Builds on and automates Nathan Studebaker's brute force attack detection and blacklisting on Windows Server with powershell script. See: https://blog.watchpointdata.com/rdp-brute-force-attack-detection-and-blacklisting-with-powershell. Like Fail2Ban or DenyHosts but for Microsoft Windows. Bans, blocks and blacklists IP addresses with multiple fa…
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
config
work
EZWinBan.iss
README.md
process.ps1

README.md

EZWinBan

EZWinBan builds on and automates Nathan Studebaker's brute force attack detection and blacklisting on Windows Server with powershell script. See: https://blog.watchpointdata.com/rdp-brute-force-attack-detection-and-blacklisting-with-powershell. Like Fail2Ban or DenyHosts, but for Microsoft Windows.

My driver behind enhancing this script (and building an easy to use installer with InnoSetup) was preventing AD account lockouts (EventCode 4740) due to brute force or purposeful denial of service attacks against known AD accounts. It has proven to be quite effective for this task.

EZWinBan is a Powershell script that is triggered via Scheduled Task. It parses events (code 4625) from the Windows "Security" log every 1 minute, extracts the IP address from each event, counts the number of login failures from each IP, notes any that are over the threshold, checks IPs against the whitelist, and adds offending IP addresses to the scope of a Windows firewall rule. History and expiry is maintained in text files; once daily, IPs whose bans have expired are removed (based on the contents of the historical text files).

Although EZWinBan is awesome, if you are looking for a more mature and robust approach to IP banning on Windows, IPBan is worth a look.

Features

  • Easy to get started - run the installer and begin banning problematic IPs in seconds
  • Works on Windows Server 2008+
  • Automatically ban IPs that repeatedly fail to login to various Microsoft services (anything that logs EventCode 4625 to the "Security" log upon login failure) - examples include: IIS virtual SMTP server, Remote Desktop Services (RDS/RDP), SMB/CIFS, etc.
  • Configurable settings: ban time (how long IPs remain banned), number of authentication failures resulting in a ban, time span (interval) to "look back" for failed logins in the event log
  • Ability to whitelist IPs and/or subnets
  • Tiny foot print - less than 1 MB installed
  • Simple solution - easy to understand and customize (based on built-in Windows components like PowerShell, Windows Firewall, and Task Scheduler)

Usage (basic)

  • Download and run the installer - this creates a EZWinBan folder in %programfiles%, a firewall rule that EZWinBan will manipulate, and a Scheduled Task that runs EZWinBan (process.ps1).

Usage (advanced)

  • Additional configuration is possible using the files in %programfiles%\EZWinBan\config

    • settings.ini
      • How many DAYS IPs remain banned (LOCKOUTDURATION)
      • How many failed login attempts trigger a ban (FAILEDLOGINTHRESHOLD)
      • How many MINUTES EZWinBan "looks back" in the event log for failed logins (LOGLOOKBACKINTERVAL) - useful for "slow" attacks where login failures do not occur within the 1 minute intervals that EZWinBan runs
    • whitelist.txt
      • Add IP addresses and/or subnets that should never be banned - see comments in the file for formatting
  • EZWinBan runs every 1 minute by default (via Scheduled Task) - wait ~1 minute and check %programfiles%\EZWinBan\work and you should see a "work file" created and named after the current date. That indicates that EZWinBan is being executed properly. If you open Windows Firewall and access the rule called "EZWinBan," you should see IP addresses under the Scope tab that match those written to the work file.

  • To remove EZWinBan, simply uninstall it from Apps or Programs and Features.

  • You can customize/rebuild the EZWinBan installer as needed using Inno Setup and the included .iss file.

  • It is advisable to disable NTLM on your Windows servers as well (assuming you are not using it) - see Network Security: Restrict NTLM: Incoming NTLM Traffic

Useful diagnostic commands

Get a list of banned IPs from the firewall rule

((New-Object -ComObject hnetcfg.fwpolicy2).rules | where {$_.name -eq 'EZWinBan'}).remoteaddresses -split(',')

Get a list of banned IPs from the work files

Should match "banned IPs from the firewall rule," minus 255.255.255.254/255.255.255.255

get-content -path $env:programfiles'\EZWinBan\work\*.log' | Get-Unique

Get the count of banned IPs from the firewall rule

If no IPs are banned this shows as 1 because of the "placeholder" IP, 255.255.255.254/255.255.255.255

((New-Object -ComObject hnetcfg.fwpolicy2).rules | where {$_.name -eq 'EZWinBan'}).remoteaddresses -split(',') | measure-object

Get the count of banned IPs from the work files

Should match ("count of banned IPs from the firewall rules" - 1)

get-content -path $env:programfiles'\EZWinBan\work\*.log' | Get-Unique | measure-object

List IPs with login failures from the Security event log for the last 15 minutes

Get-WinEvent -FilterHashtable @{LogName="Security";ID="4625";StartTime=(Get-Date).AddMinutes(-15)} -ErrorAction SilentlyContinue | ForEach { ([xml]$_.ToXml()).Event.EventData.Data[19] } | select-object '#text'

Show top /8 subnets blocked in the firewall rule

$blockedIPs=((New-Object -ComObject hnetcfg.fwpolicy2).rules | where {$_.name -eq 'EZWinBan'}).remoteaddresses -split(',')
$blockedIPs.split(".",2) | where-object {!($_.contains("."))} | group-object | sort-object

Limitations and To Do

  • Banned IP expiry interval is in days only (not hours, minutes, etc.)
  • Banned IP expiry is calendar day based and not based on when IPs are banned. For example, if an IP is banned at 11:59 PM, it could be unbanned at 12:00 AM (technially the next day but only 1 minute later)
  • No history or logging, except the work files (which are deleted as bans expire)

Acknowledgements

Nathan Studebaker: RDP Brute Force Attack Detection and Blacklisting with Powershell - Genius approach and implementation to Powershell-based event log (EventCode 4740) analysis and lockout (Windows firewall).

Joel Sallow: Check a list of IP's against a list of subnets - quick and easy ip/subnet comparison code (Powershell).

Jordan Russell and Martijn Laan: Inno Setup - Best installer creation tool ever!

Others, as cited inline in process.ps1