{"id":20630781,"url":"https://github.com/backslashspace/windows-ssh-fail2ban","last_synced_at":"2025-04-15T18:24:05.949Z","repository":{"id":122952333,"uuid":"576621839","full_name":"backslashspace/Windows-SSH-Fail2Ban","owner":"backslashspace","description":"SSH Brute-Force protection for Windows","archived":false,"fork":false,"pushed_at":"2024-03-16T22:38:58.000Z","size":527,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-28T23:22:03.694Z","etag":null,"topics":["cli","harden","hardening","protection","security","ssh","ssh-bruteforce","sshd","sshd-hardening"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/backslashspace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-12-10T12:45:20.000Z","updated_at":"2024-10-08T08:13:53.000Z","dependencies_parsed_at":"2024-03-17T00:45:17.459Z","dependency_job_id":null,"html_url":"https://github.com/backslashspace/Windows-SSH-Fail2Ban","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backslashspace%2FWindows-SSH-Fail2Ban","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backslashspace%2FWindows-SSH-Fail2Ban/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backslashspace%2FWindows-SSH-Fail2Ban/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backslashspace%2FWindows-SSH-Fail2Ban/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/backslashspace","download_url":"https://codeload.github.com/backslashspace/Windows-SSH-Fail2Ban/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249127020,"owners_count":21216904,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","harden","hardening","protection","security","ssh","ssh-bruteforce","sshd","sshd-hardening"],"created_at":"2024-11-16T14:09:31.485Z","updated_at":"2025-04-15T18:24:05.931Z","avatar_url":"https://github.com/backslashspace.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"___\n# Windows Fail2Ban: SSH Brute-Force protection \n\nJust like the original [Fail2Ban](https://github.com/fail2ban/fail2ban), this configurable and easy to use solution works by scanning\nlogs, in this case the Windows event log from the [Win32-OpenSSH](https://github.com/PowerShell/Win32-OpenSSH) service and bans IPs with\ntoo many failed authentication attempts, whether with passwords or public/private key authentication. 
It does this by updating firewall rules\nto reject new connections from those IPs for a configurable amount of time.\u003cbr /\u003e\u003cbr /\u003e\n[IPv4 \u0026 IPv6 are supported]\n\nThis program is able to reduce the rate of incorrect authentication\nattempts, but cannot eliminate the risk presented by weak authentication.\nMake sure to configure your sshd service securely; this might help:\n\nFor an SSH audit: [sshaudit.com](https://www.sshaudit.com/)  \nsshd config reference: [linux.die.net](https://linux.die.net/man/5/ssh_config)\n\n___\n\n## Installation\n\nThe installation is straightforward and only takes a couple of clicks:\n\n- Download the latest installer from the [releases](https://github.com/backslashspace/Windows-SSH-Fail2Ban/releases) and execute it\n- Follow the installation instructions\n- Done\n\n### What the installer does\n1. The installer will extract the following files to `C:\\Program Files\\OpenSSH-Fail2Ban\\`:\n\n  - `F2B-SRV.exe`: the service application\n  - `F2B-CLI.exe`: the command line interface\n  - `config.txt`: _the config file_\n\n2. `C:\\Program Files\\OpenSSH-Fail2Ban\\` will be added to the System Path variable, making `F2B-CLI.exe` globally accessible in the command line.\n\n3. `F2B-SRV.exe` will be registered as a Windows Service with the name `OpenSSH Fail2Ban` and is configured by default to start at boot.\n___\n\n## Features \u0026 capabilities\nThe solution consists of two components: the service and the command line application.\nThe command line application has the same functionality plus management \nfeatures for banned IPs, 'trusted' IPs and IP ban history.\n\n### F2B-SRV \u0026 config: How it works\n\nBy default the program will check every 5 seconds (`LogScanIntervall=5/s`) the last hour (`LogScanTime=1/h`) of the sshd log, and will ban every IP that exceeds 10 failed attempts (`FailTrigger=10`). 
\nBy default, if the server and client are unable to exchange their banners or fail to negotiate a key exchange algorithm, this will be counted as a failed attempt; this behavior can be deactivated (`CountBannerError=true`, \n`CatchNegotiationErrors=true`).\nFurthermore, automatic permanent bans are deactivated (`PermBan=false`) by default.\n\nThe ban duration can be configured as follows:\u003cbr /\u003e\n`BanTime=1/h,3/h,1/d,7/d,14/d,1/M,3/M`\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;(More or fewer values are possible)\u003cbr /\u003e\nFor example, this will result in the first ban being 1 hour long, the third 1 day and the 7th 3 months long. After 7 bans, the last configured time will be used (3 months in this example); if `PermBan` is set to true, the IP will be permanently banned.\nAlternatively, if `BanTime=off` \u0026 `PermBan=true`, the IP will be permanently banned on the first offense.\n\nA misconfiguration will not result in a crash, but in a fallback to the default value of the invalid setting and an error message in the event log.\n\nWhen a ban is triggered, the program blocks the IP based on its \nhistory for the configured amount of time and adds it to its database. \nAutomatic unbans are handled by the Windows Task Scheduler, which \nupdates the firewall \u0026 database.\n\nFurthermore, every ban is logged in the Windows event log under `OpenSSH-Fail2Ban` with the following information: \n- banned IP\n- failed authentication method / used username*s\n- assigned ban ID\n- times banned before\n- ban duration\n- ban time\n- unban time\n\n#### `F2B-CLI` The command line\n\nYou can display all possible commands via `F2B-CLI /help`\n\n- `/Help` Shows all possible commands and format\n- `/About` Shows the Application version and link to this page\n- `/Start` Starts the service with formatted output in the current terminal session\n\n- `/Show` with following 
parameters:\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Banned` Shows a formatted list which contains the ban ID, IP, ban date \u0026 unban date\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Trusted` Shows a formatted list with all configured 'Trusted' IPs\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `History` Shows a formatted list which contains all IPs that have been banned and how often\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `History x.x.x.x` Shows the ban history of given IP x.x.x.x\n\n- `/Add` with following parameters:\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Banned x.x.x.x` Bans IP x.x.x.x permanently and adds it to the database\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Trusted x.x.x.x` Adds IP x.x.x.x to the list of trusted IPs (IP will be ignored by the service)\n\n- `/Remove` with following parameters:\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Trusted x.x.x.x` Removes IP x.x.x.x from the list of trusted IPs (when 'all' instead of an IP is used, all IPs are targeted)\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `History x.x.x.x` Removes history of IP x.x.x.x (can be used with 'all')\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Banned x.x.x.x` Unbans IP x.x.x.x \u0026 removes it from the database (can be used with 
'all')\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; `Banned x.x.x.x /S` Unbans IP x.x.x.x \u0026 prevents a reban if the IP happens to be in the log scan time (can be used with 'all')\n\n\nThis information is stored in the Registry under `HKEY_LOCAL_MACHINE\\SOFTWARE\\OpenSSH-Fail2Ban`\n\n___\nWritten in C# 10.0 and running on .NET Framework 4.8\u003cbr /\u003e\nRAM usage ~15 MB\u003cbr /\u003e\nTested with OpenSSH V8.9.1.0p1\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbackslashspace%2Fwindows-ssh-fail2ban","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbackslashspace%2Fwindows-ssh-fail2ban","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbackslashspace%2Fwindows-ssh-fail2ban/lists"}