Does fail2ban do Windows?

Can anyone recommend a fail2ban-like tool for a Windows OS? I've got a couple of Windows Media servers that get hammered with brute force authentication attempts. I would like to plug these authentication failures into some kind of blocking tool.


Solution 1:

I know of no tool that will do this "out of the box". I wrote a script to do something like this with failed OpenSSH logons on Windows, but I can't share it with you because it "belongs" to the Customer for whom I wrote it.

Having said that, it was a simple VBScript program that had an event log sink to watch for new failed logons and, if enough happened in a time window, add an IP route (using the "route" command) to route traffic to the offending IP address to a "MS Loopback Adapter" on the system.

For other types of logs, it would be a fairly trivial matter to write. Since I didn't have IPtables on Windows, the loopback adapter seemed like the next best thing. (You can't do a "route x.x.x.x mask 255.255.255.255 127.0.0.1" on Windows-- you need an adapter to route the traffic to, because the 127.0.0.1 loopback isn't a "real" interface on Windows.)

(If you want something like this written, contact me out-of-band and we can discuss the specifics of such an arrangement.)

Edit:

I decided to write something to do this and I've released it under a Free license.

Solution 2:

Check out this project - ts_block

I'm using it and thus far its terrific (Windows Server 2008 R2 RDS, system is behind a firewall but I didn't feel like using an ssl vpn gateway to the server)

Solution 3:

wail2ban claims to be a Windows port of fail2ban

Solution 4:

I found a tool called RdpGuard (https://rdpguard.com) that starts at $79 and appears like it might work. I haven't tested it yet, but might give it a go for my SMTP solution.

Solution 5:

I recently installed IPBan on Windows Server 2019:
https://github.com/digitalruby/ipban

And it's radically decreased number of failed RDP logins:
Failed RDP logons