Tech talk, cold comfort.

! · 2021-04-19 08:19 »

It was FTP login tries. I checked log files. It's all good because FTP root is empty but still annoying to see these. It's not a lot of hits so I can't bothered to block the IPs. I'm dying without a computer.

! · 2021-05-12 20:30 »

Got another try today, someone "TEST"... well, here is your test mother fucker, I blocked the entire range!

: Screenshot_20210512-202759~2.png (149.28 KiB) Viewed 14517 times

! · 2021-05-15 21:18 »

https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}

: gMqD3.jpg (38.26 KiB) Viewed 14509 times

: vxbEK.jpg (29.9 KiB) Viewed 14509 times

! · 2021-05-16 00:57 »

! wrote: ↑

2021-05-15 21:18

https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.

Code: Select all

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}

gMqD3.jpg
vxbEK.jpg

: Screenshot_20210516-005423~2.png (28.25 KiB) Viewed 14508 times

Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.

! · 2021-05-16 01:53 »

! wrote: ↑
2021-05-16 00:57
! wrote: ↑
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.
Code: Select all
#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.

The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:

: Screenshot_20210516-015031~2.png (7.96 KiB) Viewed 14505 times

! · 2021-05-16 02:00 »

! wrote: ↑
2021-05-16 01:53
! wrote: ↑
2021-05-16 00:57
! wrote: ↑
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.
Code: Select all
#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:

Screenshot_20210516-015031~2.png

Didn't run. Trying to put the command in a .BAT file instead. I think I locked Windows to not allow running .PS1 files. The task itself triggers fine though.

! · 2021-05-16 02:20 »

! wrote: ↑
2021-05-16 02:00
! wrote: ↑
2021-05-16 01:53
! wrote: ↑
2021-05-16 00:57
! wrote: ↑
2021-05-15 21:18
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on first failed RDP login attempt, should be good.
Code: Select all
#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get ip adresses, that have more than 10 wrong logins
$g = $l | group-object -property IpAddress | where {$_.Count -gt 10} | Select -property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | where {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule
$w = $g | where {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule
$w| %{
  if ($ar.RemoteAddresses -eq '*') {
    $ar.remoteaddresses = $_.Name
  }else{
    $ar.remoteaddresses += ',' + $_.Name
  }
}

#Write to logfile
if ($w.length -gt 1) {
  $w| %{(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
gMqD3.jpg
vxbEK.jpg
Screenshot_20210516-005423~2.png
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:

Screenshot_20210516-015031~2.png
Didn't run. Trying to put the command in a .BAT file instead. I think I locked Windows to not allow running .PS1 files. The task itself triggers fine though.

Cool! It works now!

! · 2021-05-16 02:39 »

This script is so cool! I set it to block in the first failed login try. I'll probably catch a looot of infected IPs now in this list. Too bad the Windows log doesn't go back more than 30 days I think. This removed such a big headache from me.

! · 2021-05-16 21:05 »

Hahaha this works great! Although, it seems that the event triggers late, so each IP manages to get a few tries in the first few seconds but should be fine.

: Screenshot_20210516-210345~2.png (192.77 KiB) Viewed 14497 times

! · 2021-05-18 23:04 »

There was an IP from Russia that did a "test" login, to see if it is active, after that, a lot of login tried started from Europe, probably infected servers that are controlled by this person. I don't remember the IP though, can't be bothered to save these stuff without a computer. So far I added ~33 IPs in the firewall block list, they seemed to have stopped. Probably will be seeing another "test" login soon.