
<img src="https://raw.githubusercontent.com/Aldaviva/Fail2Ban4Win/master/Fail2Ban4Win/pifmgr_37.ico" height="32" alt="Fail2Ban4Win logo" /> Fail2Ban4Win


Fail2Ban4Win is a background service that temporarily blocks IP ranges in Windows Firewall when enough authentication errors appear in Event Log in a given time period for those IP ranges.

You can customize the duration of the ban, the type of Event Log events to detect, and other options. The example configuration file will set Fail2Ban4Win to ban a /24 subnet for 24 hours after 10 failures to authenticate to Remote Desktop Services, sshd, or both.

  1. Behavior
  2. Requirements
  3. Installation
    1. Upgrade
  4. Configuration
    1. Logging
    2. Handling a new event
  5. Running
  6. Monitoring
    1. GUI
    2. PowerShell
  7. Uninstallation
  8. Acknowledgments

Behavior

  1. Fail2Ban4Win runs in the background as a Windows Service.
  2. Configuration comes from a JSON file in the installation directory.
  3. Fail2Ban4Win listens for Windows Event Log events from various logs and event IDs.
  4. When a matching event is logged by your server software, Fail2Ban4Win extracts the client's IP address from the event data. The IP address is aggregated into a /24 subnet IP range.
  5. Fail2Ban4Win keeps track of how many times each subnet (not each IP address) has triggered any auth failure events over the last 24 hours.
  6. When a given subnet has failed to authenticate 10 cumulative times in the last 24 hours across all Event Log selectors, a Windows Firewall rule is created to block incoming traffic from that subnet on all ports.
  7. After being banned for 1 day, the firewall rule is deleted and the subnet is allowed to fail 10 more times before being banned a second time.
  8. Each time a subnet is repeatedly banned, the ban duration increases by 1 day, up to a maximum of a 4 day ban, after which each subsequent ban will always be 4 days.
  9. When Fail2Ban4Win restarts, it deletes all firewall rules it created and starts from scratch. This allows it to fail open.

You can customize most of the above specifics to suit your banning needs.

Requirements

  • Windows 7 SP1, Windows Server 2008 R2 SP1, or later
  • .NET Framework 4.7.2 or later, which is included in Windows 10 1803 (April 2018 Update), Windows Server 2019, and later
  • Use Windows Firewall, as opposed to a third-party firewall solution

Installation

  1. Download the latest release. There are two artifact options to choose from; the file structure is the only difference. Both artifacts are otherwise equivalent and have the same behavior, features, and bugs.
  2. Extract the contents of the ZIP file to a directory like C:\Program Files (x86)\Fail2Ban4Win\.
  3. Open an elevated PowerShell window (run it as administrator).
  4. Allow PowerShell scripts to run until you close the window.
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
    
  5. Register Fail2Ban4Win as a service.
    & 'C:\Program Files (x86)\Fail2Ban4Win\Install service.ps1'
    
  6. Configure the service in the next section before starting it.

Upgrade

  1. Download the latest release, as described above.
  2. Extract the ZIP file to the installation directory.

[!CAUTION] Don't overwrite config files like configuration.json or NLog.config.

  3. Restart the service using services.msc (GUI), Restart-Service Fail2Ban4Win (PowerShell), or net stop Fail2Ban4Win & net start Fail2Ban4Win (Command Prompt).

Configuration

The provided example configuration file has selectors for Remote Desktop Services, Cygwin OpenSSH sshd (updated in 1.3.1), and Windows OpenSSH sshd (updated in 1.3.1). It also has some example values for neverBanSubnets and other properties that you can replace with your own values.

[!IMPORTANT]
Be aware that isDryRun is set to true in the example configuration to avoid accidentally blocking traffic until you're ready.

  1. Open the configuration.json file from the Fail2Ban4Win installation directory in a text editor. (You may need to start the editor elevated depending on your file permissions.)
  2. Set any of the following properties.

|Property name|Default when omitted|Description|
|---|---|---|
|isDryRun|false|Firewall rules will only be created or deleted when this is false.|
|maxAllowedFailures|9|If an IP range (of size banSubnetBits) exceeds this number of failures during the failureWindow, it will be banned. By default, the 10<sup>th</sup> failure is a ban.|
|failureWindow|1.00:00:00 (1 day)|How long to consider auth failures. By default, 10 failures in 1 day results in a ban. The format is d.hh:mm:ss.|
|banPeriod|1.00:00:00 (1 day)|After enough failures, the IP range will be banned by adding a Windows Firewall block rule, which will then be removed after this period of time. The format is d.hh:mm:ss. By default, a ban lasts 1 day.|
|banSubnetBits|0|Optional CIDR subnet aggregation size when both counting failures and blocking traffic. The example value of 8 bits blocks the /24 subnet, or 255.255.255.0. You can restrict blocking only to the exact IP address by setting this to 0, which is equivalent to /32.|
|banRepeatedOffenseCoefficient|0.0|How much of the banPeriod to add on subsequent offenses (optional). The default banPeriod of 1 day and example coefficient of 1.0 results in a 1 day ban for first offenders, 2 days for 2<sup>nd</sup> offenders, 3 days for 3<sup>rd</sup> offenders, and 4 days for 4<sup>th</sup> offenders or greater. Changing this coefficient from 1.0 to 2.0 would result in successive ban durations of 1 day, 3 days, 5 days, and 7 days instead. Defaults to all subsequent bans having the same duration as initial bans.|
|banRepeatedOffenseMax|4|An optional limit on how many repeated offenses can be used to calculate ban duration. By default, the 5<sup>th</sup> offense and subsequent bans will be capped at the same duration as the 4<sup>th</sup> offense ban, which is 4 days.|
|neverBanSubnets|[]|Optional whitelist of IP ranges that should never be banned, regardless of how many auth failures they generate. Each item can be a single IP address, like 67.210.32.33, or a range, like 67.210.32.0/24.|
|neverBanReservedSubnets|true|By default, IP addresses in the reserved blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 will not be banned, to avoid unintentionally blocking LAN access. To allow all three ranges to be banned, change this to false. To then selectively prevent some of those ranges from getting banned, you may add them to the
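The Behavior list and the configuration properties above, worked through as a small Python model of the counting and escalation rules (an added example, not Fail2Ban4Win's own C# code). The property names are the README's; the configuration.json fragment, the addresses (TEST-NET-3, 203.0.113.0/24) and the timestamps are constructed sample data. Two details the README does not spell out are assumptions here: a range is spared when it overlaps any whitelisted or reserved range, and failures from a range that is already blocked are not counted again. The model handles IPv4 only.

```python
"""Model of the ban logic the README describes (added example; not Fail2Ban4Win's own code).
Property names follow the configuration table; JSON text, addresses and timestamps are constructed."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed configuration.json fragment: only the documented top-level properties, no event selectors.
SAMPLE_CONFIG_JSON = """{
  "isDryRun": false,
  "maxAllowedFailures": 9,
  "failureWindow": "1.00:00:00",
  "banPeriod": "1.00:00:00",
  "banSubnetBits": 8,
  "banRepeatedOffenseCoefficient": 1.0,
  "banRepeatedOffenseMax": 4,
  "neverBanSubnets": ["67.210.32.33", "67.210.32.0/24"],
  "neverBanReservedSubnets": true
}"""
RESERVED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def load_config(text=SAMPLE_CONFIG_JSON):
    return json.loads(text)

def parse_timespan(text):
    """Parse the d.hh:mm:ss format used by failureWindow and banPeriod; the 'd.' part is optional."""
    days = 0
    first, rest = text.split(":", 1)
    if "." in first:
        day_part, first = first.split(".", 1)
        days = int(day_part)
    minutes, seconds = (int(x) for x in rest.split(":"))
    return timedelta(days=days, hours=int(first), minutes=minutes, seconds=seconds)

def subnet_for(ip, ban_subnet_bits):
    """Aggregate an address into its ban range: 0 bits keeps the exact /32, 8 bits gives the /24."""
    return ipaddress.ip_interface(f"{ip}/{32 - ban_subnet_bits}").network

def ban_duration(ban_period, offense_number, coefficient, max_offenses):
    """banPeriod plus coefficient * banPeriod per earlier offense, with the offense count capped."""
    n = min(offense_number, max_offenses)
    return ban_period * (1 + coefficient * (n - 1))

def is_never_banned(subnet, cfg):
    """Whitelist check. Assumption: a range is spared if it overlaps any protected range."""
    protected = [ipaddress.ip_network(s) for s in cfg["neverBanSubnets"]]
    if cfg["neverBanReservedSubnets"]:
        protected += RESERVED
    return any(subnet.overlaps(p) for p in protected)

class BanTracker:
    def __init__(self, cfg):
        self.cfg = cfg
        self.window = parse_timespan(cfg["failureWindow"])
        self.period = parse_timespan(cfg["banPeriod"])
        self.failures = defaultdict(deque)  # subnet -> failure timestamps still inside the window
        self.offenses = defaultdict(int)    # subnet -> number of bans so far
        self.bans = {}                      # subnet -> expiry of the active ban
        self.firewall_rules = set()         # stands in for the Windows Firewall block rules

    def record_failure(self, ip, now):
        """Feed one auth-failure event. Returns the ban expiry if this event triggers a ban, else None."""
        for subnet, expiry in list(self.bans.items()):  # lift bans whose banPeriod has elapsed
            if expiry <= now:
                del self.bans[subnet]
                self.firewall_rules.discard(subnet)
        subnet = subnet_for(ip, self.cfg["banSubnetBits"])
        if subnet in self.bans:
            return None  # assumption: events from an already-blocked range are not counted again
        window = self.failures[subnet]
        window.append(now)
        while now - window[0] > self.window:  # drop failures older than failureWindow
            window.popleft()
        if len(window) <= self.cfg["maxAllowedFailures"] or is_never_banned(subnet, self.cfg):
            return None
        self.offenses[subnet] += 1
        expiry = now + ban_duration(self.period, self.offenses[subnet],
                                    self.cfg["banRepeatedOffenseCoefficient"],
                                    self.cfg["banRepeatedOffenseMax"])
        self.bans[subnet] = expiry
        window.clear()  # after a ban the range gets a fresh allowance of failures
        if not self.cfg["isDryRun"]:
            self.firewall_rules.add(subnet)
        return expiry

def simulate_repeat_offender(rounds=5, cfg=None):
    """Drive one /24 through `rounds` bans; returns each ban's length in days."""
    tracker = BanTracker(cfg or load_config())
    now = datetime(2024, 1, 1)
    durations = []
    for _ in range(rounds):
        expiry, host = None, 0
        while expiry is None:  # one failure per minute from hosts across 203.0.113.0/24
            banned_at = now
            expiry = tracker.record_failure(f"203.0.113.{host % 256}", now)
            now, host = now + timedelta(minutes=1), host + 1
        durations.append((expiry - banned_at).total_seconds() / 86400)
        now = expiry  # the ban lapses, then the same range offends again
    return durations
```

With the sample values, simulate_repeat_offender(5) returns [1.0, 2.0, 3.0, 4.0, 4.0]: the fifth ban is capped by banRepeatedOffenseMax, and changing banRepeatedOffenseCoefficient to 2.0 yields 1, 3, 5, 7, 7 days. Setting isDryRun to true leaves firewall_rules empty while the bans are still tracked, which is the state the shipped example configuration starts in.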
