Block IP if logon failed X number of times

If you have a public-facing server that relies only on the Windows Firewall for protection, you will probably see the Windows Security log fill up with logon attempts using different usernames and passwords.

For IIS 6.0, you can write a script that blocks an IP address from connecting if it has failed 10 or more times within the last 24 hours.

See the full discussion in the Server Fault thread referenced at the end of this post.

I have refactored the script to be more readable and easy to troubleshoot.

    # Check only the last 24 hours
    $cutoffDateTime = [DateTime]::Now.AddDays(-1)

    # Select the source IP address of every audit failure (event 4625).
    # For 4625 the second-to-last replacement string is the IpAddress field.
    $l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $cutoffDateTime |
        Select-Object @{n='IpAddress'; e={$_.ReplacementStrings[-2]}}

    # Get IP addresses that have more than 10 failed logons
    $suspectIPs = $l | Group-Object -Property IpAddress | Where-Object {$_.Count -gt 10} | Select-Object -Property Name

    Write-Host "Suspicious IPs:"
    $suspectIPs | ForEach-Object {Write-Host $_.Name}

    # Get the firewall policy object
    $fw = New-Object -ComObject hnetcfg.fwpolicy2

    # Get the firewall rule named 'BlockAuditFailure'. It must be created manually as an
    # inbound block rule scoped to at least one specific remote address (not '*' / any),
    # because the script appends to that address list.
    $ar = $fw.Rules | Where-Object {$_.Name -eq 'BlockAuditFailure'}

    # Split the existing IPs into an array so we can easily search for existing IPs
    $blockedIPs = $ar.RemoteAddresses -split ','

    Write-Host "Current Blocked IPs:"
    $blockedIPs | ForEach-Object {Write-Host $_}

    # Get IP addresses that are not already in the firewall rule.
    # The Length check skips the '-' and empty values that 4625 carries when no source
    # address is recorded. The firewall stores each address with its subnet mask appended,
    # so the comparison uses that form.
    $IPsToBlock = $suspectIPs | Where-Object {$_.Name.Length -gt 1 -and !($blockedIPs -contains ($_.Name + '/255.255.255.255'))}

    Write-Host "IPs to Block:"
    $IPsToBlock | ForEach-Object {Write-Host $_.Name}

    # Add IPs to the firewall rule (each assignment updates the live rule immediately)
    $IPsToBlock | ForEach-Object {$ar.RemoteAddresses += ',' + $_.Name}

    # Re-read the rule so the list reflects what the firewall actually stored
    $upToDateBlockedIPs = $ar.RemoteAddresses -split ','

    Write-Host "Up-To-Date Blocked IPs:"
    $upToDateBlockedIPs | ForEach-Object {Write-Host $_}
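The same procedure on Windows 8 / Windows Server 2012 and later, as an added example that is not the original post's script: it uses Get-WinEvent and reads the IpAddress field by name from the event XML (instead of by position in ReplacementStrings), and the NetSecurity cmdlets instead of the hnetcfg COM object. The rule name, threshold, look-back window, the allowlist (192.0.2.10 is a constructed placeholder for a management host) and the -DryRun switch are assumptions; the script must run elevated.

```powershell
# Added example, not the original post's script. Assumes PowerShell 3+ on Windows 8 /
# Server 2012 or later (NetSecurity module), run as administrator.
param(
    [string]$RuleName  = 'BlockAuditFailure',   # assumed rule name
    [int]   $Threshold = 10,                    # failed logons per source before blocking
    [int]   $Hours     = 24,                    # look-back window
    [switch]$DryRun                             # report only, change nothing
)

$cutoff = (Get-Date).AddHours(-$Hours)

# 1. Collect source addresses of failed logons (event 4625) in the window.
#    Read the IpAddress field by name from the event XML so the script does not
#    depend on where the value sits in ReplacementStrings.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $cutoff } `
                       -ErrorAction SilentlyContinue
$sources = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
}

# 2. Never block these, whatever the counts say (constructed allowlist: loopback plus an
#    assumed management host). Locking yourself out is the classic failure mode.
$allowList = @('127.0.0.1', '::1', '192.0.2.10')

$suspects = $sources |
    Where-Object { $_ -and $_ -ne '-' -and $allowList -notcontains $_ } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object { $_.Name }

Write-Host "Sources with at least $Threshold failed logons in the last $Hours h:"
$suspects | ForEach-Object { Write-Host "  $_" }
if (-not $suspects) { return }

# 3. Merge with what the rule already blocks. The firewall may report a single host as
#    '1.2.3.4', '1.2.3.4/32' or '1.2.3.4/255.255.255.255'; normalise before comparing.
function Normalize-Address([string]$a) {
    $a -replace '/(32|128|255\.255\.255\.255)$', ''
}

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$current = @()
if ($rule) {
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress |
        Where-Object { $_ -ne 'Any' } |
        ForEach-Object { Normalize-Address $_ }
}

$new = $suspects | Where-Object { $current -notcontains (Normalize-Address $_) }
Write-Host "New addresses to block:"
$new | ForEach-Object { Write-Host "  $_" }
if (-not $new) { return }

$merged = @(@($current) + @($new) | Select-Object -Unique)

if ($DryRun) { Write-Host "Dry run: rule '$RuleName' not modified."; return }

# 4. Apply. Create the rule on first use (scoped to the blocked addresses only, so a block
#    rule never ends up applying to 'Any'); otherwise replace its address list.
if ($rule) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
                        -Enabled True -Profile Any -RemoteAddress $merged | Out-Null
}
Write-Host "Rule '$RuleName' now blocks $($merged.Count) address(es)."
```

Run it first with -DryRun to see which addresses would be added, and schedule it (for example every hour) only once the allowlist contains every host you administer from. The rule is only ever created or updated with an explicit address list, which avoids the case where a block rule with remote address Any cuts off all inbound traffic.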

For IIS 7.0, you can install the Dynamic IP Restrictions extension, but it deals primarily with DoS attacks rather than failed logons.

The other option is a hardware firewall that already does this for you.

Reference: http://serverfault.com/questions/233222/ban-ip-address-based-on-x-number-of-unsuccessful-login-attempts
