win2ban - Fail2Ban for Windows with Winlogbeat eventlog shipper

win2ban is a Fail2ban implementation for Windows systems. It is a packaging of Fail2ban, Python, Cygwin, Winlogbeat and many other related tools to make it a complete and ready-to-use solution for brute-force attack protection.

Fail2ban is a generic intrusion prevention system, featuring multiple blocking techniques and preconfigured for a variety of server applications. It operates by monitoring log files for selected entries and running scripts based on them. Winlogbeat reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs. Cygwin is a Linux-like environment for Windows. It consists of a DLL (Cygwin1.dll), which emulates substantial Linux API functionality, and a collection of tools.

form.antibot { display: none !important; } You must have JavaScript enabled to use this form.

About Itefix Labs

Itefix provides a virtual test lab in where you can try our products with full functionality. At the moment we have 6 hosts (Windows 7, 2008 R2, 2012 R2, 10, 2016 and 2019). Our lab has no Internet access.

Itefix software is available for download via a URL on the desktop. You have also access to some popular 3rd party software to test client scenarios.

Select platform: *

Confirmation *

I understand that lab resources are provided for testing Itefix solutions and I apply for instant access for one hour. *

NB! It may take up to one minute to prepare your lab computer. An access link will be displayed at the top of the window.

Leave this field blank

USD 29.00

The product is an installer for 64-bit systems.

Quantity is the number of computers to install the product on.

Volume pricing 29

Volume pricing with maintenance durations (7-days is the default). Prices are in USD.


Quantity	7 days	1 year	2 years	3 years
1	29	71	120	158
2	48	117	199	261
3	67	163	277	364
4	86	210	355	466
5	104	256	433	569
10	199	487	824	1083
15	293	718	1216	1596
20	387	949	1607	2110
25	481	1179	1998	2624
30	576	1410	2389	3137
40	764	1872	3171	4165
50	953	2334	3953	5192
75	1424	3489	5909	7760
100	1895	4643	7865	10329

Installation

Supported platforms: Vista/2008(R2)/7/8/2012(R2)/2016

win2ban comes as a zip archive containing a Nullsoft Installer package. Unzip the downloaded file and run the installer :

Click Next at Welcome-page
View license agreement.
Specify an installation location.
Select components to install. You can choose not to install Winlogbeat if there is no need for making eventlog entries available for processing via Fail2ban in your case.
Installation starts and installs Fail2ban and optional Winlogbeat as services (win2ban_fail2ban and win2ban_winlogbeat)

Usage

Fail2ban configuration files are located at etc/fail2ban. Win2ban is ready-to-protect against RDP/Network login or Copssh SSH attacks out of the box. Otherwise, you need to develop/implement your jails according to your needs. The file jail.local is configured with a proper set of default parameters for Windows usage. The file windows-firewall.local in the action.d directory contains ban/unban commands for the Windows firewall. It is also possible to configure the server using commands sent to it by fail2ban-client. A shell environment can be initiated by running win2ban-shell.cmd located at the root of the installation directory.

Fail2ban log example (var/log/fail2ban.log):

