Shoot the breeze, anything goes.
User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-04-19 08:19 »

It was FTP login tries. I checked log files. It's all good because FTP root is empty but still annoying to see these. It's not a lot of hits so I can't bothered to block the IPs. I'm dying without a computer. 😭🤢 :sick: :cry:

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-12 20:30 »

Got another try today, someone "TEST"... well, here is your test mother fucker, I blocked the entire range! :lol: :sick: :mrgreen:
Screenshot_20210512-202759~2.png
Screenshot_20210512-202759~2.png (149.28 KiB) Viewed 4648 times

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-15 21:18 »

https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
gMqD3.jpg (38.26 KiB) Viewed 4640 times
vxbEK.jpg
vxbEK.jpg (29.9 KiB) Viewed 4640 times

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-16 00:57 »

! wrote:
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Screenshot_20210516-005423~2.png (28.25 KiB) Viewed 4639 times
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-16 01:53 »

! wrote:
2021-05-16 00:57
! wrote:
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:
Screenshot_20210516-015031~2.png
Screenshot_20210516-015031~2.png (7.96 KiB) Viewed 4636 times

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-16 02:00 »

! wrote:
2021-05-16 01:53
! wrote:
2021-05-16 00:57
! wrote:
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:

Screenshot_20210516-015031~2.png
Didn't run. Trying to put the command in a .BAT file instead. I think I locked Windows to not allow running .PS1 files. The task itself triggers fine though.

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-16 02:20 »

! wrote:
2021-05-16 02:00
! wrote:
2021-05-16 01:53
! wrote:
2021-05-16 00:57
! wrote:
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:

Screenshot_20210516-015031~2.png
Didn't run. Trying to put the command in a .BAT file instead. I think I locked Windows to not allow running .PS1 files. The task itself triggers fine though.
Cool! It works now! :thumbup: :clap: :smile:

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-16 02:39 »

This script is so cool! I set it to block in the first failed login try. I'll probably catch a looot of infected IPs now in this list. Too bad the Windows log doesn't go back more than 30 days I think. This removed such a big headache from me. :sick:

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-16 21:05 »

Hahaha this works great! Although, it seems that the event triggers late, so each IP manages to get a few tries in the first few seconds but should be fine.
Screenshot_20210516-210345~2.png
Screenshot_20210516-210345~2.png (192.77 KiB) Viewed 4628 times

User avatar
!
30%
Posts: 3259
Joined: 2013-02-25 18:36

2021-05-18 23:04 »

There was an IP from Russia that did a "test" login, to see if it is active, after that, a lot of login tried started from Europe, probably infected servers that are controlled by this person. I don't remember the IP though, can't be bothered to save these stuff without a computer. So far I added ~33 IPs in the firewall block list, they seemed to have stopped. Probably will be seeing another "test" login soon. :sick: :mrgreen: :mrgreen:

Post Reply