How they do it
A common method is brute force: attackers try combinations of the accepted character set until they find the specific combination that grants access to the authorized area.
Every attack leaves traces in log files...
WinFail2Ban is able to parse many types of logs (for example, FTP log files and the Event Viewer).
Analyzing multiple log files can be laborious and time-consuming; moreover, it is difficult to correlate the same attacker IP address across multiple sources.
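As an added illustration (not WinFail2Ban's own code), the following sketch correlates failed logins per source IP across two log sources, so that an address staying under the threshold in each source alone is still flagged on the combined count. The FTP line layout, the simplified event records, the function names and the threshold are assumptions made for this example, and all sample data is constructed.

```python
import re
from collections import defaultdict

# Constructed sample data. Assumed FTP layout (W3C style):
# date time c-ip cs-username cs-method sc-status
FTP_LOG = """\
2024-01-10 09:00:01 203.0.113.7 admin PASS 530
2024-01-10 09:00:03 203.0.113.7 root PASS 530
2024-01-10 09:00:09 198.51.100.4 alice PASS 230
2024-01-10 09:00:12 192.0.2.55 bob PASS 530
"""

# Constructed (event id, message) records, simplified from Windows logon events.
EVENTS = [
    (4625, "An account failed to log on. Source Network Address: 203.0.113.7"),
    (4625, "An account failed to log on. Source Network Address: 203.0.113.7"),
    (4624, "An account was successfully logged on. Source Network Address: 198.51.100.4"),
    (4625, "An account failed to log on. Source Network Address: -"),  # local logon, no IP
]

ADDR_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def ftp_failures(text):
    """Yield ("ftp", ip) for each rejected password (FTP reply code 530)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[4] == "PASS" and parts[5] == "530":
            yield "ftp", parts[2]

def event_failures(events):
    """Yield ("eventlog", ip) for each failed logon (event 4625) with a remote IP."""
    for event_id, message in events:
        match = ADDR_RE.search(message)
        if event_id == 4625 and match:
            yield "eventlog", match.group(1)

def correlate(threshold=3):
    """Return {ip: {source: count}} for IPs whose combined failures reach threshold."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for source, ip in list(ftp_failures(FTP_LOG)) + list(event_failures(EVENTS)):
        per_ip[ip][source] += 1
    return {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    for ip, counts in correlate().items():
        print(ip, counts)
```

With the default threshold of 3, neither source alone would flag 203.0.113.7 (two failures in each), but the combined count of four does.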
If somebody is trying to attack your server, you would probably like to be notified...
If you like automation, you can block the attacker's IP address with a firewall rule.
We're trying to build an engine that manages local firewall rules and also remote firewall rules (PIX/Iptables).