IP not blocked on Windows Server 2003 #3

Closed
davidwhthomas opened this Issue · 19 comments

6 participants

@davidwhthomas

Hi, thanks for releasing this application, it looks promising.

I just installed via the MSI installer on a Windows 2003 server.

The installer appeared to run, but gave no confirmation message after completing.

However, looking in "Services" I saw "ts_block" was there, but not started.

I also took a look in the registry, and there were no keys created under HKLM/Software/Policies/Wellbury LLC/*; "Wellbury LLC" itself was absent there.

I'd edited the .vbs script in Program Files to add the blackhole IP 192.168.168.28 ( which doesn't exist, but is on the subnet )

I then started the service and tested it with the "administrator" username over RDP

Later, I saw the event log to the effect that my IP had been blocked for 5 minutes.

However, I could still keep trying to login, with no block appearing in place for "administrator" or any other username and I logged in via my usual username instead.

So, the issue is, the application was installed from MSI, service started, log entries created, but no block appears to actually occur.

thanks,

DT

@davidwhthomas

Note, when I enabled the DEBUGGING mode, I saw in the log the blackhole IP was 192.168.168.118, different from the one I set in the script.

If I ping that address, it returns a response, so perhaps that's the issue?

Note also, ROUTE and NETSH are available in the path.

@EvanAnderson
@davidwhthomas

Thanks for the reply,

I did notice I'd set the blackhole IP incorrectly, putting the value where the registry key name is meant to be.

I tried hard coding it as the return value from the get BlackHoleIP() function and it came up correctly in the debug log, but same result with user not blocked.

What's the expected behaviour when a user attempts access from a blocked IP?

Other than that, the script is default.

@davidwhthomas

OK, I tried again with the default file, just DEBUGGING = 1.
The issue persists.

file contents are here: https://gist.github.com/2943569

Thanks again,

DT

@davidwhthomas

I installed the .ADM file under the domain group policy objects, enabled and set the default values.
Unfortunately it still doesn't work :-(

@davidwhthomas

Ok, and even after a complete uninstall / reinstall and reapplying the ADM settings, service is up and running, logs suggest it's blocking IP, but I can access RDP login screen no problem... oh well.

@EvanAnderson
@davidwhthomas

Thanks Evan,

I ran another test

Failed RDP login past limit
Logged in successfully
Saw my IP address was blocked in the Event Log "Blocked 202.89.152.[x] until 6/18/2012 8:24:41 PM" ([x] = final octet)
Ran cmd > route print
No sign of my IP in the list of routed IPs there.

Yes, I'm accessing over RDP, using Gnome-RDP from a Linux box over to Win2K3.

Note, I also tried with debugging mode on and testing mode on with 10 test IP addresses, none of those were visible in route print either?

regards,

David

@davidwhthomas

Looking at the ts_block service, I see the run parameter is

"C:\Program Files\ts_block\nssm.exe" run

In task manager, there's no sign of wscript.exe running.

Is that correct?

Perhaps the service should be passing the vbs file to the above run parameter?

@israelt

On Windows server 2003 R2 32bits:

  • I install Microsoft Loopback network interface: http://support.microsoft.com/kb/842561
  • I set it up with IP 99.99.99.99, mask 255.255.255.0 and no gateway
  • Install and start ts_block service

All works great, but I don't have this registry key (HKLM/Software/Policies/Wellbury LLC/) on the computer.

Great software utility, Evan!

@EvanAnderson
@EvanAnderson

@davidwhthomas: 'wscript.exe' isn't used by ts_block (because script execution would halt while modal windows were displayed on the service desktop). The command-line you're seeing for 'nssm.exe' in the ts_block service parameters is accurate. cscript.exe is used to execute the script and, based on the presence of Event Log messages coming from the script, I'd say it's running.

It's unclear to me why the entries that are supposed to be created by route.exe aren't being created properly on the machine you're testing on. All I can think is that route.exe isn't in the PATH for the ts_block service.

Were I you I'd probably use "Process Monitor" to watch the cscript.exe process running ts_block and observe the command-lines passed to child route.exe processes that it creates.
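A check for the route-table question raised in this thread, added here as an example (this is not ts_block's own code): parse `route print` output and list every /32 host route whose next hop is the black-hole address. If the Event Log says an address was blocked but no such row exists, route.exe's `route add` did not take effect, which is exactly the situation Process Monitor would be used to explain. The routing table text is constructed to resemble Windows Server 2003 output; the server address 192.168.254.10 and the black-hole address 192.168.254.1 are assumptions.

```python
"""Verify from `route print` whether an address is actually black-holed.
Added example, not ts_block's code. The routing table below is constructed
to resemble Windows Server 2003 output for a server at 192.168.254.10 whose
black-hole address is 192.168.254.1 (both assumed), after a blocker has run
`route add 31.185.0.11 mask 255.255.255.255 192.168.254.1`."""
import re
import subprocess
import sys

SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 aa bb cc ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.254   192.168.254.10     20
      31.185.0.11  255.255.255.255    192.168.254.1   192.168.254.10      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    192.168.254.0    255.255.255.0   192.168.254.10   192.168.254.10     20
   192.168.254.10  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.254.255  255.255.255.255   192.168.254.10   192.168.254.10     20
        224.0.0.0        240.0.0.0   192.168.254.10   192.168.254.10     20
  255.255.255.255  255.255.255.255   192.168.254.10   192.168.254.10      1
Default Gateway:   192.168.254.254
===========================================================================
Persistent Routes:
  None
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One row of the Active Routes table: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_active_routes(text):
    """Return (destination, netmask, gateway, interface, metric) for each table row."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def blackholed_hosts(text, blackhole_ip):
    """Destinations with a /32 host route whose next hop is the black-hole address."""
    return sorted(dest for dest, mask, gw, _iface, _metric in parse_active_routes(text)
                  if mask == "255.255.255.255" and gw == blackhole_ip)


def is_blocked(text, ip, blackhole_ip):
    """True when a black-hole host route for `ip` is present in the table."""
    return ip in blackholed_hosts(text, blackhole_ip)


def live_route_print():
    """On Windows read the real table; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        return subprocess.run(["route", "print"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_ROUTE_PRINT


if __name__ == "__main__":
    table = live_route_print()
    blackhole = sys.argv[1] if len(sys.argv) > 1 else "192.168.254.1"
    hosts = blackholed_hosts(table, blackhole)
    print(f"{len(hosts)} host route(s) via black-hole {blackhole}: {hosts}")
```

Run on the server with the configured black-hole address as the only argument; an empty list while the Event Log reports blocks means the route was never installed, and a row that is present while the attacker still connects points at the black-hole address itself (for instance one that answers ping, so it is a real host rather than an unreachable next hop).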

@EvanAnderson EvanAnderson was assigned
@b1rdex

Hey there.

Tried to block brute force with your tool and got stuck.
It ran perfectly but didn't block anything. I thought it was because my copy of Windows is Russian.

I opened Event Viewer/Security and there was only 'audit success'. That's the case!
Looks like Win 2003 defaults to only logging successful tries. Opened gpedit.msc, computer/windows/local/audit/login → success and failure.

And the result appeared just 5 seconds later :)

Logging bad attempt from 31.185.0.11, attempt # 1
Logging bad attempt from 31.185.0.11, attempt # 2
Logging bad attempt from 31.185.0.11, attempt # 3
Logging bad attempt from 31.185.0.11, attempt # 4
Logging bad attempt from 31.185.0.11, attempt # 5
Executing route add 31.185.0.11 mask 255.255.255.255 192.168.254.1
Event Log - Event ID: 256, Type: INFORMATION - Blocked 31.185.0.11 until 02.08.2012 11:45:46

I think you should add this to the README because it's not obvious.
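The counting and blocking sequence that the debug log above shows, reproduced as an added Python example (not ts_block's VBScript) so the thresholds can be exercised without a server. The failed-logon records are constructed; the Block Timeout window of 120 seconds and the use of `route delete` when a block expires are assumptions (the thread only shows a five-attempt threshold and a five-minute block); route.exe is never executed, the command lines are only collected.

```python
"""Attempt counting and black-hole blocking of the kind the ts_block debug log
above shows. Added example, not ts_block's own VBScript: the failed-logon
records are constructed, the Block Timeout window (120 s) and the use of
`route delete` on expiry are assumptions, and route.exe is never executed;
the command lines are only collected so they can be inspected."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BLACKHOLE_IP = "192.168.254.1"  # unused address on the server's subnet (as in the log above)


class TsBlockLike:
    def __init__(self, block_attempts=5, block_duration=300, block_timeout=120,
                 blackhole_ip=BLACKHOLE_IP):
        self.block_attempts = block_attempts                      # failures before a block
        self.block_duration = timedelta(seconds=block_duration)  # how long the route stays
        self.block_timeout = timedelta(seconds=block_timeout)    # window in which failures count
        self.blackhole_ip = blackhole_ip
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> expiry time
        self.commands = []                  # route.exe command lines that would be run
        self.log = []                       # debug-style messages

    def failed_logon(self, when, ip):
        """Record one failed logon from ip at time `when`; block on the Nth within the window."""
        if ip in self.blocked_until:
            return                          # replies already go to the black hole
        window = self.attempts[ip]
        window.append(when)
        while when - window[0] > self.block_timeout:
            window.popleft()                # forget failures older than Block Timeout
        self.log.append(f"Logging bad attempt from {ip}, attempt # {len(window)}")
        if len(window) >= self.block_attempts:
            self._block(when, ip)

    def _block(self, when, ip):
        until = when + self.block_duration
        self.blocked_until[ip] = until
        del self.attempts[ip]
        # A /32 host route whose next hop never answers ARP: the server's replies
        # to the attacker are dropped, so no further RDP connection completes.
        cmd = f"route add {ip} mask 255.255.255.255 {self.blackhole_ip}"
        self.commands.append(cmd)
        self.log.append(f"Executing {cmd}")
        self.log.append(f"Blocked {ip} until {until:%d.%m.%Y %H:%M:%S}")

    def expire(self, now):
        """Remove host routes whose Block Duration has passed (assumed mechanism)."""
        for ip, until in list(self.blocked_until.items()):
            if now >= until:
                del self.blocked_until[ip]
                self.commands.append(f"route delete {ip}")
                self.log.append(f"Unblocked {ip}")


def demo():
    """Constructed scenario: one fast brute-forcer and one slow source that stays below threshold."""
    t0 = datetime(2012, 8, 2, 11, 40, 46)
    tb = TsBlockLike()
    for i in range(5):                      # five failures in five seconds
        tb.failed_logon(t0 + timedelta(seconds=i), "31.185.0.11")
    tb.failed_logon(t0 + timedelta(seconds=6), "31.185.0.11")  # ignored: already blocked
    for i in range(4):                      # four failures, then a fifth well outside the window
        tb.failed_logon(t0 + timedelta(seconds=i), "198.51.100.7")
    tb.failed_logon(t0 + timedelta(seconds=200), "198.51.100.7")
    tb.expire(t0 + timedelta(seconds=304))  # the block set at 11:40:50 expires at 11:45:50
    return tb


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

The slow source never reaches a count of five because failures older than the window are dropped before the comparison, which is the trade-off any Block Timeout setting makes: a longer window catches slower guessing at the cost of more state per source address.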

@EvanAnderson

I'm glad to hear that it is working for you and on a Russian version of Windows.

I will make a note to include details about auditing in the README file.

@kimala

Hi,
Thank you for sharing this program.
How do I verify TS_Block is running? I installed TS_Block, applied the .adm file and used nssm to create a service on a Windows 2003 server. But the event log is still filling up with failed logins. I tried to use nssm again, and it tells me that the service is already installed. What settings for Block Attempts, Block Duration and Block Timeout do you recommend?

Kim

@b1rdex

@kimala you should stop the service and start ts_block.vbs manually to debug its settings.

@jaredgerber

Evan:

Thank you for sharing your coding talent and time to help stop brute force attacks.

I fumbled around a bit to get it installed on my Windows 2003 Server -- so I'm sharing my experience and adding some notes in hope to make things a little easier for others to install for their needs.

Prerequisites:

  • I made sure the prerequisite route.exe, netsh.exe & eventcreate.exe were present.

Installation of Service

  • I installed the MSI by right-clicking it and clicking Install
  • I found the service and when I tried to run it, it failed to start (ts_block.adm not loaded yet)

Loading TS_Block.adm

  • I had to research GPOE in order to get it installed on my server
  • After it was installed, I used Start->Run the gpedit.msc
  • Added ts_block.adm Template to the - Local Computer Policy -> Computer Configuration -> Administrative Templates.
  • Once added, I updated the Black-hole IP address to 1 less than my default gateway which was not in use
  • I updated the other settings as well
  • I tried starting the service AND IT STARTED!!! :-)

Logging

  • I enabled Failure audit logging here: - Admin Settings -> Local Security Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit Login Events
  • After 2 hours, I found 5 failures in a row, then it stopped -- instead of hundreds of failures - So I'm assuming it worked!!! Yay!!!!
  • I tried the Route Print, but I didn't see anything new there

It would be cool to know if there are any other logs or ways to know it's working.

Thanks again,

Jared

@jaredgerber

Evan:

I had over 50 successful blocks revealed in the Event Log -> Application. Thanks!!!

Jared

@EvanAnderson

I'm closing this due to inactivity
