How can I configure Win2ban to protect Copssh against brute force attacks?

  • Protection of Copssh against brute force attacks is enabled by default.
  • Start the services win2ban_winlogbeat and win2ban_fail2ban.

 

Sample /var/log/fail2ban.log

2018-04-05 23:54:28,411 fail2ban.server         : INFO    --------------------------------------------------
2018-04-05 23:54:28,411 fail2ban.server         : INFO    Starting Fail2ban v0.10.2
2018-04-05 23:54:28,442 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-04-05 23:54:28,446 fail2ban.jail           : INFO    Creating new jail 'copssh'
2018-04-05 23:54:28,447 fail2ban.jail           : INFO    Jail 'copssh' uses poller {}
2018-04-05 23:54:28,447 fail2ban.jail           : INFO    Initiated 'polling' backend
2018-04-05 23:54:28,448 fail2ban.filter         : INFO      maxLines: 1
2018-04-05 23:54:28,467 fail2ban.server         : INFO    Jail copssh is not a JournalFilter instance
2018-04-05 23:54:28,468 fail2ban.filter         : INFO    Added logfile: '/winlogbeat/logs/eventlog' (pos = 19020, hash = c54619552ccd10f356c0810faec6cdba)
2018-04-05 23:54:28,468 fail2ban.filter         : INFO      maxRetry: 2
2018-04-05 23:54:28,469 fail2ban.filter         : INFO      encoding: UTF-8
2018-04-05 23:54:28,469 fail2ban.actions        : INFO      banTime: 600
2018-04-05 23:54:28,470 fail2ban.filter         : INFO      findtime: 600
2018-04-05 23:54:28,472 fail2ban.jail           : INFO    Jail 'copssh' started
2018-04-05 23:55:20,525 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-05 23:55:19
2018-04-05 23:55:23,787 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-05 23:55:22
2018-04-05 23:55:23,953 fail2ban.actions        : NOTICE   Ban 192.168.122.13
2018-04-05 23:58:22,875 fail2ban.actions        : NOTICE   Unban 192.168.122.13
2018-04-06 00:54:57,531 fail2ban.server         : INFO    Shutdown in progress...
2018-04-06 00:54:57,531 fail2ban.server         : INFO    Stopping all jails
2018-04-06 00:54:57,532 fail2ban.filter         : INFO    Removed logfile: '/winlogbeat/logs/eventlog'
2018-04-06 00:54:58,328 fail2ban.jail           : INFO    Jail 'copssh' stopped
2018-04-06 00:54:58,332 fail2ban.database       : INFO    Connection to database closed.
2018-04-06 00:54:58,333 fail2ban.server         : INFO    Exiting Fail2ban
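
To check from the log that the jail is actually banning, the sketch below reads fail2ban.log text in the format shown above and reports the jail settings, the number of Found events per address, and the length of each Ban/Unban pair in seconds. It is an added example, not part of Win2ban or fail2ban; the function name summarize and the regular expressions are assumptions written for this log layout, and the embedded sample is constructed from lines of the excerpt above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from the fail2ban.log excerpt above.
SAMPLE_LOG = """\
2018-04-05 23:54:28,468 fail2ban.filter         : INFO      maxRetry: 2
2018-04-05 23:54:28,469 fail2ban.actions        : INFO      banTime: 600
2018-04-05 23:54:28,470 fail2ban.filter         : INFO      findtime: 600
2018-04-05 23:55:20,525 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-05 23:55:19
2018-04-05 23:55:23,787 fail2ban.filter         : INFO     Found 192.168.122.13 - 2018-04-05 23:55:22
2018-04-05 23:55:23,953 fail2ban.actions        : NOTICE   Ban 192.168.122.13
2018-04-05 23:58:22,875 fail2ban.actions        : NOTICE   Unban 192.168.122.13
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"fail2ban\.\w+\s*:\s+(?P<level>\w+)\s+(?P<msg>.*)$"
)
SETTING = re.compile(r"^(maxRetry|banTime|findtime):\s*(\d+)$")
EVENT = re.compile(r"^(Found|Ban|Unban)\s+(\S+)")


def summarize(log_text):
    """Return (settings, per-IP summary) from fail2ban.log text."""
    settings = {}
    hosts = defaultdict(lambda: {"found": 0, "bans": []})
    open_bans = {}  # ip -> time of the Ban not yet matched by an Unban
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"].strip()
        if s := SETTING.match(msg):
            settings[s[1]] = int(s[2])
        elif e := EVENT.match(msg):
            kind, ip = e[1], e[2]
            if kind == "Found":
                hosts[ip]["found"] += 1
            elif kind == "Ban":
                open_bans[ip] = when
            elif ip in open_bans:  # Unban closing an earlier Ban
                secs = int((when - open_bans.pop(ip)).total_seconds())
                hosts[ip]["bans"].append(secs)
    for ip in open_bans:
        hosts[ip]["bans"].append(None)  # still banned at end of log
    return settings, dict(hosts)
```

For the sample lines, summarize(SAMPLE_LOG) reports two Found events for 192.168.122.13 and one ban lasting 179 seconds, against a logged banTime of 600.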