https://github.com/devnulli/EvlWatcher

README…

It's basically a fail2ban for Windows. Its goals are also mainly what we love about fail2ban:

pre-configured
no-initial-ducking-around-with-scripts-or-config-files
install-and-forget

You can download it here (v2.1.5 - April 2022).

Also, we love issues!

If anyone needs something or has questions about something, please feel free to open an issue. We are especially happy to get issues about log-entry samples we don't react on, or ideas of how we can support more protocols.

A bit more detailed description of what EvlWatcher does.

Scenario: there are those bad people out there, hammering your service (RDP and whatnot) with brute-force attempts.

You can see them and their IPs clearly in the Windows Event Log.

You have searched the web and yeah, there are plenty of tools, scripts, and all that, to read the event log and automatically ban the attacker's IP.

You, however, are lazy. You need something like fail2ban, with a preconfigured set of rules to just RUN right away, and it works.

But then, it still needs enough flexibility for you to completely configure it, should you wish to do so.

EvlWatcher does that. It scans the Windows Event Log, and reacts.

It works by installing a service that scans the event log for unsuccessful login attempts. When one of its rules is violated (e.g. trying to log in without correct credentials more than 5 times in 2 minutes), it will place that poor bastard into a generic firewall rule, and thereby ban the attacker for 2 hours.

Also, when someone is repeatedly trying, there is a permanent ban list for that, where people land by default when they've had three strikes.

You can, of course, adjust the rules to your liking. They basically consist of an event source and a regex to extract an IP; it's pretty simple.
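The rule shape the post describes (an event source plus an IP-extracting regex, 5 failures in 2 minutes, a 2-hour ban, permanent after three strikes), as an added example that is not EvlWatcher's own code: it replays constructed failed-logon records through a sliding window and decides who lands on the temporary and permanent lists. The regex, the event text and the IPs are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# EvlWatcher-style rule: event source + regex extracting the IP. Thresholds follow the README
# (5 failures in 2 min -> 2 h ban, 3 strikes -> permanent); regex, event text and IPs are constructed.
RULE = dict(source="Security", max_failures=5, window=timedelta(minutes=2),
            temp_ban=timedelta(hours=2), strikes_to_permaban=3,
            ip_regex=re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})"))

class Watcher:
    def __init__(self, rule=RULE):
        self.rule = rule
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.temp_bans = {}                 # ip -> expiry of its current temporary ban
        self.strikes = defaultdict(int)     # ip -> temporary bans issued so far
        self.permanent = set()              # the permanent ban list

    def feed(self, source, ts, message):
        """Apply the rule to one event. Returns ('temp'|'permanent', ip) or None."""
        m = self.rule["ip_regex"].search(message) if source == self.rule["source"] else None
        if not m:
            return None
        ip = m.group(1)
        if ip in self.permanent or ts < self.temp_bans.get(ip, ts):
            return None                   # already banned; the firewall is dropping it
        self.temp_bans.pop(ip, None)      # an expired ban no longer counts
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.rule["window"]:   # sliding window: forget old failures
            q.popleft()
        if len(q) < self.rule["max_failures"]:
            return None
        q.clear()
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.rule["strikes_to_permaban"]:
            self.permanent.add(ip)
            return ("permanent", ip)
        self.temp_bans[ip] = ts + self.rule["temp_ban"]
        return ("temp", ip)

def demo():
    """Constructed sample: 192.0.2.10 bursts three times, two hours apart; 192.0.2.20 stays slow."""
    t0 = datetime(2022, 4, 1, 12, 0, 0)
    fail = lambda ip, s: ("Security", t0 + timedelta(seconds=s),
                          f"An account failed to log on. Source Network Address: {ip}")
    events = [fail("192.0.2.10", b + s) for b in (0, 7300, 14700) for s in range(0, 50, 10)]
    events += [fail("192.0.2.20", s) for s in range(0, 600, 150)]   # 4 in 10 min: never 5 in 2
    w = Watcher()
    return [v for v in (w.feed(*e) for e in sorted(events, key=lambda e: e[1])) if v]
```

The slow attacker never trips the window, while the bursting one is banned twice and then lands on the permanent list on the third strike.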