Jump to content
faldo

RDP antihammer/blacklist generator

Recommended Posts

Hi,
I thought i'd share a small script that scans your Windows Eventlog and generates a blacklist/firewall block rule of IPs that tries to hammer your RDP connection with wrong credentials. Yes, i know it's not best practice to have RDP open to the internet but sometimes it's just more practical. I havn't had time to create a loop in the script itself but you can run it in windows scheduler with a 10 minute recurrence.

This is a quick and dirty solution and for those that like the idea, please feel free to improve/tidy the code.

#RequireAdmin
#include <Date.au3>
#include <array.au3>
#include <File.au3>

Global $IpListFile = @scriptdir &"\RdpBlockIP.txt"
Global $LogFile = @scriptdir &"\RdpBlockLog.txt"
Global $EventlogOutput = @scriptdir &"\EventlogOutput.xml"
Global $FailedAttepts = IniRead(@scriptdir &"\RdpBlock.ini", "Settings", "FailedAttempts", "3")
Global $WithinMinutes = IniRead(@scriptdir &"\RdpBlock.ini", "Settings", "WithinMinutes", "720")
Global $Whitelist = IniRead(@scriptdir &"\RdpBlock.ini", "Settings", "Whitelist", "192.168.0")

Global $LogArray[0][2]
Global $BlacklistArray[0]

RunWait(@ComSpec & " /c " & 'wevtutil qe "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational" "/q:*[System [(EventID=140)]]" /c:2000 /rd:true /f:xml>'&$EventlogOutput , "", @SW_HIDE)
$FileArray = FileReadToArray ( $EventlogOutput )
FileDelete($EventlogOutput)


;Fill $LogArray with last hours logs
$FirstStamp = 0
For $i = 0 to UBound($FileArray) -1
    $LineArray = StringSplit ( $FileArray[$i], ">" )
    $IP = StringTrimRight($LineArray[29], 6)
    $StampArray = StringSplit($LineArray[16], "'")
    $StampArray = StringSplit($StampArray[2], "T")
    $Date = $StampArray[1]
    $TimeArray = StringSplit($StampArray[2], ".")
    $Time = $TimeArray[1]

    $sFill = $IP&"|"&$Date&" "&$Time
    If $FirstStamp = 0 then $FirstStamp = $Date&" "&$Time
    If _DateDiff('n', $Date&" "&$Time, $FirstStamp) = $WithinMinutes then ExitLoop
    _ArrayAdd($LogArray,$sFill)
Next


For $i = 0 to Ubound($LogArray)-1
    $SarchIP = _ArrayFindAll ( $LogArray, $LogArray[$i][0])
    If StringInStr($Whitelist, $LogArray[$i][0]) Then
    Else
        If Ubound($SarchIP) >= $FailedAttepts Then _ArrayAdd($BlacklistArray, $LogArray[$i][0])
    EndIf
Next

;Unless first run, include IPs from file
If FileExists ($IpListFile) then
    ;Concatenate old with new array of IPs and delete duplicates
    $FileArray = FileReadToArray ( $IpListFile )
    $FileIpCount = Ubound($FileArray)
    _ArrayConcatenate ( $FileArray, $BlacklistArray)
    $IpUniqueArray = _ArrayUnique ( $FileArray)
    If $IpUniqueArray[0] - $FileIpCount > 0 then _FileWriteLog($LogFile, 'Adding '& $IpUniqueArray[0] - $FileIpCount & ' addresses to current list ('&$FileIpCount&'), now '&$IpUniqueArray[0]&' in total.' )

    ;Write IP list to file
    _ArraySort ($IpUniqueArray, 0, 1, $IpUniqueArray[0])
    $IpList = _ArrayExtract ( $IpUniqueArray , 1 , $IpUniqueArray[0])
    FileDelete($IpListFile)
    _FileWriteFromArray($IpListFile, $IpList)
Else
    $IpUniqueArray = _ArrayUnique ($BlacklistArray)
    _ArraySort ($IpUniqueArray, 0, 1, $IpUniqueArray[0])
    _FileWriteLog($LogFile, 'Adding '& $IpUniqueArray[0]& ' addresses to list of RDP blacklist.')
    $IpList = _ArrayExtract ( $IpUniqueArray , 1 , $IpUniqueArray[0])
    _FileWriteFromArray($IpListFile, $IpList)
EndIf

;Delete old FW rules
RunWait(@ComSpec & " /c " & 'netsh advfirewall firewall show rule status=enabled name=all | find "RdpBlacklist" > '&@ScriptDir&'\output.txt' , "", @SW_HIDE)
$Output = FileRead ( @ScriptDir&'\output.txt')
FileDelete(@ScriptDir&'\output.txt')
$Output = StringReplace($Output, "Rule Name:", "")
$Output = StringReplace($Output, " ", "")
$RulesArray = StringSplit($Output, @LF)
For $d = 1 to $RulesArray[0]-1
    RunWait(@ComSpec & " /c " & 'netsh advfirewall firewall delete rule name='&$RulesArray[$d] , "", @SW_HIDE)
Next

;Create FW rules with max 100 IPs per rule (native limit)
For $i = 1 to $IpUniqueArray[0] Step 100
    If $i+99 > $IpUniqueArray[0] then
        $SplitIpArray = _ArrayExtract ( $IpUniqueArray , $i, $IpUniqueArray[0] )
        $IpString = _ArrayToString($SplitIpArray, ",")
        If $IpString > "" then RunWait(@ComSpec & " /c " & 'netsh advfirewall firewall add rule name="RdpBlacklist'&StringFormat("%04d", $i)&'-'&StringFormat("%04d", $IpUniqueArray[0])&'" dir=in interface=any action=block remoteip='&$IpString, "", @SW_HIDE)
    Else
        $SplitIpArray = _ArrayExtract ( $IpUniqueArray , $i, $i+99)
        $IpString = _ArrayToString($SplitIpArray, ",")
        If $IpString > "" then RunWait(@ComSpec & " /c " & 'netsh advfirewall firewall add rule name="RdpBlacklist'&StringFormat("%04d", $i)&'-'&StringFormat("%04d", $i+99)&'" dir=in interface=any action=block remoteip='&$IpString, "", @SW_HIDE)
    EndIf
Next

The script operates with a simple ini file called RdpBlock.ini that you can create yourself or just download the attached one.

[Settings]
FailedAttempts=5
WithinMinutes=10
Whitelist=

RdpBlock.ini

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...