Does fail2ban do Windows?

Question

Can anyone recommend a fail2ban-like tool for a Windows OS? I've got a couple of Windows Media servers that get hammered with brute force authentication attempts. I would like to plug these authentication failures into some kind of blocking tool.

score 34 · Accepted Answer · edited Apr 13 '17 at 12:14

I know of no tool that will do this "out of the box". I wrote a script to do something like this with failed OpenSSH logons on Windows, but I can't share it with you because it "belongs" to the Customer for whom I wrote it.

Having said that, it was a simple VBScript program that had an event log sink to watch for new failed logons and, if enough happened in a time window, add an IP route (using the "route" command) to route traffic to the offending IP address to a "MS Loopback Adapter" on the system.

For other types of logs, it would be a fairly trivial matter to write. Since I didn't have IPtables on Windows, the loopback adapter seemed like the next best thing. (You can't do a "route x.x.x.x mask 255.255.255.255 127.0.0.1" on Windows-- you need an adapter to route the traffic to, because the 127.0.0.1 loopback isn't a "real" interface on Windows.)

(If you want something like this written, contact me out-of-band and we can discuss the specifics of such an arrangement.)

Edit:

I decided to write something to do this and I've released it under a Free license.

score 6 · Answer 2 · answered Feb 11 '20 at 22:28

6

I recently installed IPBan on Windows Server 2019:
https://github.com/digitalruby/ipban

And it's radically decreased number of failed RDP logins:

answered Feb 11 '20 at 22:28

Slavik

228

KERR · Answer 3 · 2021-04-25T05:42:00.503

3

EvlWatcher

What's EvlWatcher?

It's basically a fail2ban for windows. Its goals are also mainly what we love about fail2ban:

pre-configured
no-initial-fucking-around-with-scripts-or-config-files
install-and-forget

edited Apr 25 '21 at 05:42

answered Apr 25 '21 at 05:22

KERR

454
5
10

score 3 · Answer 4 · edited Dec 16 '11 at 09:49

3

Check out this project - ts_block

I'm using it and thus far its terrific (Windows Server 2008 R2 RDS, system is behind a firewall but I didn't feel like using an ssl vpn gateway to the server)

edited Dec 16 '11 at 09:49

pauska

19,766

answered Dec 15 '11 at 18:17

chris dolese

39

score 1 · Answer 5 · answered Nov 17 '16 at 20:50

1

wail2ban claims to be a Windows port of fail2ban

answered Nov 17 '16 at 20:50

Anse

111

score 1 · Answer 6 · answered Jul 14 '17 at 19:20

1

I found a tool called RdpGuard (https://rdpguard.com) that starts at $79 and appears like it might work. I haven't tested it yet, but might give it a go for my SMTP solution.

answered Jul 14 '17 at 19:20

Zhong Zhang

11

itefix · Answer 7 · 2023-03-28T11:19:44.620

1

You may check Win2ban which is a Fail2ban implementation for Windows systems. It is a packaging of Fail2ban, Python, Cygwin, Winlogbeat and many other related tools to make it a complete and ready-to-use solution for brute-force attack protection.

NB! We are the developer of the solution.

edited Mar 28 '23 at 11:19

answered Mar 28 '18 at 21:15

itefix

111

score 0 · Answer 8 · answered Jun 18 '09 at 15:33

It doesn't look like fail2ban runs on windows at all, as it requires iptables which is only available on Linux.

However, I would suggest that you block everything and white-list only the IPs/names you want to be able to connect to the server(s) in question, if at all possible.

score 0 · Answer 9 · answered Oct 18 '13 at 18:39

0

Another option that I've found is QaaSWall, I haven't tested it yet, but I will be in the next day or so.

answered Oct 18 '13 at 18:39

Matt Bear

874

Does fail2ban do Windows?

9 Answers9

I decided to write something to do this and I've released it under a Free license.

Linked

Related