Could you support custom IP reporting? #37
@snblackout I moved this issue here
I've got a question about the custom reporting. Yeah, I can add that, no problem, but it would be nicer if the WebAPI would just dump events to the event log. If that was the case, it would just be a new task in the config.xml. If that's not possible, I guess I could add additional sources like databases or even APIs. About that Windows Defender, you're right, it really sucks. I'll have to sign it.
@devnulli I just started using this and did not know that you could customize the config.xml to read in custom event logs. I will take a look at that for sure and see if I can make something work. Thanks!
I'm glad you like it. Let me know if you still need custom reporting after you're finished. You can use the console app to test your custom task.
Hey, @snblackout, did it work? Greetings, Mike
Hello @devnulli I haven't tried it yet, but it is on my list. Sorry, I can't get to it that quickly with other things pending. I do have a question though. I was looking through the config, and there are settings that suggest an IP could become perma-banned automatically. I have a server, which is in the AWS realm of IP blocks, that is really getting hammered, and it's a long list of IPs that are temp banned, but I haven't seen any of them move to perma-banned yet. Am I OK assuming something may not be working to autoban?
Hi, I will test that. I think that it works, and you don't get perma bans because the IPs are so diverse. But I will add the count to the log entries so you can better reflect what happens on your servers. Also, when you are really highly hammered, it's recommendable that you don't use permanent bans, because they will grow very fast and never be removed. Normally, it's just fine to ban attackers temporarily.
The restarting of the service could be it then, because I was reading on here of a memory leak, so people were restarting the service daily to prevent that. Yeah, having some reporting in the logs or some way to track a certain IP better over time would be better. I'm OK with temporary bans, just seeing the list being so huge and none of them getting perma banned made me question it, after seeing in the config that if an IP keeps repeating this because of brute force, just perma ban it.
The memory leak has already been fixed, there is no need to restart anymore. The other thing will be added in a new issue. This issue about custom IP reporting will also remain open (at least for a while).
Oh, great, I'll remove my restart task then. Thanks!
Just realized that's the beta, which I don't have installed, only the latest release. So the memory leak isn't in the latest official release?
@snblackout
Thank you @shimuldn After 16 days of it running on the AWS server, and seeing IP ranges starting with 185.* in the hundreds of entries it seemed, those have finally fallen off. My guess is those were coming from a particular individual's hacking attempt, and they realized the timeouts were happening from the firewall block and may have backed off for now or toned it down to see if an opportunity would arise again. Now this server is matching other servers I'm monitoring for the amount of temp banned IPs at one given time.
@snblackout can I close that, or do you still need custom IP reporting?
@devnulli You can close it. I have yet to dive into the config. Sorry for the delay.
Could you even potentially support custom IP reporting? Possibly EvlWatcher could scan the local database for entries that have been added from other services, like a WebAPI that has detection if an IP is trying to brute its way in. It could add entries into the database table, then EvlWatcher could occasionally scan that table for increases in the count of the trouble IP and act on it?
By the way, I just found your solution. Sucks regarding the Windows Defender, I had to allow the setup program to get it installed and even just to allow the file to remain to do the MD5 scan on it. I'm hoping to test this more and send some money your way for your hard work. I always saw the Failed Audit entries in the event log for RDP and didn't know what to do, thought of writing my own, but look you did it! 👍
Originally posted by @snblackout in #36 (comment)
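The two ideas raised in this thread, feeding the banner from an extra source such as a web API's failure table, and why a flood of diverse IPs produces many temporary bans but no permanent ones while a single repeat offender escalates, can be sketched in a small model. This is an added illustration, not EvlWatcher's code, its config.xml format or its thresholds: the event records, the web-API table layout, the IP addresses and the ban thresholds are all constructed here.

```python
"""Illustrative model of count-based ban escalation over two event sources.

Added example; this is NOT EvlWatcher's code, config.xml format or thresholds.
Both sources below are constructed: records shaped like the source IP pulled
from Windows Security event 4625 (failed logon), and a hypothetical web-API
"failure table" of the kind proposed in the issue.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class BanState:
    recent: Deque[datetime] = field(default_factory=deque)  # failures inside the window
    temp_bans: int = 0                                      # times this IP was temp-banned
    temp_until: Optional[datetime] = None                   # end of the current temp ban
    permanent: bool = False


def build_sample_events() -> Tuple[List[Tuple[str, str]], List[dict]]:
    """Constructed inputs: ten diverse IPs that each fail five times once, and
    one persistent IP that comes back after every temporary ban has expired."""
    base = datetime(2021, 3, 1, 10, 0, 0)
    eventlog: List[Tuple[str, str]] = []
    for i in range(10):                          # diverse, one-off attackers
        for k in range(5):
            ts = base + timedelta(seconds=10 * i + k)
            eventlog.append((ts.isoformat(), f"192.0.2.{i + 1}"))
    for minute in (15, 30):                      # persistent attacker returns twice
        for k in range(5):
            ts = base + timedelta(minutes=minute, seconds=k)
            eventlog.append((ts.isoformat(), "203.0.113.5"))
    # hypothetical web-API table: aggregated failure count per IP and time
    webapi = [{"ts": base.isoformat(), "ip": "203.0.113.5", "failures": 5}]
    return eventlog, webapi


def normalise(eventlog, webapi) -> List[Tuple[datetime, str]]:
    """Flatten both sources into one time-ordered stream of (timestamp, ip) failures."""
    events = [(datetime.fromisoformat(t), ip) for t, ip in eventlog]
    for row in webapi:
        ts = datetime.fromisoformat(row["ts"])
        events.extend((ts, row["ip"]) for _ in range(int(row["failures"])))
    return sorted(events)


def apply_policy(events, temp_threshold=5, window=timedelta(minutes=2),
                 temp_ban=timedelta(minutes=10), perma_after=3):
    """Temp-ban an IP after `temp_threshold` failures inside `window`; make the
    ban permanent once the same IP has been temp-banned `perma_after` times."""
    state: Dict[str, BanState] = defaultdict(BanState)
    log: List[str] = []
    for ts, ip in events:
        s = state[ip]
        if s.permanent or (s.temp_until is not None and ts < s.temp_until):
            continue                             # blocked at the firewall; nothing new to count
        s.recent.append(ts)
        while s.recent and ts - s.recent[0] > window:
            s.recent.popleft()                   # drop failures that aged out of the window
        if len(s.recent) >= temp_threshold:
            s.temp_bans += 1
            s.temp_until = ts + temp_ban
            s.recent.clear()
            if s.temp_bans >= perma_after:
                s.permanent = True               # no expiry: this list only ever grows
                log.append(f"{ts.isoformat()} PERMA {ip} after {s.temp_bans} temp bans")
            else:
                log.append(f"{ts.isoformat()} TEMP  {ip} (temp ban #{s.temp_bans})")
    return state, log


def permanent_ips(state) -> List[str]:
    return sorted(ip for ip, s in state.items() if s.permanent)


def run_demo():
    eventlog, webapi = build_sample_events()
    return apply_policy(normalise(eventlog, webapi))


if __name__ == "__main__":
    state, log = run_demo()
    print("\n".join(log))
    print("permanent:", permanent_ips(state))
```

Running it shows the shape of the situation described above: the ten diverse addresses each earn exactly one temporary ban and then go quiet, so nothing ever crosses the escalation threshold, while 203.0.113.5 is banned permanently on its third return. The per-ban count in each log line is the kind of information that makes this visible without inspecting the firewall, and the permanent set has no removal path, which is why it keeps growing under sustained, widely distributed attack.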