• This repository has been archived on 07/Nov/2020
  • Language: PowerShell
  • License: BSD 3-Clause "New...


fail2ban, for Windows.

wail2ban

No Maintenance Intended


wail2ban is a Windows port of the basic functionality of fail2ban, combining elements of ts_block.

overview

wail2ban is a system that watches incoming failed-access events for a configurable set of known event IDs and, given enough failed attempts within a period of time, creates temporary firewall rules to block access.

installation

Installing wail2ban is a matter of a few simple tasks:

  • copy all the repository files to a location on the client machine, e.g. C:\scripts\wail2ban
  • Using Task Scheduler, import the start wail2ban onstartup.xml file to automatically create a scheduled task to start the script when the machine boots.
  • Initiate the script by running the start wail2ban.bat file. This is what the scheduled task starts.

commandline execution

wail2ban has Write-Debug calls throughout; uncomment the $DebugPreference line to enable them. This prints the debug trace to the console when running ad hoc from CMD.

There are also a number of options that can be run against the script to control it:

  • -config : dumps a parsed output of the configuration file to standard out, including timing and whitelist configurations.
  • -jail : shows the current set of banned IPs on the machine
  • -jailbreak : unbans every IP currently banned by the script.

technical overview

Event logs for various software packages are configured to produce messages when failed connections occur. The contents of these events usually contain an IP and a message along the lines of "This IP failed to connect to your server."

Typical examples of this include:

  • Security Event ID 4625, "Windows Security Auditing":
    An account failed to log in. ... Source Network Address: 11.22.33.44

Database products also include these kinds of events, such as:

  • Application Event ID 18456, "Microsoft SQL Server":
    Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 11.22.33.44]

These events are produced any time someone mistypes a password, or similar.

The issue occurs when automated brute-force tools attempt to access systems multiple times a second.

what wail2ban does

wail2ban is a real-time event sink for these messages. As messages come in, wail2ban takes note of the time of the attempt and the IP used in the attempt. Given enough attempts in a specific period of time, wail2ban will generate a firewall rule to block all access to the client machine for a certain period of time.

In a default setup, if an IP produces 5 failed password attempts in a 2 minute period, it is banned from attempting again for a period of time.

How long? Well, that depends on how many times they've been banned before!

There is a file called BannedIPLog.ini that keeps a count of how many times each IP has been banned.

The punishment time is based on the function y = 5^x, where x is the number of times the IP has been banned and y is the number of minutes it is banned for.

This allows bans to scale while preventing permanent bans, which may cause issues in the future as IPs are reassigned around the blagosphere.

There is also a $MAX_BANDURATION in place, which means that an IP cannot be banned for more than 3 months. Given that the ban duration function reaches values of years by the 10th ban, it's better to cap things out.
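The following PowerShell script is an added example, not wail2ban's own code, that walks through the logic of the technical overview and this section end to end on constructed sample events: it extracts the client IP from the two event types quoted above, counts failures per IP in a sliding window using the README's default of 5 attempts in 2 minutes, and computes the escalating ban length y = 5^x capped by $MAX_BANDURATION. All function and variable names are this example's own; the 90-day value for the "3 months" cap, and the choice to count the current ban as x = 1, are assumptions.

```powershell
# Added example (not wail2ban's own code): event parsing, windowed counting and
# the 5^x ban curve from the README, exercised on constructed sample messages.

$CHECK_WINDOW_SECONDS = 120          # README default: 5 failures within 2 minutes
$CHECK_COUNT          = 5
$MAX_BANDURATION      = 90 * 24 * 60 # minutes; the "3 months" cap, 90 days assumed here

# Regexes for the client address in each event type quoted above (IPv4 only).
$IpPatterns = @{
    4625  = 'Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})'  # Windows Security Auditing
    18456 = '\[CLIENT:\s*(\d{1,3}(?:\.\d{1,3}){3})\]'             # Microsoft SQL Server
}

function Get-FailedLoginIP {
    param([int]$EventId, [string]$Message)
    if (-not $IpPatterns.ContainsKey($EventId)) { return $null }   # unknown event id: ignore
    if ($Message -match $IpPatterns[$EventId]) { return $Matches[1] }
    return $null
}

# y = 5^x minutes, x = ban count including the current one (assumption), capped.
function Get-BanDurationMinutes {
    param([int]$BanCount)
    $minutes = [math]::Pow(5, $BanCount)
    return [int][math]::Min($minutes, $MAX_BANDURATION)
}

$Attempts  = @{}   # ip -> ArrayList of attempt timestamps still inside the window
$BanCounts = @{}   # ip -> number of bans so far (the role BannedIPLog.ini plays)
$Jail      = @{}   # ip -> unban time

# Record one failed attempt; returns a description if this attempt triggers a ban.
function Register-FailedAttempt {
    param([string]$Ip, [datetime]$When)
    if (-not $Attempts.ContainsKey($Ip)) { $Attempts[$Ip] = New-Object System.Collections.ArrayList }
    [void]$Attempts[$Ip].Add($When)

    # Drop attempts that have fallen out of the window.
    $cutoff = $When.AddSeconds(-$CHECK_WINDOW_SECONDS)
    $recent = @($Attempts[$Ip] | Where-Object { $_ -ge $cutoff })
    $Attempts[$Ip] = [System.Collections.ArrayList]$recent

    if ($recent.Count -ge $CHECK_COUNT -and -not $Jail.ContainsKey($Ip)) {
        $BanCounts[$Ip] = 1 + [int]$BanCounts[$Ip]
        $minutes   = Get-BanDurationMinutes -BanCount $BanCounts[$Ip]
        $Jail[$Ip] = $When.AddMinutes($minutes)
        $Attempts[$Ip].Clear()
        # wail2ban would create the firewall rule at this point (BLOCK_TYPE netsh per the README).
        return "ban $Ip until $($Jail[$Ip]) ($minutes min, ban #$($BanCounts[$Ip]))"
    }
    return $null
}

# Constructed sample events (not real log data): one host failing five logons in
# under a minute, plus a single SQL Server failure from another host.
$t0 = Get-Date '2020-11-07 10:00:00'
$events = @()
foreach ($sec in 0, 10, 25, 40, 55) {
    $events += @{ Id = 4625; Offset = $sec;
                  Message = 'An account failed to log in. ... Source Network Address: 11.22.33.44' }
}
$events += @{ Id = 18456; Offset = 30;
              Message = "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.9.8.7]" }

foreach ($e in ($events | Sort-Object { $_.Offset })) {
    $ip = Get-FailedLoginIP -EventId $e.Id -Message $e.Message
    if ($ip) {
        $verdict = Register-FailedAttempt -Ip $ip -When $t0.AddSeconds($e.Offset)
        if ($verdict) { Write-Host $verdict }
    }
}

# The escalation curve: with a 90-day cap, the cap takes over from the 8th ban onward.
1..10 | ForEach-Object { '{0,2} ban(s) -> {1,7} min' -f $_, (Get-BanDurationMinutes -BanCount $_) }
```

Run as-is on any PowerShell 3.0 or later; it touches no event log and no firewall, so it is safe to use for reasoning about thresholds before changing the real configuration. The host with five failures in 55 seconds is banned for 5 minutes on its first offence, while the lone SQL Server failure never reaches the threshold.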

failsafes

As with all automated systems, there can be some false-positives.

Whitelists - this script can be configured with a whitelist of IPs that it will never ban, such as a company IP block.

Self-list - the script automatically adds to the whitelist a set of IPs it knows not to ban, based on the configured static IPs of the host machine. That is, it will ignore attempts from itself (or event logs which list its own IP in the message).

Timeouts - IPs are only banned for a specific period of time. After this time, they are removed from the firewall by the script. The timeouts are processed once a new failed attempt is captured by the system. This may mean that IPs are unbanned somewhat after their exact unlock time, but for sufficiently attacked systems, this difference is not a major issue.

Jailbreak - a command-line option, -jailbreak, can be run against the script at any time to immediately remove all banned IPs. All their counters are reset, and it is as if the IP never tried to attack the machine.
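As an added example of the failsafes described above (this is not wail2ban's own code, and every name in it is this example's own), the PowerShell below implements a whitelist that accepts single IPv4 addresses or CIDR blocks such as a company IP range, builds a self-list from the host's own addresses, and sweeps expired bans out of a jail table the way wail2ban does when a new failed attempt arrives. Deriving the self-list from DNS resolution of the hostname plus loopback is an approximation of wail2ban's "configured static IPs"; the jail contents are constructed sample data.

```powershell
# Added example (not wail2ban's own code): whitelist, self-list and timeout sweep.

$ALL_ONES = [uint64]4294967295   # 32 set bits; avoids the signed 0xFFFFFFFF literal

# True if $Ip (dotted IPv4) falls inside $Cidr, given as "a.b.c.d" or "a.b.c.d/n".
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                        # bare address = exact match
    # Big-endian address bytes reversed into a host-order integer.
    $toInt = { param($a) [BitConverter]::ToUInt32(([IPAddress]$a).GetAddressBytes()[3..0], 0) }
    $mask  = if ([int]$bits -eq 0) { [uint64]0 } else { ($ALL_ONES -shl (32 - [int]$bits)) -band $ALL_ONES }
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# Self-list: addresses this host answers to, so it never bans itself.
# wail2ban reads the configured static IPs; here the hostname is resolved instead.
function Get-SelfIPs {
    $own = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
           Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
           ForEach-Object { $_.IPAddressToString }
    return @('127.0.0.1') + @($own)
}

function Test-Whitelisted {
    param([string]$Ip, [string[]]$Whitelist)
    foreach ($entry in $Whitelist) {
        if (Test-IpInCidr -Ip $Ip -Cidr $entry) { return $true }
    }
    return $false
}

# Timeouts: remove bans whose unban time has passed. wail2ban runs this when a new
# failed attempt is captured, so an IP can stay blocked a little past its unlock
# time; a scheduled sweep would unban on time if that matters.
function Remove-ExpiredBans {
    param([hashtable]$Jail, [datetime]$Now)
    $expired = @($Jail.Keys | Where-Object { $Jail[$_] -le $Now })   # materialised before mutation
    foreach ($ip in $expired) {
        [void]$Jail.Remove($ip)    # wail2ban would delete the matching firewall rule here too
    }
    return $expired
}

# Whitelist: a company block, one standalone address, and the host itself.
$Whitelist = @('10.0.0.0/8', '203.0.113.7') + (Get-SelfIPs)
foreach ($candidate in '10.42.1.9', '203.0.113.7', '203.0.113.8', '11.22.33.44') {
    '{0,-15} whitelisted: {1}' -f $candidate, (Test-Whitelisted -Ip $candidate -Whitelist $Whitelist)
}

# Constructed jail: one ban already expired, one with 20 minutes left.
$now  = Get-Date '2020-11-07 10:10:00'
$jail = @{ '11.22.33.44' = $now.AddMinutes(-1); '198.51.100.9' = $now.AddMinutes(20) }
$freed = Remove-ExpiredBans -Jail $jail -Now $now
"unbanned: $($freed -join ', '); still jailed: $($jail.Keys -join ', ')"
# -jailbreak corresponds to emptying $jail and the ban-count file in one go.
```

The two addresses inside 10.0.0.0/8 and the exact whitelist entry are skipped, 203.0.113.8 is not (the entry has no prefix length, so it matches only itself), and the sweep frees 11.22.33.44 while leaving 198.51.100.9 jailed. The whitelist is checked before an attempt is counted, which is the only place a whitelist can prevent a false-positive ban; checking it only at ban time would still let a whitelisted host fill the attempt window.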

htmlgen

I've added a script that will grep the wail2ban log file, and generate some nice statistics, and show the top banned IPs by country. Sample Report

If you want to enable this, grok the main wail2ban.ps1 script for the call to wail2ban_htmlgen.ps1 and enable it (remove the comment).

limitations

There is room for improvement in running this script as a service, so that it's always running. This can be achieved using something like NSSM (the Non-Sucking Service Manager), but that is left as an exercise for the reader.

Update 2020: There have been several on and off repo communications saying this code is still useful! I don't have any way to test the following, but hopefully the following may help:

  • Thanks to Marco Jonas, BLOCK_TYPE is set to netsh, which I presume still exists.
  • Thanks to Gl0, you can add SSL RDP Login support with this patch
  • Thanks to kentuckytech, add -executionpolicy bypass -file to the .bat file if you require a bypass.
