Does fail2ban do Windows?
Can anyone recommend a fail2ban-like tool for a Windows OS? I've got a couple of Windows Media servers that get hammered with brute force authentication attempts. I would like to plug these authentication failures into some kind of blocking tool.
Solution 1:
I know of no tool that will do this "out of the box". I wrote a script to do something like this with failed OpenSSH logons on Windows, but I can't share it with you because it "belongs" to the Customer for whom I wrote it.
Having said that, it was a simple VBScript program that had an event log sink to watch for new failed logons and, if enough happened in a time window, add an IP route (using the "route" command) to route traffic to the offending IP address to a "MS Loopback Adapter" on the system.
For other types of logs, it would be a fairly trivial matter to write. Since I didn't have IPtables on Windows, the loopback adapter seemed like the next best thing. (You can't do a "route x.x.x.x mask 255.255.255.255 127.0.0.1" on Windows-- you need an adapter to route the traffic to, because the 127.0.0.1 loopback isn't a "real" interface on Windows.)
(If you want something like this written, contact me out-of-band and we can discuss the specifics of such an arrangement.)
Edit:
I decided to write something to do this and I've released it under a Free license.
Solution 2:
Check out this project - ts_block
I'm using it and thus far its terrific (Windows Server 2008 R2 RDS, system is behind a firewall but I didn't feel like using an ssl vpn gateway to the server)
Solution 3:
wail2ban claims to be a Windows port of fail2ban
Solution 4:
I found a tool called RdpGuard (https://rdpguard.com) that starts at $79 and appears like it might work. I haven't tested it yet, but might give it a go for my SMTP solution.
Solution 5:
I recently installed IPBan on Windows Server 2019:
https://github.com/digitalruby/ipban
And it's radically decreased number of failed RDP logins: