How to Implement Fail2ban-Style IP Blocking on Windows Servers for Brute Force Protection



While fail2ban is a Linux-centric solution, Windows administrators face similar brute force attacks - particularly on services like RDP, SMB, and Windows Media Servers. The core challenge remains: automatically parsing authentication logs and dynamically blocking malicious IPs.

Windows actually has built-in capabilities that can be leveraged:

# PowerShell to query failed login attempts (run from an elevated session: the Security log
# is not readable by standard users, and event 4625 is only written when failure auditing
# for the Logon subcategory is enabled)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
} -MaxEvents 50 | Format-Table -Property TimeCreated,Message

Combine this with the Windows Firewall:

# Block an IP in Windows Firewall (this rule only blocks RDP from that address;
# drop protocol= and localport= to block all inbound traffic from it)
netsh advfirewall firewall add rule name="BlockRDPBruteForce" dir=in action=block remoteip=192.168.1.100 protocol=TCP localport=3389

For those wanting a more fail2ban-like experience:

  • EvlWatcher: Open-source tool that monitors Event Viewer logs
  • Windows Firewall with Advanced Security: Can be scripted with PowerShell
  • OSSEC: Cross-platform HIDS with Windows agent

Here's a basic PowerShell script that mimics fail2ban functionality:

# Fail2ban-style protection for Windows (run elevated; 4625 requires Logon failure auditing)
$maxAttempts = 5
$lookbackMinutes = 60
$securityLog = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
    StartTime=(Get-Date).AddMinutes(-$lookbackMinutes)
} -ErrorAction SilentlyContinue   # "no events found" is an error for Get-WinEvent; treat it as an empty result

# Property 19 of event 4625 is the source IpAddress; it is '-' for console or local failures,
# which cannot be blocked by address and would otherwise produce a bogus rule
$failedLogins = $securityLog |
    Where-Object { $_.Properties[19].Value -and $_.Properties[19].Value -ne '-' } |
    Group-Object -Property {$_.Properties[19].Value}

foreach ($ip in $failedLogins) {
    if ($ip.Count -ge $maxAttempts) {
        $ruleName = "AutoBlock_$($ip.Name)_$(Get-Date -Format 'yyyyMMdd')"
        # Skip addresses already blocked today so repeated runs do not pile up duplicate rules
        if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) { continue }
        netsh advfirewall firewall add rule name=$ruleName dir=in action=block remoteip=$($ip.Name)
        Write-Host "Blocked $($ip.Name) with $($ip.Count) failed attempts"
    }
}

For production environments:

  • Size and retain the Security log so the lookback window is never overwritten (a small log that wraps under attack hides the very events you need)
  • Create whitelists for trusted IPs
  • Consider integrating with SIEM solutions
  • Implement email/SMS alerts for critical blocks

Regularly review your blocked IPs:

# List all active block rules
netsh advfirewall firewall show rule name=all | Where-Object {$_ -match "AutoBlock"}

Remember to periodically clean up old rules to prevent firewall bloat.
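The production points above (a whitelist of trusted addresses, temporary rather than permanent blocks, and periodic cleanup of old rules) can be folded into the script itself. The following is an added example written for this page, not code from the original article or from any of the tools it names; the function names Get-BruteForceSources, Add-TemporaryBlock and Remove-ExpiredBlock, the contents of $Whitelist and the 24-hour block length are assumptions for illustration. It records each rule's expiry in the firewall rule's Description field, so the cleanup pass needs no separate state file, and it never creates a second rule for an address that already has one.

```powershell
# Added example: fail2ban-style blocking with whitelist, idempotent rules and expiry.
# Function names, whitelist entries and timings are hypothetical. Requires an elevated
# session and the NetSecurity module (Windows 8 / Server 2012 and later).

$Threshold       = 5            # failures per source address before blocking
$LookbackMinutes = 60
$BlockMinutes    = 24 * 60      # temporary block; Remove-ExpiredBlock lifts it afterwards
$RulePrefix      = 'AutoBlock_'
# Constructed whitelist: a management jump host and the office range. Never block these.
$Whitelist = @('10.0.0.5', '192.168.10.0/24')

function ConvertTo-UInt32 {
    param([string]$Address)
    # Big-endian octets to an unsigned integer; IPv4 only
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
}

function Test-InWhitelist {
    param([string]$Address)
    foreach ($entry in $Whitelist) {
        if ($entry -notmatch '/') {
            if ($Address -eq $entry) { return $true }   # exact match (IPv4 or IPv6 literal)
            continue
        }
        # CIDR entries are IPv4 only in this example; non-IPv4 addresses never match them
        $net, $bits = $entry -split '/'
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$parsed) -or
            $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) {
            return $true
        }
    }
    return $false
}

function Get-BruteForceSources {
    # Addresses that exceeded the threshold in the lookback window, minus the whitelist
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; ID = 4625; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    } -ErrorAction SilentlyContinue            # no matching events: empty result, not an error
    $events |
        ForEach-Object { $_.Properties[19].Value } |                   # 4625 field 19 = IpAddress
        Where-Object { $_ -and $_ -ne '-' -and $_ -notin @('127.0.0.1', '::1') } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold -and -not (Test-InWhitelist $_.Name) } |
        ForEach-Object { [pscustomobject]@{ Address = $_.Name; Failures = $_.Count } }
}

function Add-TemporaryBlock {
    param([string]$Address, [int]$Failures)
    $name = "$RulePrefix$Address"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return                                 # already blocked; do not stack duplicate rules
    }
    $expires = (Get-Date).AddMinutes($BlockMinutes).ToString('o')
    # The expiry lives in the rule description, so cleanup needs no external state
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $Address -Description "expires=$expires failures=$Failures" | Out-Null
    Write-Host "Blocked $Address ($Failures failures) until $expires"
}

function Remove-ExpiredBlock {
    $now = Get-Date
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Description -match 'expires=(\S+)' -and [datetime]::Parse($Matches[1]) -lt $now) {
            Remove-NetFirewallRule -Name $_.Name
            Write-Host "Expired block removed: $($_.DisplayName)"
        }
    }
}

# One pass: lift expired blocks first, then add new ones. Run this on a schedule.
Remove-ExpiredBlock
Get-BruteForceSources | ForEach-Object { Add-TemporaryBlock -Address $_.Address -Failures $_.Failures }
```

Because the rule name is derived from the address alone (no date suffix), an attacker who keeps hammering the host after the block expires is simply re-blocked under the same name; if you want escalating block lengths on repeat offenders, extend the description with a counter and read it back in Add-TemporaryBlock.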


While Linux administrators have long relied on fail2ban to automatically block malicious IPs after repeated authentication failures, Windows environments traditionally lacked native equivalents. This creates significant exposure for services like Windows Media Servers facing brute force attacks.

These tools provide similar functionality to fail2ban:

  1. Windows Event Forwarding + PowerShell - Native solution using built-in Windows features
  2. EvlWatcher - Open-source tool parsing Windows Event Logs
  3. IPBan - Open-source blocker (a paid Pro edition adds extra features)

For those preferring a custom approach, here's a basic implementation:


# Parse Security logs for failed logins (run elevated)
$FailedLogins = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4625
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Extract offending IPs. Property 19 holds only the address (the port is property 20),
# so there is nothing to split off; splitting on ':' would also mangle IPv6 addresses.
$BadIPs = $FailedLogins | ForEach-Object {
    $_.Properties[19].Value
} | Where-Object { $_ -and $_ -ne '-' } |
    Group-Object | Where-Object {$_.Count -gt 5} | Select-Object -ExpandProperty Name

# Add firewall rules (skip addresses that already have one)
foreach ($IP in $BadIPs) {
    if (Get-NetFirewallRule -DisplayName "BlockBruteForce_$IP" -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName "BlockBruteForce_$IP" -Direction Inbound `
        -Action Block -RemoteAddress $IP -Protocol Any -Enabled True
}

EvlWatcher, the open-source option listed above, offers more robust monitoring than a one-off script. The configuration below illustrates the settings involved (threshold, time window, block duration and the firewall action taken); check the file format your installed version expects before copying it:


# Sample configuration (evlwatcher.ini)
[BruteForce]
Enabled = true
LogType = Security
EventID = 4625
Threshold = 5
TimeFrame = 3600
BlockTime = 86400
Action = netsh advfirewall firewall add rule name="EVL_Block_%IP%" dir=in action=block remoteip=%IP%

Whichever tool you choose:

  • Combine with geo-IP blocking for known hostile regions
  • Implement temporary rather than permanent blocks
  • Monitor for false positives affecting legitimate users
  • Consider rate-limiting as alternative to complete blocking
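Whatever the blocking logic, two things have to be true before it does anything useful: failed logons must actually be audited (event 4625 is only written when failure auditing for the Logon subcategory is enabled), and the script must run on a schedule with enough privilege to read the Security log and change firewall rules. The following added example, not from the original page, shows that deployment step plus a review command for the resulting rules. It assumes the blocker script was saved as C:\Scripts\Block-BruteForce.ps1 (a hypothetical path), the AutoBlock_ rule prefix used above, and a task name of BruteForceBlocker.

```powershell
# Added example: deploy the blocker as a recurring task. Path and task name are hypothetical.
# Run from an elevated PowerShell session.

# 1. Make sure failed logons are logged at all. Without this, 4625 never appears
#    and every script on this page silently blocks nothing.
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /get /subcategory:"Logon"        # expect "Failure" or "Success and Failure"

# 2. Run the script every 5 minutes as SYSTEM (reads the Security log, edits firewall rules).
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Block-BruteForce.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 3650)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'BruteForceBlocker' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# 3. Review what is currently blocked: rule name, the remote address it blocks, and the
#    description (where the example above stores the expiry time).
Get-NetFirewallRule -DisplayName 'AutoBlock_*' | ForEach-Object {
    [pscustomobject]@{
        Rule        = $_.DisplayName
        Remote      = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Enabled     = $_.Enabled
        Description = $_.Description
    }
} | Format-Table -AutoSize
```

A 5-minute interval caps how long an attacker can keep guessing between detection runs; shorten it if the threshold is low, and watch the review output for the first few days, because a legitimate user with a stale saved password on a laptop produces exactly the same 4625 pattern as an attacker.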

For large deployments, commercial solutions like ManageEngine ADAudit Plus or Quest Change Auditor provide:

  • Centralized monitoring across multiple servers
  • Detailed reporting and alerting
  • Integration with SIEM systems
  • Automated remediation workflows