################################################################################
# Script that scans the RDP (RdpCoreTS) operational log for failed logins and
# permanently bans a client address once its failures within $Period exceed
# $Fails. Added because slow, rate-limited RDP brute-force attempts are only
# detectable over a long window, which the live wail2ban watcher does not cover.
#
# TODO: stats/logs/etc
################################################################################
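# Resolve the install directory from the script's own location, not the caller's
# working directory: a scheduled task typically starts in C:\Windows\System32,
# where the original Get-Location lookup would have read the config from a
# directory the operator never intended (or missed it entirely).
# $PSScriptRoot is empty when the code is pasted interactively, so fall back
# to the working directory in that case only.
$wail2banInstall = if ($PSScriptRoot) { $PSScriptRoot + "\" } else { "" + (Get-Location) + "\" }
$ConfigFile = $wail2banInstall + "wail2ban_config.ini" # Using only whitelist from config
$Period = 86400000 # Depth of log to analyze in milliseconds (24 h)
$Fails = 20 # Number of fails per $Period for permanent ban
$WhiteList = @()
# Fail loudly instead of banning with an empty whitelist: without the config the
# operator's own networks are not exempt, so stop before touching the firewall.
if (-not (Test-Path -LiteralPath $ConfigFile)) {
    throw "wail2ban config file not found: $ConfigFile"
}
$Header = ""
switch -regex -file $ConfigFile {
    "^\[(.+)\]$" {
        $Header = $matches[1].Trim()
    }
    "^\s*([^#].+?)\s*=\s*(.*)" {
        # Only the [Whitelist] section is consumed: the key is an IP or a.b.c.d/n
        # subnet, the value after "=" is a free-text comment that is ignored.
        if ($Header -eq "Whitelist") { $WhiteList += $matches[1] }
    }
}
# The host's own IPv4 addresses are always exempt so the script cannot ban itself.
$WhiteList += (Get-NetIPAddress -AddressFamily IPv4).IPAddress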
#Convert subnet Slash (e.g. 26, for /26) to netmask (e.g. 255.255.255.192)
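# Convert a CIDR prefix length (e.g. 26 for /26) to a dotted-decimal netmask
# (e.g. 255.255.255.192).
#   $MaskLength - prefix length, 0..32. It comes straight from a whitelist entry
#                 in the config file, so it is validated here with a clear error
#                 instead of letting ("1" * $MaskLength) build an oversized bit
#                 string that fails later with an opaque overflow/format error.
# Returns the mask as a string; throws on a non-numeric or out-of-range length.
function netmask($MaskLength) {
    $Bits = 0
    if (-not [int]::TryParse([string]$MaskLength, [ref]$Bits) -or $Bits -lt 0 -or $Bits -gt 32) {
        throw "Invalid CIDR prefix length '$MaskLength' (expected 0..32)"
    }
    # 32-bit mask as a binary string: $Bits ones followed by zeros.
    $MaskValue = [Convert]::ToUInt32(("1" * $Bits).PadRight(32, "0"), 2)
    # Peel off the four octets from most to least significant.
    $Octets = foreach ($Shift in 24, 16, 8, 0) {
        [int]([Math]::Floor($MaskValue / [Math]::Pow(2, $Shift)) % 256)
    }
    return [String]::Join('.', $Octets)
}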
#check if IP is whitelisted
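# Report whether $IP is exempt from banning.
#   $IP - address string taken from the event log or from the existing firewall rule.
# Consults the script-level $WhiteList: entries without "/" must match exactly,
# entries of the form "a.b.c.d/n" match when $IP is an IPv4 address inside that subnet.
# Returns a short reason string when exempt, $null otherwise (callers test truthiness).
# Throws on a malformed subnet entry, so a typo in the config is noticed rather
# than silently leaving the operator's network un-exempted.
function whitelisted($IP) {
    $Whitelisted = $null
    # Parse once. A non-IPv4 value (IPv6 client, "Any", garbage) can still be
    # matched exactly but is never treated as inside an IPv4 subnet; the original
    # [net.ipaddress]$IP / .Address comparison threw on such input and aborted the run.
    $Parsed = $null
    $IsV4 = [System.Net.IPAddress]::TryParse([string]$IP, [ref]$Parsed) -and
            $Parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
    foreach ($white in $Whitelist) {
        if ($IP -eq $white) { $Whitelisted = "Uniquely listed."; break }
        if (-not $IsV4 -or -not ([string]$white).Contains("/")) { continue }
        $Parts = ([string]$white).Split("/")
        $Net = $null
        $Bits = 0
        if (-not [System.Net.IPAddress]::TryParse($Parts[0], [ref]$Net) -or
            $Net.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork -or
            -not [int]::TryParse($Parts[1], [ref]$Bits) -or $Bits -lt 0 -or $Bits -gt 32) {
            throw "Invalid whitelist subnet entry '$white' (expected IPv4 a.b.c.d/0..32)"
        }
        # Compare the first $Bits bits octet by octet; this replaces the dotted
        # netmask + -band dance and needs no conversion to a 32-bit integer.
        $IpBytes = $Parsed.GetAddressBytes()
        $NetBytes = $Net.GetAddressBytes()
        $Match = $true
        for ($i = 0; $i -lt 4 -and $Match; $i++) {
            $OctetBits = [Math]::Max(0, [Math]::Min(8, $Bits - 8 * $i))
            $OctetMask = (0xFF -shl (8 - $OctetBits)) -band 0xFF
            if (($IpBytes[$i] -band $OctetMask) -ne ($NetBytes[$i] -band $OctetMask)) { $Match = $false }
        }
        if ($Match) { $Whitelisted = "Contained in subnet $white"; break }
    }
    return $Whitelisted
}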
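# Collect the offending client addresses from RdpCoreTS event 140 within the
# last $Period milliseconds. On a quiet day Get-WinEvent reports "no events"
# as an error; that is a normal outcome here, so it is silenced. Any other
# error (e.g. the log does not exist because the RDS role is absent) is still
# surfaced as a warning so a misconfigured host does not look merely quiet.
$Events = @(Get-WinEvent -FilterXPath "*[System[EventID=140 and TimeCreated[timediff(@SystemTime) <= $Period]]]" -LogName Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational -ErrorAction SilentlyContinue -ErrorVariable EvtErr)
if ($EvtErr -and $EvtErr[0].FullyQualifiedErrorId -notmatch '^NoMatchingEventsFound') {
    Write-Warning "Reading the RdpCoreTS log failed: $($EvtErr[0])"
}
# Property 0 of event 140 carries the client IP; index it explicitly instead of
# flattening every property of every event into one list and grouping that.
$Failed = @($Events | ForEach-Object { $_.Properties[0].Value } |
    Group-Object |
    Where-Object { $_.Count -gt $Fails } |
    ForEach-Object { $_.Name })
$Rule = Get-NetFirewallRule -DisplayName "Wail2ban persistent" -ErrorAction SilentlyContinue
if (!$Rule) {$Rule = New-NetFirewallRule -DisplayName "Wail2ban persistent" -Action Block -Direction Inbound -Enabled False -Profile Any}
# Previously banned addresses stay banned; "Any" is the placeholder of an empty rule.
$Existing = @(($Rule | Get-NetFirewallAddressFilter).RemoteAddress)
# Both sides are forced to arrays: when exactly one address crossed the threshold,
# the original $Failed.Name was a plain string and "string + array" concatenated
# text ("1.2.3.4Any") instead of building a list, so that attacker was never banned
# (or a garbage entry reached whitelisted() and aborted the run).
$TotalList = @($Failed + $Existing) | Sort-Object -Unique
$ApplyList = @()
foreach ($ip in $TotalList) {
    if ($ip -ne "Any" -and -not (whitelisted $ip)) { $ApplyList += $ip }
}
if ($ApplyList.Count -gt 0) {
    $Rule | Set-NetFirewallRule -RemoteAddress $ApplyList -Enabled True
} else {
    # Nothing to block: park the rule disabled. An enabled inbound Block rule
    # whose RemoteAddress is "Any" would block all inbound traffic.
    $Rule | Set-NetFirewallRule -RemoteAddress "Any" -Enabled False
}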