I am considering putting this to sleep

[devnulli]

I've been thinking about the future of EvlWatcher and would be interested in hearing the community's thoughts.

EvlWatcher was originally created to address a problem that many Windows administrators faced: protecting publicly exposed services, especially RDP, from constant brute-force attacks. At the time, a "Fail2Ban for Windows" approach filled a gap that Windows itself did not address very well.

Over the years, however, my perspective has shifted. While EvlWatcher is effective at detecting and blocking repeated authentication failures, it does not solve what I increasingly see as the real problem: exposing RDP directly to the public Internet in the first place.

A publicly reachable RDP service remains publicly reachable regardless of how quickly attackers are banned. Brute-force attacks are only one category of threat. Future protocol vulnerabilities, authentication bypasses, and other attack vectors cannot be mitigated by log-based IP blocking.

Today, the prevailing security recommendation is generally to avoid public RDP exposure altogether and instead use VPNs, Remote Desktop Gateways, Zero Trust solutions, or other controlled-access approaches.

Because of this, I've started wondering whether continuing active development of EvlWatcher still makes sense, or whether the project has largely fulfilled its purpose and should eventually transition into maintenance or archive status.

[devnulli]

PS: personally, i stopped exposing rdp / using evlwatcher over 6 years ago, and thinking of Bluekeep etc.. would never recommend that anymore... so im also kindof tired of keeping it up tbh...

[Alysko]

I agree with you. If a Windows Server/RDS environment is already in place, adding an RD Gateway usually does not add significant cost or complexity.

A VPN can also be free or very inexpensive, and setting one up does not necessarily require advanced skills.

Compared to exposing RDP directly to the Internet, both options are relatively simple and much safer.

[rdebath]

Evlwatcher and similar tools (Fail2ban) have never been considered a large security barrier. They have always been a very minor improvement in security with a larger improvement in administrator annoyance. Usually, the kiddies are looking for users that are known targets or don't exist, so there is no real risk to the connection attempts. The good result is a clean up of the logs for actual errors and more real events in limited "space".

IMO your feeling about publicly reachable RDP servers is actually "Windows servers", windows has some very old code in it and much of that was written when Microsoft did not care at all about security, that combined with other "large target" effects means that putting Windows on the internet is more risky that other options.

Even now that they have a security group, it's not necessarily secure by design so there is still a risk of them being reactive rather than proactive.

But, the reason RDP is "not recommended" is that Microsoft considers it's security fragile due to use of passwords, however, Windows can be configured to not allow bare passwords with RDP. The other way to fix this is to ensure only specific users with known good passwords are allowed to connect remotely (another available policy, or just disable the others).

In line with all this I usually define "permanent" as something like a week, enough time for either (a) they've given up or (b) the total clutter is low enough that it doesn't bother me. In EvlWatcher it means I occasionally clear the banlist.

I've also used fail2ban on work machines as a placebo to monitor services that "Cyber audit" services want to enforce use of "MFA" to prevent brute forcing of certificates ... yeah.

So if you feel it's less useful now, perhaps you should consider a pivot more towards other services. Such as the logs for "VPNs, Remote Desktop Gateways, Zero Trust solutions, or other controlled-access approaches". Or bans on HTTP 404/403/401 for service webservers that should never have those errors.

Say by having a GUI that gives the ability to fetch rules for other services from here (a github/github.io repo) and "install" them.
Or by checking the firewall and matching it to available rules to "recommend" some of those more.

Oh, and I notice you're paying a few € for the codesigning, there are some "free for opensource" services available now.

[devnulli]

@rdebath
about the codesigning, that one i have is 25€/year and i get more coffee than that for evlwatcher. so thats not an issue.
but being curios for some other projects im in, could you elaborate on that? mine is from eurocert

and yeah.
that moddable approach is interesting, would make evlwatcher more IDSish, and be interesting thing to do, but - still not sure what the purpose could be, being on the clientside lessens that opportunities a lot more, a serious reverse proxy could do most of that better... especially with scaling, load balancing,... blah . nah. i think its time to put it to maintenance mode and finally face the fact that i dont even run windows servers anymore 😄

[Alysko]

In any case, thank you for creating this tool, which was very useful to me when I was starting out.
I’d love to be able to stop using Windows servers!
Luckily, I’ve got Zabbix, Wazuh and others to keep me entertained.

[rdebath]

They usually sign stuff with their key, so your name doesn't appear.
The easier one is supposed to be:
https://signpath.org/
This works too, but takes longer? worse in some way?, however, they sometimes let you put your name on the signature:
https://ossign.org/

This one is NOT what you want: https://docs.sigstore.dev/ it's more like my repo which gives you a tool for internal usage and manual checking; theirs is prettier and has a public log & root.
NB: For anyone watching, Microsoft do a pretty normal signing process at $10/Month for 5k signatures ($120/year) given Microsoft's normal MO you should probably consider that the upper limit of "fairish" pricing.