16
2018-03-26 22:42:07,766 fail2ban.actions : NOTICE Ban 1.2.3.4
2018-03-26 22:42:07,891 fail2ban.actions : NOTICE Ban 5.6.7.8
2018-03-26 22:44:13,826 fail2ban.actions : NOTICE Unban 1.2.3.4
2018-03-26 22:44:18,041 fail2ban.actions : NOTICE Unban 5.6.7.8
2018-03-27 00:01:10,808 fail2ban.server : INFO Shutdown in progress...
2018-03-27 00:01:10,808 fail2ban.server : INFO Stopping all jails
2018-03-27 00:01:10,808 fail2ban.filter : INFO Removed logfile: '/tmp/test.log'
2018-03-27 00:01:11,245 fail2ban.jail : INFO Jail 'test' stopped
2018-03-27 00:01:11,245 fail2ban.database : INFO Connection to database closed.
2018-03-27 00:01:11,245 fail2ban.server : INFO Exiting Fail2ban
2018-03-27 09:00:07,232 fail2ban.server : INFO --------------------------------------------------
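To see why the jail above produces the Ban/Unban sequence in that log, the following added example (not part of win2ban or fail2ban; written for this page) replays the three test.log lines through the filter and the maxretry/findtime/bantime rules. It assumes a simplified IPv4-only <HOST> and a simplified date pattern; the sample log is constructed from the page's example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; same lines as the page's tmp/test.log example.
TEST_LOG = """\
Problem: 1.2.3.4 2018-03-26 22:37:16
Problem: 1.2.3.4 2018-03-26 22:41:12
Problem: 5.6.7.8 2018-03-26 22:41:16
"""
# Fail2ban finds the timestamp first and strips it from the line before the
# failregex runs, so ^Problem: <HOST>\s*$ matches lines that end in a date.
# Simplified: the real <HOST> also matches IPv6 and hostnames, IPv4 only here.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
FAIL_RE = re.compile(r"^Problem: <HOST>\s*$".replace(
    "<HOST>", r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"))


def parse_failures(log_text):
    """Return [(timestamp, host)] for every line the filter matches."""
    failures = []
    for line in log_text.splitlines():
        date = DATE_RE.search(line)
        m = date and FAIL_RE.match(DATE_RE.sub("", line, count=1))
        if m:
            stamp = datetime.strptime(date.group(0), "%Y-%m-%d %H:%M:%S")
            failures.append((stamp, m.group("host")))
    return failures


def simulate_jail(failures, maxretry=1, findtime=6000, bantime=180):
    """Replay failures per fail2ban's rules (ban at `maxretry` failures within
    `findtime` s, unban `bantime` s later); return ("Ban"|"Unban", host, time)."""
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent, banned_until, events = {}, {}, []
    for stamp, host in sorted(failures):
        # release bans whose bantime elapsed before this failure arrived
        for h, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
            if until <= stamp:
                events.append(("Unban", h, until))
                del banned_until[h]
        if host in banned_until:
            continue  # already banned; fail2ban does not ban twice
        hits = [t for t in recent.get(host, []) if stamp - t <= window]
        recent[host] = hits + [stamp]
        if len(recent[host]) >= maxretry:
            events.append(("Ban", host, stamp))
            banned_until[host] = stamp + ban_len
            recent[host] = []  # failures are cleared once the host is banned
    for h, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
        events.append(("Unban", h, until))  # bans that outlive the log
    return events
```

With the page's values (maxretry = 1) every matched line bans immediately, as in the log; calling simulate_jail(parse_failures(TEST_LOG), maxretry=2) shows that only 1.2.3.4, which fails twice inside findtime, would be banned.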
If you chose to install Winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to write event log entries from the last 72 hours of the Application, System and Security event logs to the log file winlogbeat\logs\eventlog, using the following format:
string: '%{} %{} %{}'
Example output:
2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.
Some good references for fail2ban/winlogbeat usage:
- Man pages: fail2ban, jail.conf, fail2ban-client, fail2ban-regex, fail2ban-server
- Linode.com - Use Fail2ban to Secure Your Server
This package contains components with the following terms of licensing:
Component | Version | Licensing |
Fail2ban | 0.10.4 | Fail2ban license. Source code for Duplicity is available here. |
Python | 2.7.14 | Python license |
Cygwin and GNU tools | 2.11.1 | CYGWIN license. Source code for Cygwin and GNU Tools is available here. |
Elastic Winlogbeat | 6.4.2 | Winlogbeat license |
win2ban | 1.1.0 | |