This script monitors a Windows system for attempted brute-force authentications. After the defined number of failures has occurred, the script creates a firewall rule that blocks the offending IP for a defined period of time. Additionally, when an IP is banned, the event is written to the system's event log and stored in a queryable SQL DB. The IP(s) of the system running the script are automatically whitelisted, and additional IPs can be added to the whitelist.
Running the script
Configuring the Whitelist (single IP or CIDR blocks)
Monitoring and banning
Banned IP in Event Log
Banned IP firewall rule (begins with "ban")
Retrieving banned IPs through the script
Retrieving banned IPs within the SQL DB
Removing all banned IPs before their expiration
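The following PowerShell is an added example of the ban workflow described above; it is not the project's own script. It assumes the threshold, ban length and whitelist entries shown, an event-log source named BruteForceBan that was registered beforehand with New-EventLog, and that failed logons are read from Security event 4625; the SQL DB step is left out.

```powershell
# Added example (not the project's script). Assumed values: threshold, ban length,
# whitelist entries and the event-log source name; failed logons come from event 4625.
$FailureThreshold = 5
$BanMinutes       = 60
$LookbackMinutes  = 10
$EventSource      = 'BruteForceBan'                 # assumed, registered beforehand
$Whitelist        = @('192.168.1.0/24', '10.0.0.5') # assumed entries: CIDR or single IP

function ConvertTo-UInt32 {
    param([string]$Ip)
    $b = ([ipaddress]$Ip).GetAddressBytes()          # IPv4 only
    return [uint32](($b[0] * 16777216) + ($b[1] * 65536) + ($b[2] * 256) + $b[3])
}

function Test-Whitelisted {
    param([string]$Ip, [string[]]$Entries)
    foreach ($entry in $Entries) {
        $net, $len = $entry.Split('/')
        if (-not $len) { $len = 32 }                  # a bare IP is treated as /32
        $mask = [uint32](4294967296 - [math]::Pow(2, 32 - [int]$len))
        if (((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}

# The host's own IPv4 addresses are always whitelisted.
$Whitelist += (Get-NetIPAddress -AddressFamily IPv4).IPAddress

# Count failed logons (4625) per source address within the lookback window.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) } -ErrorAction SilentlyContinue |
  ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
      Where-Object Name -eq 'IpAddress' | Select-Object -ExpandProperty '#text' } |
  Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Group-Object

foreach ($g in $failures) {
    $ip = $g.Name
    if ($g.Count -lt $FailureThreshold -or (Test-Whitelisted $ip $Whitelist)) { continue }
    if (Get-NetFirewallRule -DisplayName "ban $ip" -ErrorAction SilentlyContinue) { continue }
    $expires = (Get-Date).AddMinutes($BanMinutes).ToString('s')
    # Rule name begins with "ban"; the expiry is kept in the description for later cleanup.
    New-NetFirewallRule -DisplayName "ban $ip" -Direction Inbound -Action Block `
        -RemoteAddress $ip -Description $expires | Out-Null
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType Warning `
        -Message "Banned $ip after $($g.Count) failed logons; expires $expires"
}

# Lift bans whose expiry has passed (rules are matched by the "ban" prefix).
Get-NetFirewallRule -DisplayName 'ban *' -ErrorAction SilentlyContinue |
  Where-Object { [datetime]$_.Description -lt (Get-Date) } | Remove-NetFirewallRule
```

Run it from an elevated prompt on a schedule; the last statement is also the basis for removing all bans early if the expiry check is dropped.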