PowerShell version of Fail2Ban
This script monitors a Windows system for attempted brute force authentications. After the defined number of failures have occured, the script will create a firewall rule to block the IP for a defined period of time. Additionally, when an IP is banned, the event is written to the system's event log under and stored in a queryable SQL DB. The IP(s) of the system that is running the script are automatically whitelisted with the ability to add additional IPs to the whitelist.
Usage
- Download repo and unzip repo
- Edit script with your favorite text editor and adjust configs just after initial comment, as desired
- Save scrip and execute it
- Follow the options (see screenshots below)
Configurable options
- Configurable threshold of failed login attempts and how long an IP should be blocked
- IP whitelisting
- Logging blocked IPs to Windows event log with customizable event source and ID
- Logging blocked and whitelisted IPs to a queryable SQL database
- Customizable ban timeout
- Option for mass and quick removal of all banned IPs before a ban expiration occurs
Screenshots
Running the script
Configuring the Whitelist (single IP or CIDR blocks)
Monitoring and banning
Banned IP in Event Log
Banned IP firewall rule(begins with "ban")
Retrieving banned IPs through the script
Retrieving banned IPs within the SQL DB
Removing all banned IPs before their expiration
