/EvlWatcher

a "fail2ban" style modular log file analyzer for windows

Primary LanguageC#MIT LicenseMIT

What's EvlWatcher?

It's basically a fail2ban for windows. Its goals are also mainly what we love about fail2ban:

  • pre-configured
  • no-initial-fucking-around-with-scripts-or-config-files
  • install-and-forget

You can download it here ( v2.1.62 - May 2024 ) .

Also, we love issues!

If anyone needs something or has questions about something, please feel free to open an issue. We are especially happy to get issues about log-entry samples we don't react on, or ideas of how we can support more protocols.

A bit more detailed description of what EvlWatcher does.

Scenario: there are those bad people out there, hammering your service (RDP and whatnot) with brute force attempts.

  • You can see them and their IPs clearly in the Windows Event-Log.
  • You have searched the web and yea, there are plenty of tools, scripts, and all that, to read the event-log and automatically ban the attackers IP.
  • You however, are lazy. You need something like fail2ban, with a preconfigured set of rules to just RUN right away and it works.
  • But then, it still needs enough flexibility for you to completely configure it, should you wish to do so.

EvlWatcher does that. It scans the Windows-Event-Log, and reacts.

It works by installing a service that scans the event log for unsuccessful login attempts. When one of its rules are violated (e.g. trying to log in without correct credentials, more than 5 times in 2 minutes), it will place that poor bastard into a generic firewall rule, and thereby ban the attacker for 2 hours.

Also, when someone is repeatedly trying, there is a permanent ban list for that, where people defaultly land on when they've had three strikes.

You can, of course, adjust the rules to your liking. They are basically a consisting of an event source, and a Regex to extract an IP, its pretty simple.

Installation

Run the setup executable. It is not required that you remove previous versions of EvlWatcher, the installer will take care of that.

Silent installation

By the way, when you run the setup executable with the /S parameter, it will install silently (e.g. no UI). This can be used for remote or mass roll-outs of EvlWatcher, i.e via group policy.

After you have installed EvlWatcher

You now have 2 things installed,

  • a Windows Service that will immediately start running (called EvlWatcher) with its default configuration file
  • a management Console (in the binary directory)

The Service

You can see it in your Services as "EvlWatcher". It is set to local system and auto start - meaning it cannot communicate over the network and will always run.

The service makes a firewall rule called EvlWatcher. And updates it every 30 seconds, based on your event log. Simple as that. Just one thing: Its normal when the rule is disabled. When there are no IPs banned, its automatically disabled. Dont worry, EvlWatcher will enable it as soon as there is the first ban victim.

The Configuration

You can see it as config.xml in the binary directory. It's made to cover all sorts of brute force attacks out of the box, but can also be expanded. Just take a look inside, if you want.

The Console (EvlWatcherConsole.exe).

You can use the console to see how your service is doing. The console can be found in the start menu, or in the installation folder.

The service keeps running, no matter if you have the console open or closed..

There are several tabs in the console.

Overview Tab

Shows you which IPS are currently banned or whitelisted

image

Live Tab

Shows you what the service is doing and what it is currently thinking about.

image

Global Settings Tab

image

Rule Tester Tab

When you find something you want automatically banned, you can use this tab to help you compose a rule for it. You copy your Windows Event-Log XML here and try to find a Regex for it. When you hit the "test button", and an IP can be extracted, you've found a new rule.

Once you did that, you can either build a new ban task in your config, or post an issue here, so we add it to the config globally.

Note: When you copy past regex into a xml, you must escape brackets with < and >

image

Community

If you want to support EvlWatcher practically

  • Please feel free to contribute
  • We always need good devs and testers to support us.
  • Please, if you have an MSSQL Server or FTP or whatever open to the webs, help up to also cover that with EvlWatcher, by providing us Events.

Gitter

If you want to support EvlWatcher monetarily

EvlWatcher doesnt have a lot of expenses, except the initial cost of code-signing, which were already covered by donations, and about 25€ / year for keeping up the certificate. Therefore, we don't really need much monetary support.

But if you want to say thanks, I would be happy if you would buy me a coffee or a beer here:

Buy Me a Coffee at ko-fi.com

Or you could just donate to your favorite charity.

Apart from that, EvlWatcher is, and will always be, completely free.

Cya..

Mike