https://serverfault.com/questions/23322 ... pts/397637
The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and it seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on the first failed RDP login attempt; should be good.
Code:
#Checks for IP addresses that used an incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'
#Check only the last 24 hours
$DT = [DateTime]::Now.AddHours(-24)
#Select IP addresses that have an audit failure (event 4625);
#ReplacementStrings[-2] is the IpAddress field of that event
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT |
    Select-Object @{n='IpAddress'; e={$_.ReplacementStrings[-2]}}
#Get IP addresses that have more than 10 wrong logins
$g = $l | Group-Object -Property IpAddress | Where-Object {$_.Count -gt 10} | Select-Object -Property Name
#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2
#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.Rules | Where-Object {$_.Name -eq 'BlockAttackers'}
#Split the existing IPs into an array so we can search it for existing IPs
#(the firewall stores a single host as 'a.b.c.d/255.255.255.255')
$arRemote = $ar.RemoteAddresses -split ','
#Only collect IPs that aren't already in the firewall rule; local logons
#carry '-' as the address, so require a real address (length > 1).
#@() keeps $w an array even when only one address qualifies.
$w = @($g | Where-Object {$_.Name.Length -gt 1 -and !($arRemote -contains ($_.Name + '/255.255.255.255'))})
#Add the new IPs to the firewall rule ('*' means the rule has no addresses yet)
$w | ForEach-Object {
    if ($ar.RemoteAddresses -eq '*') {
        $ar.RemoteAddresses = $_.Name
    } else {
        $ar.RemoteAddresses += ',' + $_.Name
    }
}
#Write to logfile; test Count -gt 0 so a single new address is logged as well
#(testing .length -gt 1 skips the log entry when exactly one IP was added)
if ($w.Count -gt 0) {
    $w | ForEach-Object {(Get-Date).ToString() + ' ' + $_.Name >> '.\blocked.txt'}
}
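The same blocking logic as an added example (not the poster's script or the serverfault answer), using Get-WinEvent and the NetSecurity cmdlets instead of the COM object, with an allow-list so that a typo from an administrator's own address can never lock them out of RDP; the rule name, threshold, allow-list entries and log path are assumptions.

```powershell
# Added example: block repeat 4625 sources, but never addresses on an allow-list.
$RuleName  = 'BlockAttackers'      # assumed rule name
$Threshold = 10                    # failures per source before blocking
$Since     = (Get-Date).AddHours(-24)
# Constructed allow-list: management host plus RFC1918 prefixes (assumptions)
$AllowList = @('203.0.113.10', '10.', '192.168.', '172.16.')
$LogFile   = Join-Path $env:ProgramData 'blocked.txt'   # absolute: a task's cwd is not the script folder

# Event 4625: Properties[19] is the IpAddress field (the slot the original script
# reads as ReplacementStrings[-2]); '-' marks local/console logons.
$failures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[19].Value } |
    Where-Object { $_ -and $_ -ne '-' -and $_ -ne '::1' -and $_ -ne '127.0.0.1' }

$offenders = $failures | Group-Object | Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object { $_.Name } |
    Where-Object { $ip = $_; -not ($AllowList | Where-Object { $ip.StartsWith($_) }) }

# Create the rule on first run instead of requiring it to exist. It starts
# disabled because a block rule with RemoteAddress 'Any' would block everyone.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -Enabled False
}
# Existing remote addresses; 'Any' means nothing has been blocked yet
$current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
$new = @($offenders | Where-Object { $current -notcontains $_ })

if ($new.Count -gt 0) {
    # Set-NetFirewallRule replaces the whole address list, so merge old and new
    $rule | Set-NetFirewallRule -RemoteAddress ($current + $new) -Enabled True
    $new | ForEach-Object { "$(Get-Date -Format s) $_" } | Add-Content -Path $LogFile
}
```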
Log: Security.
Source: Microsoft Windows security auditing.
That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:
Didn't run. Trying to put the command in a .BAT file instead. I think I locked Windows to not allow running .PS1 files. The task itself triggers fine though.
Cool! It works now!
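The task definition the thread arrives at (Security log, source Microsoft Windows security auditing, event ID 4625, script started through powershell.exe rather than by pointing at the .ps1), written out as an added example rather than the poster's own task; script path and task name are assumptions. Execution policy is a guard rail for interactive use, not a security boundary, so setting it on the command line is the normal way to run a scheduled script.

```powershell
# Added example: register an event-triggered task for failed logons.
$ScriptPath = 'C:\Scripts\BlockAttackers.ps1'          # assumed path
$TaskName   = 'BlockAttackers on failed logon'         # assumed name

# Same filter the Task Scheduler UI builds from Log = Security,
# Source = Microsoft Windows security auditing, Event ID = 4625
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event trigger; build one from the CIM class
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $Subscription
$trigger.Enabled      = $true

# Run the script through powershell.exe with -File and an explicit execution
# policy, which is what the .BAT wrapper in the thread achieves
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Reading the Security log and editing firewall rules needs an elevated account
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# A burst of failed logons fires the trigger many times; queue them, and cap
# each run so a hung script cannot pile up
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force
```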
There was an IP from Russia that did a "test" login, to see if it is active; after that, a lot of login tries started from Europe, probably infected servers that are controlled by this person. I don't remember the IP though, can't be bothered to save this stuff without a computer. So far I added ~33 IPs to the firewall block list, and they seem to have stopped. Probably will be seeing another "test" login soon.