I had the idea of writing a simple PowerShell script that automatically blocks (blacklists) in Windows Firewall the IP addresses from which RDP brute-force attempts or continuous RDP attacks are detected. The idea is as follows: the PowerShell script analyzes the system event log and, if there have been more than 5 failed attempts to authenticate via RDP from the same IP address within the last 3 hours, that IP address is automatically added to a Windows Firewall blocking rule.
So, there is a small office network. To access it, an RDP port is forwarded through NAT to one of the office computers via the Internet gateway running Linux (TCP 15221 answers from the outside, and the default RDP port 3389 is forwarded inside). From time to time, known user accounts get locked out due to failed attempts to authenticate on the computer via RDP. Our task is to automatically block the IP addresses used to brute-force our RDP server.
First of all, create a firewall rule on the computer that blocks inbound RDP connections from the specified IP addresses:
New-NetFirewallRule -DisplayName "BlockRDPBruteForce" -RemoteAddress 22.214.171.124 -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block
Later we will add the IP addresses from which RDP brute-force attempts are detected to this firewall rule.
You can write an additional allowing rule so that the PowerShell script won't block the IP addresses or subnets you need.
Then you have to obtain from the Windows event log the list of IP addresses from which more than 5 failed authentication attempts have been detected in the last 3 hours. To do it, find the events with EventID 4625 (a failed logon attempt: "An account failed to log on", with LogonType = 3; see the separate article on this event) in the Security log. In the events you have found, extract the IP address of the client trying to connect and check that it appears in the event log more than 5 times.
I am using the following PowerShell code to select the attackers' IP addresses from the list of events for the last 3 hours (you can change the time interval):
$Last_n_Hours = [DateTime]::Now.AddHours(-3)
# 4625 events in the window whose message reports Logon Type 3 (network logon, which is what RDP with NLA produces);
# in a 4625 event the client address is the second-to-last replacement string
$badRDPlogons = Get-EventLog -LogName 'Security' -After $Last_n_Hours -InstanceId 4625 | ? { $_.Message -match 'logon type:\s+(3)\s' } | Select-Object @{ n = 'IpAddress'; e = { $_.ReplacementStrings[-2] } }
# keep only the addresses that failed more than 5 times
$getip = $badRDPlogons | Group-Object -Property IpAddress | Where { $_.Count -gt 5 } | Select -Property Name
To display the list of found IP addresses, use:
$getip
Now add all found IP addresses of attackers to the firewall rule BlockRDPBruteForce created earlier. To manage Windows Firewall, we will use the built-in NetSecurity PowerShell module. First of all, get the list of currently blocked IP addresses and add the new ones to it.
$log = "C:\ps\rdp_blocked_ip.txt"
# @() forces an array: with a single address RemoteAddress is a plain string and += would concatenate text instead of adding an element
$current_ips = @((Get-NetFirewallRule -DisplayName "BlockRDPBruteForce" | Get-NetFirewallAddressFilter).RemoteAddress)
foreach ($ip in $getip)
{
    if ($current_ips -notcontains $ip.Name) # skip addresses the rule already blocks
    {
        $current_ips += $ip.Name
        (Get-Date).ToString() + ' ' + $ip.Name + ' ' + ($badRDPlogons | Where { $_.IpAddress -eq $ip.Name } | Measure-Object).Count + ' attempts in the last 3 hours' >> $log # writing the IP blocking event to the log file
    }
}
Set-NetFirewallRule -DisplayName "BlockRDPBruteForce" -RemoteAddress $current_ips
Make sure that the new IP addresses have been added to the blocking rule in Windows Defender Firewall.
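The following is an added example, not the article's own script: a hardened variant of the same procedure. It uses Get-WinEvent (Get-EventLog is absent from PowerShell 7) and reads the 4625 fields by name from the event XML instead of by ReplacementStrings index, skips the "-" and loopback sources that 4625 records when no network address is known, keeps an allow-list inside the script (Windows Firewall evaluates block rules before allow rules, so an allowing firewall rule does not protect a host once its address lands in the block rule), and drops an "Any" entry from the rule before appending, because "Any" plus a list of addresses would otherwise widen the block. The rule name, log path, thresholds and the allow-list entries are assumptions to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's code. Assumes the rule named below already exists.
param(
    [string]   $RuleName  = 'BlockRDPBruteForce',
    [int]      $Hours     = 3,
    [int]      $Threshold = 5,
    [string]   $LogFile   = 'C:\ps\rdp_blocked_ip.txt',
    # Constructed allow-list (placeholders): exact IPv4 addresses or IPv4 CIDR prefixes never to block.
    [string[]] $AllowList = @('10.0.0.10', '192.168.1.0/24')
)
$ErrorActionPreference = 'Stop'

# True when the IPv4 address $Ip matches an allow-list entry given as an address or a CIDR prefix.
function Test-IPv4InAllowEntry {
    param([string]$Ip, [string]$Entry)
    $net, $bits = $Entry.Split('/')
    if (-not $bits) { return $Ip -eq $net }
    try {
        $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    } catch { return $false }
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv6 never matches an IPv4 entry
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                    # host byte order for ToUInt32
    $mask   = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    return ($ipInt -band $mask) -eq ($netInt -band $mask)
}

# Collect the 4625 events from the window and pull the needed fields out of the event XML by name.
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
$failed = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Type 3 = network logon (RDP with NLA); type 10 = RemoteInteractive (RDP without NLA).
    if ($data['LogonType'] -in '3', '10') {
        [pscustomobject]@{ Time = $e.TimeCreated; IpAddress = $data['IpAddress']; Account = $data['TargetUserName'] }
    }
}

# Offenders: more than $Threshold failures from one address, excluding unknown/loopback sources and allow-listed ranges.
$offenders = $failed |
    Where-Object { $_.IpAddress -and $_.IpAddress -notin '-', '127.0.0.1', '::1' } |
    Group-Object IpAddress |
    Where-Object { $_.Count -gt $Threshold } |
    ForEach-Object { $_.Name } |
    Where-Object { $ip = $_; -not ($AllowList | Where-Object { Test-IPv4InAllowEntry -Ip $ip -Entry $_ }) }

# Merge with what the rule already blocks; an "Any" entry is dropped so the list stays an explicit set of addresses.
$current = @((Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter).RemoteAddress |
             Where-Object { $_ -and $_ -ne 'Any' })
$newBlocks = @($offenders | Where-Object { $current -notcontains $_ })

if ($newBlocks.Count -gt 0) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress ($current + $newBlocks)
    foreach ($ip in $newBlocks) {
        $hits     = @($failed | Where-Object { $_.IpAddress -eq $ip })
        $accounts = (@($hits | ForEach-Object { $_.Account }) | Sort-Object -Unique) -join ','
        $line = '{0} blocked {1}: {2} failed RDP logons in the last {3} h, accounts tried: {4}' -f (Get-Date -Format s), $ip, $hits.Count, $Hours, $accounts
        Add-Content -Path $LogFile -Value $line
    }
}
$newBlocks   # addresses added on this run (empty when nothing new was blocked)
```

Run it elevated from the same scheduled task described below; the log line records which accounts were tried per source, which is useful when deciding whether a lockout was an attack or a misconfigured client on a trusted address that belongs in the allow-list.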
Now you just have to copy this PowerShell code to the file c:\ps\block_rdp_attack.ps1 and add it to Task Scheduler to run every 2 hours, for example.
You can create the scheduled task from PowerShell or manually in the Task Scheduler GUI:
$repeat = (New-TimeSpan -Hours 2)
$duration = ([TimeSpan]::MaxValue)
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval $repeat -RepetitionDuration $duration
$User = "NT AUTHORITY\SYSTEM"
# -File runs the script as a script (not as a command string); Bypass avoids a failure under a Restricted execution policy
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NonInteractive -ExecutionPolicy Bypass -File C:\PS\block_rdp_attack.ps1"
Register-ScheduledTask -TaskName "BlockRDPBruteForce_PS" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
Alternatively, you can run your PowerShell script whenever EventID 4625 appears in the log (see the separate blog post on triggering a script from an event), so you respond to an RDP brute-force attack more quickly.
You can modify this script according to your needs and use it to block RDP attacks.