Not writing firewall rules on Windows Server 2012R2. #46

@4DSecurity

Have set up a rule for SMTP brute force attacks which is working fine. The Fail2Ban4Win log file shows every IP address is picked up but no matter what I try it will not write to the firewall. I have it installed as a service, and isDryRun is set to false (in fact, I have removed that line from the config file now so it should be set to false by default).

Config file below:
```json
{
    "maxAllowedFailures": 2,
    "failureWindow": "1.00:00:00",
    "banPeriod": "1.00:00:00",
    "banSubnetBits": 8,
    "banRepeatedOffenseCoefficient": 1,
    "banRepeatedOffenseMax": 4,
    "neverBanSubnets": ["67.210.32.33/32", "172.11.57.29/32"],
    "neverBanReservedSubnets": true,
    "unbanAllOnStartup": false,
    "eventLogSelectors": [
        {
            "logName": "Application",
            "source": "MSExchangeFrontEndTransport",
            "eventId": 1035,
            "ipAddressEventDataIndex": 3,
            "maxAllowedFailures": 2
        }
    ]
}
```

Logfile below:
Info - 2025-11-20T00:01:17.477+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-11-20T00:07:21.452+00:00 - EventLogListenerImpl - Authentication failure detected from 177.135.67.189 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:07:34.672+00:00 - EventLogListenerImpl - Authentication failure detected from 186.5.178.229 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:08:07.205+00:00 - EventLogListenerImpl - Authentication failure detected from 46.163.189.191 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:17:16.321+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-11-20T00:18:29.716+00:00 - EventLogListenerImpl - Authentication failure detected from 201.173.250.31 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:18:42.029+00:00 - EventLogListenerImpl - Authentication failure detected from 149.54.51.82 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:18:54.139+00:00 - EventLogListenerImpl - Authentication failure detected from 177.236.146.244 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:19:12.734+00:00 - EventLogListenerImpl - Authentication failure detected from 98.161.232.9 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:19:32.375+00:00 - EventLogListenerImpl - Authentication failure detected from 47.24.76.30 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:39:02.166+00:00 - EventLogListenerImpl - Authentication failure detected from 128.185.242.74 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:39:16.292+00:00 - EventLogListenerImpl - Authentication failure detected from 177.159.99.95 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:39:31.324+00:00 - EventLogListenerImpl - Authentication failure detected from 5.128.93.196 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T00:39:49.668+00:00 - EventLogListenerImpl - Authentication failure detected from 112.232.252.106 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:18:44.888+00:00 - EventLogListenerImpl - Authentication failure detected from 195.62.50.36 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:19:01.420+00:00 - EventLogListenerImpl - Authentication failure detected from 36.135.107.57 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:19:26.796+00:00 - EventLogListenerImpl - Authentication failure detected from 125.19.182.118 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:19:39.609+00:00 - EventLogListenerImpl - Authentication failure detected from 186.201.54.90 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:54:31.582+00:00 - EventLogListenerImpl - Authentication failure detected from 71.6.199.23 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:58:58.179+00:00 - EventLogListenerImpl - Authentication failure detected from 221.149.233.243 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:59:29.571+00:00 - EventLogListenerImpl - Authentication failure detected from 94.19.168.104 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T01:59:40.196+00:00 - EventLogListenerImpl - Authentication failure detected from 65.20.132.172 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:10:15.307+00:00 - EventLogListenerImpl - Authentication failure detected from 154.127.90.34 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:10:44.262+00:00 - EventLogListenerImpl - Authentication failure detected from 61.145.163.164 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:15:02.864+00:00 - EventLogListenerImpl - Authentication failure detected from 39.152.138.178 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:15:27.521+00:00 - EventLogListenerImpl - Authentication failure detected from 152.52.246.178 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:15:39.678+00:00 - EventLogListenerImpl - Authentication failure detected from 112.25.205.74 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:15:50.101+00:00 - EventLogListenerImpl - Authentication failure detected from 197.219.210.86 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:37:41.460+00:00 - EventLogListenerImpl - Authentication failure detected from 14.55.31.157 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:37:53.023+00:00 - EventLogListenerImpl - Authentication failure detected from 14.212.198.51 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:38:33.447+00:00 - EventLogListenerImpl - Authentication failure detected from 88.84.209.146 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:38:48.604+00:00 - EventLogListenerImpl - Authentication failure detected from 190.117.96.174 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:39:13.402+00:00 - EventLogListenerImpl - Authentication failure detected from 182.95.115.38 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:39:34.310+00:00 - EventLogListenerImpl - Authentication failure detected from 27.24.141.95 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:39:54.842+00:00 - EventLogListenerImpl - Authentication failure detected from 117.71.53.210 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:40:08.843+00:00 - EventLogListenerImpl - Authentication failure detected from 200.107.163.195 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:40:24.234+00:00 - EventLogListenerImpl - Authentication failure detected from 223.197.145.33 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T02:40:40.625+00:00 - EventLogListenerImpl - Authentication failure detected from 58.16.201.52 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:10:23.396+00:00 - EventLogListenerImpl - Authentication failure detected from 220.246.40.63 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:10:49.506+00:00 - EventLogListenerImpl - Authentication failure detected from 111.26.106.119 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:11:09.367+00:00 - EventLogListenerImpl - Authentication failure detected from 152.52.199.126 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:22:07.978+00:00 - EventLogListenerImpl - Authentication failure detected from 67.172.244.235 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:22:22.204+00:00 - EventLogListenerImpl - Authentication failure detected from 183.6.43.236 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:22:35.432+00:00 - EventLogListenerImpl - Authentication failure detected from 182.95.52.206 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:22:52.133+00:00 - EventLogListenerImpl - Authentication failure detected from 118.26.153.102 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:40:50.776+00:00 - EventLogListenerImpl - Authentication failure detected from 96.85.104.2 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T03:40:56.308+00:00 - EventLogListenerImpl - Authentication failure detected from 31.173.29.136 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:00:50.473+00:00 - EventLogListenerImpl - Authentication failure detected from 41.239.148.173 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:42:24.811+00:00 - EventLogListenerImpl - Authentication failure detected from 80.88.102.128 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:42:43.952+00:00 - EventLogListenerImpl - Authentication failure detected from 119.204.125.124 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:42:57.312+00:00 - EventLogListenerImpl - Authentication failure detected from 45.238.2.7 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:43:08.047+00:00 - EventLogListenerImpl - Authentication failure detected from 203.252.10.3 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:43:20.798+00:00 - EventLogListenerImpl - Authentication failure detected from 182.95.176.194 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:58:28.402+00:00 - EventLogListenerImpl - Authentication failure detected from 2.135.33.209 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:59:03.466+00:00 - EventLogListenerImpl - Authentication failure detected from 122.224.154.166 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:59:26.124+00:00 - EventLogListenerImpl - Authentication failure detected from 200.216.172.182 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T04:59:41.593+00:00 - EventLogListenerImpl - Authentication failure detected from 59.8.91.187 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T05:40:51.814+00:00 - EventLogListenerImpl - Authentication failure detected from 182.239.80.51 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T05:41:05.253+00:00 - EventLogListenerImpl - Authentication failure detected from 124.133.10.66 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T05:41:32.754+00:00 - EventLogListenerImpl - Authentication failure detected from 119.126.90.69 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:32:13.802+00:00 - EventLogListenerImpl - Authentication failure detected from 103.69.9.16 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:32:28.771+00:00 - EventLogListenerImpl - Authentication failure detected from 128.185.192.166 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:32:45.241+00:00 - EventLogListenerImpl - Authentication failure detected from 85.236.187.43 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:33:03.789+00:00 - EventLogListenerImpl - Authentication failure detected from 189.109.154.54 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:33:17.243+00:00 - EventLogListenerImpl - Authentication failure detected from 201.61.40.117 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:53:49.348+00:00 - EventLogListenerImpl - Authentication failure detected from 111.194.231.252 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:54:09.005+00:00 - EventLogListenerImpl - Authentication failure detected from 50.188.204.213 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:54:23.428+00:00 - EventLogListenerImpl - Authentication failure detected from 49.124.153.15 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:54:37.616+00:00 - EventLogListenerImpl - Authentication failure detected from 221.145.5.14 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:54:51.132+00:00 - EventLogListenerImpl - Authentication failure detected from 175.207.215.60 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:55:03.523+00:00 - EventLogListenerImpl - Authentication failure detected from 37.28.177.141 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T06:55:16.212+00:00 - EventLogListenerImpl - Authentication failure detected from 196.190.43.167 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:09:17.140+00:00 - EventLogListenerImpl - Authentication failure detected from 49.124.152.150 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:09:51.532+00:00 - EventLogListenerImpl - Authentication failure detected from 203.198.173.145 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:10:08.643+00:00 - EventLogListenerImpl - Authentication failure detected from 179.125.124.14 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:10:19.612+00:00 - EventLogListenerImpl - Authentication failure detected from 87.229.254.207 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:10:43.754+00:00 - EventLogListenerImpl - Authentication failure detected from 185.214.169.10 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:13:20.242+00:00 - EventLogListenerImpl - Authentication failure detected from 180.218.110.248 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:13:36.633+00:00 - EventLogListenerImpl - Authentication failure detected from 178.250.191.189 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:13:53.962+00:00 - EventLogListenerImpl - Authentication failure detected from 110.25.109.53 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:14:03.337+00:00 - EventLogListenerImpl - Authentication failure detected from 178.178.222.47 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:14:08.806+00:00 - EventLogListenerImpl - Authentication failure detected from 59.22.68.213 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:14:19.979+00:00 - EventLogListenerImpl - Authentication failure detected from 59.96.62.29 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:14:31.276+00:00 - EventLogListenerImpl - Authentication failure detected from 125.19.248.170 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:57:56.964+00:00 - EventLogListenerImpl - Authentication failure detected from 80.216.181.233 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T08:58:46.185+00:00 - EventLogListenerImpl - Authentication failure detected from 45.250.249.12 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T09:09:53.824+00:00 - EventLogListenerImpl - Authentication failure detected from 65.20.250.63 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T09:41:19.224+00:00 - EventLogListenerImpl - Authentication failure detected from 115.77.111.2 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T09:41:41.491+00:00 - EventLogListenerImpl - Authentication failure detected from 121.6.81.59 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T09:42:01.585+00:00 - EventLogListenerImpl - Authentication failure detected from 182.95.58.114 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T09:42:14.305+00:00 - EventLogListenerImpl - Authentication failure detected from 58.222.188.154 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T09:42:27.196+00:00 - EventLogListenerImpl - Authentication failure detected from 62.140.234.114 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T10:29:42.327+00:00 - EventLogListenerImpl - Authentication failure detected from 111.26.167.240 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T10:29:57.593+00:00 - EventLogListenerImpl - Authentication failure detected from 197.219.228.242 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T10:30:42.330+00:00 - EventLogListenerImpl - Authentication failure detected from 152.52.244.46 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:06:54.651+00:00 - EventLogListenerImpl - Authentication failure detected from 78.186.54.65 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:07:03.542+00:00 - EventLogListenerImpl - Authentication failure detected from 31.41.84.98 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:07:17.386+00:00 - EventLogListenerImpl - Authentication failure detected from 58.35.120.169 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:07:30.152+00:00 - EventLogListenerImpl - Authentication failure detected from 27.123.104.142 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:07:51.513+00:00 - EventLogListenerImpl - Authentication failure detected from 50.223.176.171 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:23:51.151+00:00 - EventLogListenerImpl - Authentication failure detected from 14.203.9.130 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:24:19.683+00:00 - EventLogListenerImpl - Authentication failure detected from 103.248.30.205 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:33:46.572+00:00 - EventLogListenerImpl - Authentication failure detected from 65.20.149.93 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T11:33:52.119+00:00 - EventLogListenerImpl - Authentication failure detected from 75.97.190.237 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T12:16:50.954+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-11-20T12:34:09.601+00:00 - EventLogListenerImpl - Authentication failure detected from 92.124.133.35 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T12:34:24.133+00:00 - EventLogListenerImpl - Authentication failure detected from 122.175.193.134 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T12:34:37.476+00:00 - EventLogListenerImpl - Authentication failure detected from 89.67.37.219 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:06:42.349+00:00 - EventLogListenerImpl - Authentication failure detected from 220.94.238.64 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:06:54.631+00:00 - EventLogListenerImpl - Authentication failure detected from 201.173.216.68 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:07:07.381+00:00 - EventLogListenerImpl - Authentication failure detected from 218.238.15.224 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:07:17.678+00:00 - EventLogListenerImpl - Authentication failure detected from 201.15.149.254 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:07:31.146+00:00 - EventLogListenerImpl - Authentication failure detected from 120.224.56.242 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:07:42.209+00:00 - EventLogListenerImpl - Authentication failure detected from 125.20.253.86 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:07:58.303+00:00 - EventLogListenerImpl - Authentication failure detected from 77.95.56.101 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:29:13.102+00:00 - EventLogListenerImpl - Authentication failure detected from 36.135.107.57 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:29:51.462+00:00 - EventLogListenerImpl - Authentication failure detected from 95.79.108.51 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:30:03.196+00:00 - EventLogListenerImpl - Authentication failure detected from 115.147.10.33 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T13:36:49.837+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-11-20T13:42:36.493+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-11-20T14:00:03.462+00:00 - EventLogListenerImpl - Authentication failure detected from 128.185.242.74 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:00:13.009+00:00 - EventLogListenerImpl - Authentication failure detected from 125.19.253.154 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:00:23.275+00:00 - EventLogListenerImpl - Authentication failure detected from 177.135.223.123 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:00:45.212+00:00 - EventLogListenerImpl - Authentication failure detected from 77.85.43.156 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:00:54.337+00:00 - EventLogListenerImpl - Authentication failure detected from 78.81.213.111 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:31:09.181+00:00 - EventLogListenerImpl - Authentication failure detected from 203.193.147.37 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:31:19.384+00:00 - EventLogListenerImpl - Authentication failure detected from 31.148.174.234 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:31:39.056+00:00 - EventLogListenerImpl - Authentication failure detected from 103.107.36.18 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:32:00.009+00:00 - EventLogListenerImpl - Authentication failure detected from 49.124.151.57 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:32:10.978+00:00 - EventLogListenerImpl - Authentication failure detected from 46.146.47.227 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-11-20T14:32:21.447+00:00 - EventLogListenerImpl - Authentication failure detected from 46.8.240.26 (log="Application", event=1035, source="MSExchangeFrontEndTransport")

As you can see, it all works well, but it is just not writing the firewall rules. I tried a script I found online to reset firewall log access permissions, but there was no change after that.

Am I missing anything?
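
One way to check a log in this format against the posted thresholds, as an added example that is not part of the original post or of the Fail2Ban4Win code base: it replays the log lines and reports where a ban would fall due. It assumes failures are counted per subnet of prefix length `32 - banSubnetBits`, that a ban is due only once the count exceeds `maxAllowedFailures` inside `failureWindow`, and that counts start over at each "Listening for Event Log records" line; the sample log uses constructed documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the config in the post.
MAX_ALLOWED_FAILURES = 2
FAILURE_WINDOW = "1.00:00:00"
BAN_SUBNET_BITS = 8
NEVER_BAN = ["67.210.32.33/32", "172.11.57.29/32"]

LINE = re.compile(r"^\w+ - (\S+) - EventLogListenerImpl - (.*)$")
FAILURE = re.compile(r"^Authentication failure detected from (\S+) ")

# Constructed sample log in the format shown in the post (documentation IP ranges).
SAMPLE_LOG = """\
Info - 2025-01-01T00:00:00.000+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-01-01T00:05:00.000+00:00 - EventLogListenerImpl - Authentication failure detected from 203.0.113.5 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-01-01T00:06:00.000+00:00 - EventLogListenerImpl - Authentication failure detected from 198.51.100.7 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-01-01T00:07:00.000+00:00 - EventLogListenerImpl - Authentication failure detected from 203.0.113.77 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-01-01T00:10:00.000+00:00 - EventLogListenerImpl - Listening for Event Log records from the "Application" log with event ID 1035 and "source MSExchangeFrontEndTransport"
Info - 2025-01-01T00:20:00.000+00:00 - EventLogListenerImpl - Authentication failure detected from 203.0.113.9 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-01-01T00:21:00.000+00:00 - EventLogListenerImpl - Authentication failure detected from 203.0.113.10 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
Info - 2025-01-01T00:22:00.000+00:00 - EventLogListenerImpl - Authentication failure detected from 203.0.113.11 (log="Application", event=1035, source="MSExchangeFrontEndTransport")
"""


def parse_timespan(text):
    """Parse a [d.]hh:mm:ss value such as "1.00:00:00" (no fractional seconds)."""
    days, _, clock = text.rpartition(".")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return timedelta(days=int(days or 0), hours=hours, minutes=minutes, seconds=seconds)


def simulate(log_text, reset_on_restart=True):
    """Return [(timestamp, subnet)] for each point where a ban would fall due.

    Assumed semantics (not taken from the project's code): per-subnet counting,
    ban when the count exceeds the maximum, counters cleared on service start.
    The log is expected to be in chronological order.
    """
    window = parse_timespan(FAILURE_WINDOW)
    exempt = [ipaddress.ip_network(net) for net in NEVER_BAN]
    recent = defaultdict(deque)  # subnet -> failure times still inside the window
    bans = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        when, message = datetime.fromisoformat(line.group(1)), line.group(2)
        if message.startswith("Listening for Event Log records"):
            if reset_on_restart:
                recent.clear()  # service (re)start: in-memory counts are gone
            continue
        failure = FAILURE.match(message)
        if not failure:
            continue
        ip = ipaddress.ip_address(failure.group(1))
        if any(ip in net for net in exempt):
            continue
        prefix = ip.max_prefixlen - BAN_SUBNET_BITS
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        times = recent[subnet]
        times.append(when)
        while when - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) > MAX_ALLOWED_FAILURES:
            bans.append((when, subnet))
            times.clear()
    return bans


if __name__ == "__main__":
    for when, subnet in simulate(SAMPLE_LOG):
        print(f"{when.isoformat()}  ban due for {subnet}")
```

An empty result for a real log means no subnet crossed the threshold under these assumptions, so the absence of firewall rules would be expected rather than a write failure.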
