Anyone who has a system that is accessible on the Internet has likely had their fair share of brute force attempts. Utilizing something like Fail2ban is great because it blocks those type of attacks, providing some level of security. The downfall about Fail2ban is that it was developed for *nix systems so it does no good for a Windows system. Searching the web for Windows variant returns varying degrees of success and features, ultimately lacking what I was looking for. With that, I developed my own version, which I call Invoke-Fail2Ban.
My variant of the tool contains the following features:
- Configurable threshold of failed login attempts and how long an IP should be blocked
- IP whitelisting
- Logging blocked IPs to Windows event log with customizable event source and ID
- Logging blocked and whitelisted IPs to a queryable SQL database
- Customizable ban timeout
- Option for mass and quick removal of all banned IPs
To use the tool, head over to my Github (https://github.com/wiredpulse/Invoke-Fail2Ban) and download the repo.
Once the repo is downloaded, unzip it to a suitable location. Navigate to the Invoke-Fail2Ban-master folder and open the Invoke-Fail2ban.ps1 using your favorite text editor. Adjust configuration options just after the initial comment, as desired. The configuration options include the following:
- $fails = 4 (default)
- Number of fails before an IP is banned
- $cycleDuration = 5 (default)
- Number of minutes between checking for failures
- $endTime = 2 (default)
- Number of days worth of logs to checked for failures against
- $banLength = 7 (default)
- Number of days to ban an IP once banned
- $eventSource = Invoke-Fail2Ban (default)
- Event source name within the Application log to log the ban to
- $eventID = 1337 (default)
- Event log ID within the Application log to log events under
When configurations are complete, save the script and execute it in an elevated PowerShell window. The script will run until it is stopped, providing output and status to the screen.
Additional screenshots of the execution and options can be found on the Github page.