Hi, thanks for releasing this application, it looks promising.
I just installed via the MSI installer on a Windows 2003 server.
The installer appeared to run, but gave no confirmation message after completing.
However, looking in "Services" I saw "ts_block" was there, but not started.
I also took a look in the registry, and there were no keys created under HKLM/Software/Policies/Wellbury LLC/*; "Wellbury LLC" was absent there.
I'd edited the .vbs script in Program Files to add the blackhole IP 192.168.168.28 ( which doesn't exist, but is on the subnet )
I then started the service and tested it with the "administrator" username over RDP.
Later, I saw the event log to the effect that my IP had been blocked for 5 minutes.
However, I could still keep trying to login, with no block appearing in place for "administrator" or any other username and I logged in via my usual username instead.
So, the issue is, the application was installed from MSI, service started, log entries created, but no block appears to actually occur.
Note, when I enabled the DEBUGGING mode, I saw in the log the blackhole IP was 192.168.168.118, different from the one I set in the script.
If I ping that address, it returns a response, so perhaps that's the issue?
Note also, ROUTE and NETSH are available in the path.
Thanks for the reply,
I did notice I'd set the blackhole IP incorrectly, putting the value where the registry key name is meant to be.
I tried hard coding it as the return value from the get BlackHoleIP() function and it came up correctly in the debug log, but same result with user not blocked.
What's the expected behaviour when a user attempts access from a blocked IP?
Other than that, the script is default.
OK, I tried again with the default file, just DEBUGGING = 1.
The issue persists.
File contents are here: https://gist.github.com/2943569
I installed the .ADM file under the domain group policy objects, enabled and set the default values.
Unfortunately it still doesn't work :-(
Ok, and even after a complete uninstall / reinstall and reapplying the ADM settings, service is up and running, logs suggest it's blocking IP, but I can access RDP login screen no problem... oh well.
I ran another test
Failed RDP login past limit
Logged in successfully
Saw my IP address was blocked in the Event Log "Blocked 202.89.152.[x] until 6/18/2012 8:24:41 PM" ([x] = final octet)
Ran cmd > route print
No sign of my IP in the list of routed IPs there.
Yes, I'm accessing over RDP, using Gnome-RDP from a Linux box over to Win2K3.
Note, I also tried with debugging mode on and testing mode on with 10 test IP addresses, none of those were visible in route print either?
Looking at the ts_block service, I see the run parameter is
"C:\Program Files\ts_block\nssm.exe" run
In task manager, there's no sign of wscript.exe running.
Is that correct?
Perhaps the service should be passing the vbs file to the above run parameter?
On Windows server 2003 R2 32bits:
All work great but I don't have this registry key (HKLM/Software/Policies/Wellbury LLC/) in the computer.
Great soft utility Evan!
@davidwhthomas: 'wscript.exe' isn't used by ts_block (because script execution would halt while modal windows were displayed on the service desktop). The command-line you're seeing for 'nssm.exe' in the ts_block service parameters is accurate. cscript.exe is used to execute the script and, based on the presence of Event Log messages coming from the script, I'd say it's running.
It's unclear to me why the entries that are supposed to be created by route.exe aren't being created properly on the machine you're testing on. All I can think is that route.exe isn't in the PATH for the ts_block service.
Were I you I'd probably use "Process Monitor" to watch the cscript.exe process running ts_block and observe the command-lines passed to child route.exe processes that it creates.
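The two checks discussed in this thread (does the script actually issue `route add` for every IP it reports as blocked, and does a matching host route then show up in `route print`) can be cross-referenced offline. The script below is an added example, not part of ts_block or this thread; it assumes the DEBUGGING log format shown later in the thread (`Executing route add ... mask 255.255.255.255 <blackhole>` followed by a `Blocked <ip> until ...` line) and the standard Windows 2003 `route print` table layout. The log and routing table it contains are constructed samples using documentation addresses; the blackhole gateway 192.168.254.1 is the value seen in the thread.

```python
import re

# Constructed sample of ts_block DEBUGGING output (format follows the thread).
# 203.0.113.10: route add issued and route present -> ok
# 203.0.113.11: route add issued but route never appeared -> route_missing
# 203.0.113.12: Blocked event written but no route add seen -> no_route_add
SAMPLE_LOG = """\
Logging bad attempt from 203.0.113.10, attempt # 5
Executing route add 203.0.113.10 mask 255.255.255.255 192.168.254.1
Event Log - Event ID: 256, Type: INFORMATION - Blocked 203.0.113.10 until 02.08.2012 20:24:41
Logging bad attempt from 203.0.113.11, attempt # 5
Executing route add 203.0.113.11 mask 255.255.255.255 192.168.254.1
Event Log - Event ID: 256, Type: INFORMATION - Blocked 203.0.113.11 until 02.08.2012 20:25:10
Logging bad attempt from 203.0.113.12, attempt # 5
Event Log - Event ID: 256, Type: INFORMATION - Blocked 203.0.113.12 until 02.08.2012 20:26:02
"""

# Constructed sample of `route print` output (Windows 2003 layout).
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.254.254   192.168.254.10     20
    192.168.254.0    255.255.255.0    192.168.254.10   192.168.254.10     20
     203.0.113.10  255.255.255.255     192.168.254.1   192.168.254.10      1
        127.0.0.0        255.0.0.0         127.0.0.1       127.0.0.1      1
Default Gateway:     192.168.254.254
===========================================================================
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_ADD_RE = re.compile(r"Executing route add " + IPV4 + r" mask " + IPV4 + r" " + IPV4)
BLOCKED_RE = re.compile(r"Blocked " + IPV4 + r" until")
ROUTE_ROW_RE = re.compile(r"^\s*" + IPV4 + r"\s+" + IPV4 + r"\s+" + IPV4 + r"\s+")
HOST_MASK = "255.255.255.255"


def parse_ts_block_log(text):
    """Map each IP the script reports as blocked to the blackhole gateway it
    passed to `route add`, or None if no route add line was logged for it."""
    gateways = {}
    for m in ROUTE_ADD_RE.finditer(text):
        dest, mask, gw = m.groups()
        if mask == HOST_MASK:
            gateways[dest] = gw
    return {m.group(1): gateways.get(m.group(1)) for m in BLOCKED_RE.finditer(text)}


def parse_route_print(text):
    """Return the set of (destination, netmask, gateway) rows from `route print`."""
    routes = set()
    for line in text.splitlines():
        m = ROUTE_ROW_RE.match(line)
        if m:
            routes.add(m.groups())
    return routes


def audit_blocks(log_text, route_text):
    """Classify every blocked IP:
      ok            - route add logged and a /32 route to that gateway exists
      no_route_add  - Blocked event written but the script never ran route add
      route_missing - route add logged but no host route is in the table
      wrong_gateway - host route exists but points somewhere else
    """
    host_routes = {d: gw for d, mask, gw in parse_route_print(route_text) if mask == HOST_MASK}
    result = {}
    for ip, gw in parse_ts_block_log(log_text).items():
        if gw is None:
            result[ip] = "no_route_add"
        elif ip not in host_routes:
            result[ip] = "route_missing"
        elif host_routes[ip] != gw:
            result[ip] = "wrong_gateway"
        else:
            result[ip] = "ok"
    return result


if __name__ == "__main__":
    for ip, status in sorted(audit_blocks(SAMPLE_LOG, SAMPLE_ROUTE_PRINT).items()):
        print(ip, status)
```

On a real server, replace the two samples with the contents of the ts_block debug log and a saved `route print > routes.txt`. A `route_missing` result is the symptom reported above (the script believes it blocked the address but the kernel never got the route), which points at route.exe not running or failing under the service account rather than at the detection logic; `no_route_add` would instead mean the script's own block path is not being reached.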
Tried to block brute force with your tool and got stuck.
It ran perfectly but didn't block anything. I thought it was because my copy of Windows is Russian.
I opened event viewer/security and there was only 'audit success'. It's a case!
Looks like Win 2003 defaults to only logging successful tries. Opened gpedit.msc, computer/windows/local/audit/login → success and failure.
And result appeared just after 5 seconds :)
Logging bad attempt from 220.127.116.11, attempt # 1
Logging bad attempt from 18.104.22.168, attempt # 2
Logging bad attempt from 22.214.171.124, attempt # 3
Logging bad attempt from 126.96.36.199, attempt # 4
Logging bad attempt from 188.8.131.52, attempt # 5
Executing route add 184.108.40.206 mask 255.255.255.255 192.168.254.1
Event Log - Event ID: 256, Type: INFORMATION - Blocked 220.127.116.11 until 02.08.2
I think you should add this to the readme because it's not obvious.
I'm glad to hear that it is working for you and on a Russian version of Windows.
I will make a note to include details about auditing in the README file.
Thank you for sharing this program.
How do I verify TS_Block is running? I installed TS_Block, applied the .adm file and used nssm to create a service on a Windows 2003 server. But the event log is still filling up with failed logins. I tried to use nssm again, and it tells me that the service is already installed. What settings for Block Attempts, Block Duration, Block Timeout do you recommend?
@kimala you should stop the service and start ts_block.vbs manually to debug its settings.
Thank you for sharing your coding talent and time to help stop brute force attacks.
I fumbled around a bit to get it installed on my Windows 2003 Server -- so I'm sharing my experience and adding some notes in hope to make things a little easier for others to install for their needs.
Installation of Service
It would be cool to know if there are any other logs or ways to know it's working.
I had over 50 successful blocks revealed in the Event Log -> Application. Thanks!!!
I'm closing this due to inactivity