Added SSL RDP Logins support (Checked only on 2012R2)

DailyBan.ps1

@@ -0,0 +1,79 @@
+################################################################################
+# Script that looks up log for failed rdp ssl logins and permaban if amount 
+# exceeded. Added this due to a bunch of rate limited rdp-ssl bruteforce 
+# attempts that can be detected only on a long run
+#
+# TODO: stats/logs/etc
+################################################################################
+
+$wail2banInstall = ""+(Get-Location)+"\"
+$ConfigFile      = $wail2banInstall+"wail2ban_config.ini" # Using only whitelist from config
+$Period          = 86400000                               # Depth of log to analyze in milliseconds
+$Fails           = 20                                     # Number of fails per $Period for permanent ban
+
+
+$WhiteList = @()
+switch -regex -file $ConfigFile {
+    "^\[(.+)\]$" {
+		$Header = $matches[1].Trim()
+    }
+    "^\s*([^#].+?)\s*=\s*(.*)" {
+		$Match1 = $matches[1]
+		$Match2 = $matches[2]
+
+		switch ($Header) { 
+		"Whitelist" { $WhiteList += $Match1; }		
+		}	
+    }
+} 
+
+$WhiteList += (Get-NetIPAddress -AddressFamily IPv4).IPAddress
+
+#Convert subnet Slash (e.g. 26, for /26) to netmask (e.g. 255.255.255.192)
+function netmask($MaskLength) { 
+	$IPAddress =  [UInt32]([Convert]::ToUInt32($(("1" * $MaskLength).PadRight(32, "0")), 2))
+	$DottedIP = $( For ($i = 3; $i -gt -1; $i--) {
+	  $Remainder = $IPAddress % [Math]::Pow(256, $i)
+	  ($IPAddress - $Remainder) / [Math]::Pow(256, $i)
+	  $IPAddress = $Remainder
+	 } )
+
+	Return [String]::Join('.', $DottedIP)
+}
+
+#check if IP is whitelisted
+function whitelisted($IP) { 
+	foreach ($white in $Whitelist) {
+		if ($IP -eq $white) { $Whitelisted = "Uniquely listed."; break} 
+		if ($white.contains("/")) { 
+			$Mask =  netmask($white.Split("/")[1])
+			$subnet = $white.Split("/")[0]
+			if ((([net.ipaddress]$IP).Address          -Band ([net.ipaddress]$Mask).Address ) 	-eq`
+				(([net.ipaddress]$subnet).Address -Band ([net.ipaddress]$Mask).Address )) { 
+				$Whitelisted = "Contained in subnet $white"; break;
+			}
+		}
+	}
+	return $Whitelisted
+} 
+
+
+$Events = Get-WinEvent -FilterXPath "*[System[EventID=140 and TimeCreated[timediff(@SystemTime) <= $Period]]]" -LogName Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+$Failed = $Events.Properties.Value | Group-Object | Sort-Object Count | Select-Object Count,Name
+$Failed= $Failed | ?{$_.Count -gt $Fails}
+$Failed = $Failed.Name
+$Rule = Get-NetFirewallRule -DisplayName "Wail2ban persistent" -ErrorAction SilentlyContinue
+if (!$Rule) {$Rule = New-NetFirewallRule -DisplayName "Wail2ban persistent" -Action Block -Direction Inbound -Enabled False -Profile Any}
+$Exisitng = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
+$TotalList = $Failed+$Exisitng | Sort -Unique
+$ApplyList=@()
+foreach ($ip in $TotalList){
+	if ($ip -notmatch "Any") {
+		$res=whitelisted($ip); if(!$res){$ApplyList+=$ip}
+	}
+}
+if ($ApplyList.Count -gt 0){
+	$Rule | Set-NetFirewallRule -RemoteAddress $ApplyList -Enabled true
+}else{
+	$Rule | Set-NetFirewallRule -RemoteAddress "Any" -Enabled false
+}

README.md

@@ -20,6 +20,7 @@ installation
 Installing wail2ban is a case of a view simple tasks: 
 
  * copy all the repository files to a location on the client machine, e.g. `C:\scripts\wail2ban`
+ * Import RdpCoreTS_EventLog.reg and restart if you want to trigger on Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational failed login attempts.
  * Using Task Scheduler, import the `start wail2ban onstartup.xml` file to automatically create a scheduled task to start the script when the machine boots. 
  * Initiate the script by running the `start wail2ban.bat` file. This is what the scheduled task starts. 
 

start_dailyban.bat

@@ -0,0 +1,2 @@
+cd c:\scripts\wail2ban\
+start powershell -executionpolicy bypass -file .\DailyBan.ps1

start_wail2ban.bat

@@ -1,2 +1,2 @@
 cd c:\scripts\wail2ban\
-start powershell .\wail2ban.ps1
+start powershell -executionpolicy bypass -file .\wail2ban.ps1

wail2ban.ps1

@@ -50,7 +50,7 @@ $BannedIPLog	 = $wail2banInstall+"bannedIPLog.ini"
 $RecordEventLog     = "Application"     # Where we store our own event messages
 $FirewallRulePrefix = "wail2ban block:" # What we name our Rules
 
-$EventTypes = "Application,Security,System"	  #Event logs we allow to be processed
+$EventTypes = "Application,Security,System,Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"	  #Event logs we allow to be processed
 
 New-Variable -Name RegexIP -Force -Value ([regex]'(?<First>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Second>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Third>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Fourth>2[0-4]\d|25[0-5]|[01]?\d\d?)')
 
@@ -97,10 +97,7 @@ switch -regex -file $ConfigFile {
 
 
 #We also want to whitelist this machine's NICs.
-$SelfList = @() 
-foreach ($listing in ((ipconfig | findstr [0-9].\.))) {
-	if ($listing -match "Address" ){ 	$SelfList += $listing.Split()[-1] }
-} 
+$SelfList = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
 
 ################################################################################
 # Functions

wail2ban_config.ini

@@ -4,6 +4,8 @@
 4625=RDP Logins
 [Application]
 18456=MSSQL Logins
+[Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational]
+140=SSL RDP Logins
 [Whitelist]
 # Add your whitelist here, in the format `IP = Comment`
 # Supports plain IPs , e.g. `12.34.56.78  = My Machine`