wIP2Ban – brute-force protection for Windows
Description & documentation
wIP2Ban is a lean Windows service that evaluates successful and rejected logon attempts from your server's various log sources in real time and automatically blocks IP addresses with too many failed attempts in the Windows Firewall. Inspired by the Linux classic fail2ban – but built for Windows servers, without third-party frameworks and with a graphical interface.
How it works
The service watches login sources with the native Windows EventLogWatcher (push-based, i.e. without polling overhead). As soon as an IP address exceeds the configured threshold of failed attempts within a defined time window, wIP2Ban creates a block rule directly via the Windows Firewall. Once the block period expires, the rule is automatically removed again.
Protection against locking yourself out is built in: loopback, RFC 1918 networks, link-local addresses and IPv6 unique-local addresses are never blocked. Additional networks of your own can be entered as a CIDR whitelist.
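The threshold, time-window and never-block logic described above, sketched as an added example (not wIP2Ban's own code). The class and parameter names are hypothetical, the network list uses the standard definitions of the ranges the page names, and the treatment of IPv4-mapped IPv6 addresses is an assumption about a case the page does not cover; the code tracks state only and does not touch the firewall.

```python
import ipaddress
from collections import defaultdict, deque

# Ranges the page names as never blocked (standard definitions of each).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                         # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "fc00::/7",                                       # IPv6 unique-local
)]

class BanTracker:
    def __init__(self, threshold, window_s, ban_s, whitelist=()):
        self.threshold, self.window_s, self.ban_s = threshold, window_s, ban_s
        self.exempt = NEVER_BLOCK + [ipaddress.ip_network(c) for c in whitelist]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the block expires

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        if getattr(addr, "ipv4_mapped", None):  # assumption: ::ffff:a.b.c.d counts as a.b.c.d
            addr = addr.ipv4_mapped
        return any(addr in net for net in self.exempt)

    def record_failure(self, ip, now):
        """Return True when this failed attempt triggers a new block."""
        if self.is_exempt(ip) or ip in self.banned:
            return False
        q = self.failures[ip]
        q.append(now)
        while q[0] <= now - self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) > self.threshold:         # "exceeds the configured threshold"
            self.banned[ip] = now + self.ban_s
            del self.failures[ip]
            return True
        return False

    def expire(self, now):
        """Unblock and return the IPs whose block period has ended."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return done

if __name__ == "__main__":  # constructed sample: four failures within 60 s
    t = BanTracker(threshold=3, window_s=60, ban_s=600)
    for ts in (0, 10, 20, 30):
        print(ts, t.record_failure("203.0.113.7", ts))
```

A source that fails slowly enough that no more than `threshold` failures ever fall inside one window is never blocked, which is the trade-off to weigh when choosing the look-back time.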
What wIP2Ban monitors
- Windows logons – all logon types via the Security event log (RDP, SMB, console, network logon)
- RDP – direct detection of NLA authentication failures, even when they don't appear in the Security log
- OpenSSH – failed SSH logons from the OpenSSH/Operational log
- Microsoft SQL Server – login failures (event 18456) including client IP
- WinRM / PowerShell Remoting – authentication failures via the WinRM log
- IIS – HTTP 401 errors from the W3C logs
- IIS FTP – failed FTP logons (sc-status 530)
- Any custom log files – generic watcher with a user-defined regex, for applications that write their own logs
Features at a glance
- Automatic blocking with configurable look-back time, threshold and block duration
- Whitelist protection for loopback, local networks and custom CIDR ranges (IPv4 & IPv6)
- Self-contained build – a single EXE with no dependency on an installed .NET runtime
- Graphical interface with live log, status display and immediate saving of every configuration change
- Clean Windows service – no polling, low CPU load, automatic restart after a crash
- Built-in log rotation starting at 5 MB
- Fully localised in German
Why wIP2Ban?
- Native for Windows – no WSL, no Cygwin, no containers
- Resource-friendly – push-based instead of polling, negligible load even on small servers
- Ready to use immediately – the installer registers the service with the right permissions, all default sources are active
- Extensible – add your own log files via regex, without changing the code
System requirements
- Windows 10 / Windows 11 / Windows Server 2016 or newer
- Administrator rights for installation and operation (required for firewall management and reading the Security event log)
Download
Free for private and commercial use. No warranty is given that the software is free of defects.
Download wip2ban.zip