2021-05-09 20:02:21,048 fail2ban.server         : INFO    --------------------------------------------------
2021-05-09 20:02:21,048 fail2ban.server         : INFO    Starting Fail2ban v0.10.4
2021-05-09 20:02:21,155 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2021-05-09 20:02:21,168 fail2ban.database       : WARNING New database created. Version '2'
2021-05-09 20:02:21,170 fail2ban.jail           : INFO    Creating new jail 'win2ban-network-logon'
2021-05-09 20:02:21,171 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' uses poller {}
2021-05-09 20:02:21,171 fail2ban.jail           : INFO    Initiated 'polling' backend
2021-05-09 20:02:21,177 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 5acf97560c9b8014a621577ff3b4bda5)
2021-05-09 20:02:21,177 fail2ban.filter         : INFO      maxRetry: 2
2021-05-09 20:02:21,178 fail2ban.filter         : INFO      encoding: UTF-8
2021-05-09 20:02:21,179 fail2ban.filter         : INFO      findtime: 600
2021-05-09 20:02:21,179 fail2ban.actions        : INFO      banTime: 600
2021-05-09 20:02:21,180 fail2ban.jail           : INFO    Creating new jail 'copssh'
2021-05-09 20:02:21,181 fail2ban.jail           : INFO    Jail 'copssh' uses poller {}
2021-05-09 20:02:21,181 fail2ban.jail           : INFO    Initiated 'polling' backend
2021-05-09 20:02:21,182 fail2ban.filter         : INFO      maxLines: 1
2021-05-09 20:02:21,201 fail2ban.server         : INFO    Jail copssh is not a JournalFilter instance
2021-05-09 20:02:21,203 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 0, hash = 5acf97560c9b8014a621577ff3b4bda5)
2021-05-09 20:02:21,203 fail2ban.filter         : INFO      maxRetry: 2
2021-05-09 20:02:21,203 fail2ban.filter         : INFO      encoding: UTF-8
2021-05-09 20:02:21,204 fail2ban.filter         : INFO      findtime: 600
2021-05-09 20:02:21,204 fail2ban.actions        : INFO      banTime: 600
2021-05-09 20:02:21,211 fail2ban.jail           : INFO    Jail 'win2ban-network-logon' started
2021-05-09 20:02:21,213 fail2ban.jail           : INFO    Jail 'copssh' started
2021-05-09 20:04:52,886 fail2ban.filter         : INFO     Found 192.168.100.22 - 2021-05-09 20:04:49
2021-05-09 20:05:03,081 fail2ban.filter         : INFO     Found 192.168.100.22 - 2021-05-09 20:05:00
2021-05-09 20:05:03,299 fail2ban.actions        : NOTICE   Ban 192.168.100.22

If you have selected to install winlogbeat, it can be configured via winlogbeat/win2ban.yml. By default it is configured to output related event log entries last 72 hours from application, system and security eventlogs, to the logfile winlogbeat\logs\eventlog with the following format:

string: '%{} %{} %{}'

example output:

2018-03-24T10:22:09.000Z 1704 Security policy in the Group policy objects has been applied successfully.

Some good references for fail2ban/winlogbeat usage:

Official Fail2ban Website

Man pages: fail2ban jail.conf fail2ban-client fail2ban-regex fail2ban-server

Linode.com - Use Fail2ban to Secure Your Server

Winlogbeat reference

How can I configure Win2ban for brute force attacks against Copssh ?

How can I configure Win2ban for Windows Remote desktop/Network logons?

How can I unban IP-address(es) manually

How can I verify if a ban rule is in effect for a specific jail ?

How to handle large log files effectively ?

Win2ban 1.1.1

Release date:

09/05/2021

Changelog

Elastic Winlogbeat 6.8.15
Cygwin 3.2.0-1

component name	component version	component license	component source
Fail2ban	0.10.4	Fail2ban license	Source code for Fail2ban
Python	2.7.14	Python license
Cygwin	3.2.0	Cygwin license (GPL/LGPL)	Source code for Cygwin
Elastic Winlogbeat	6.8.15	Winlogbeat license
Win2ban	1.1.1	Itefix EULA

Win2ban 1.1.0

Release date:

27/10/2018

Changelog

Fail2ban 0.10.4
Elastic Winlogbeat 6.4.2
Cygwin 2.11.1

component name	component version	component license	component source
Fail2ban	0.10.4	Fail2ban license	Source code for Fail2ban
Python	2.7.14	Python license
Cygwin	2.11.1	Cygwin license (GPL/LGPL)	Source code for Cygwin
Elastic Winlogbeat	6.4.2	Winlogbeat license
Win2ban	1.1.0	Itefix EULA

Search form

win2ban - Fail2Ban for Windows

Volume pricing 29

Installation

Usage

Win2ban 1.1.1

Win2ban 1.1.0