After the Windows server was exposed to the public internet, there were constant brute-force attempts from overseas and domestic IPs against the Remote Desktop and SQL Server database service account passwords. So I wrote a PowerShell script that analyses the system Security log, automatically detects the source IPs of the attacks and adds them to the Windows Firewall, thereby automatically filtering out brute-force IP addresses.
1. Enable Windows Firewall
From the Start menu choose Run, enter: fw.msc to open the firewall management console, and enable the firewall in all profiles.
2. Create a firewall inbound rule
Choose in turn: Inbound Rules -> New Rule.
Name must be: MY BLACKLIST
Action: Block
Scope: Remote IP address, select "These IP addresses"; an IP must be entered during initial configuration, otherwise the firewall will block all inbound traffic.
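The same rule as in step 2, created with the NetSecurity cmdlets instead of fw.msc, as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later (where Get-NetFirewallRule exists); the seed address 192.0.2.1 is a placeholder, and $ruleName and $seedIP are names chosen here. The final check guards against the lock-out case described above: a rule with no remote address scope blocks everything inbound.

```powershell
# Added example (not the post's script): create the "MY BLACKLIST" inbound
# block rule from PowerShell and verify its scope is populated.
$ruleName = "MY BLACKLIST"
$seedIP   = "192.0.2.1"   # placeholder (documentation range); replace with a real address

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # Name and DisplayName are both set so the HNetCfg COM lookup by Name in the
    # script finds the rule. Profile Any matches "enable in all profiles" in step 1.
    New-NetFirewallRule -DisplayName $ruleName -Name $ruleName `
        -Direction Inbound -Action Block -Profile Any -Enabled True `
        -RemoteAddress $seedIP | Out-Null
}

# The dangerous case is a block rule whose remote scope is "Any": it would
# block all inbound traffic, including your own remote access.
$scope = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
if (-not $scope.RemoteAddress -or $scope.RemoteAddress -eq "Any") {
    Write-Warning "Rule '$ruleName' has no remote address scope; it would block all inbound traffic."
} else {
    "Rule '$ruleName' blocks inbound traffic from: $($scope.RemoteAddress -join ', ')"
}
```

Run it once from an elevated PowerShell before starting the blocking script; it is idempotent, so re-running it does not create a duplicate rule.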
3. Download and run the script
Change the 10.1.1.20 address in the script to the IP address you use for remote access, so that a trusted IP is not added to the firewall and you lock yourself out. Then run the downloaded script in PowerShell.
Because the system by default only runs code with a trusted digital signature, the script may fail to run. There are two solutions:
1. Adjust the PowerShell execution policy to trust all local PowerShell scripts.
# Scripts downloaded from the network will prompt for a signature before running
set-executionpolicy remotesigned
# To restore mandatory signing, use the command below
# It verifies the signature of every script and refuses to run anything that fails verification
set-executionpolicy AllSigned
2. Create a self-signed certificate and sign the script.
See the other article on this site: "Signing PowerShell code with a self-signed certificate".
Script download: click here
3. The full script is as follows
# Modify the port numbers below to match your application
# Run script: powershell.exe -file
# Cancel run: CTRL+C
# This code was signed with a Pactera EDS data certificate
# If you change the security policy to run all local code: set-executionpolicy remotesigned
# Change 10.1.1.20 to your trusted remote access IP

$tick = 0;
"Start to run at: " + (get-date);

# Filters: source address in Security event 4625, client address in SQL Server event 18456
$regex2 = [regex] "Source Network Address:\t(\d+\.\d+\.\d+\.\d+)";
$regex3 = [regex] "CLIENT: (\d+\.\d+\.\d+\.\d+)";

# Exact match of an IP against the rule's comma-separated RemoteAddresses string
# (the firewall stores single hosts as a.b.c.d/255.255.255.255). A plain -match on an
# unescaped IP treats the dots as wildcards and also matches 10.1.1.2 inside 10.1.1.20.
function Test-InRule($ruleAddresses, $ip) {
    return (($ruleAddresses -split ',') | foreach { ($_ -split '/')[0] }) -contains $ip;
}

while ($True) {
    "Running... (tick:" + $tick + ")";
    $tick += 1;
    $blacklist = @();

    # Get the IPs already blocked by the firewall rule
    $fwDefault = New-object -comObject HNetCfg.FwPolicy2;
    $myruleBlockIPs = ($fwDefault.Rules | where {$_.Name -eq "MY BLACKLIST"} | select -First 1).RemoteAddresses;

    # Port 3389 (Remote Desktop): failed logons of type 10 (RemoteInteractive)
    $a = netstat -ant | Select-String ":3389";
    if ($a.count -gt 0) {
        $ips = get-eventlog Security -Newest 1000 |
            Where-Object {$_.EventID -eq 4625 -and $_.Message -match "Logon Type:\s+10"} |
            foreach { $m = $regex2.Match($_.Message); $m.Groups[1].Value; } |
            Where-Object { $_ } |   # drop events whose message had no address
            Sort-Object | Tee-Object -Variable list | Get-Unique;
        foreach ($ip in $ips) {
            if (-not (Test-InRule $myruleBlockIPs $ip)) {
                # Exact comparison; Select-String -SimpleMatch would count 10.1.1.2 as a hit for 10.1.1.20
                $attack_count = @($list | Where-Object { $_ -eq $ip }).count;
                "Found attacking IP on 3389: " + $ip + ", with count: " + $attack_count;
                if ($attack_count -ge 8) { $blacklist = $blacklist + $ip; }
            }
        }
    }

    # Get the MSSQLSERVER failed-audit list (Application log event 18456)
    $mssqlserver = (netstat -ant | Select-String ":1433");
    if ($mssqlserver.count -gt 0) {
        $ips = get-eventlog Application -Newest 1000 |
            Where-Object {$_.EventID -eq 18456} |
            foreach { $m = $regex3.Match($_.Message); $m.Groups[1].Value; } |
            Where-Object { $_ } |
            Sort-Object | Tee-Object -Variable list | Get-Unique;
        foreach ($ip in $ips) {
            if ((-not ($blacklist -contains $ip)) -and (-not (Test-InRule $myruleBlockIPs $ip))) {
                $attack_count = @($list | Where-Object { $_ -eq $ip }).count;
                "Found attacking MS-SQLServer IP on 1433: " + $ip + ", with count: " + $attack_count;
                if ($attack_count -ge 8) { $blacklist = $blacklist + $ip; }
            }
        }
    }

    # Firewall change: append new attackers to the rule's remote address scope
    foreach ($ip in $blacklist) {
        $fw = New-object -comObject HNetCfg.FwPolicy2;
        $myrule = $fw.Rules | where {$_.Name -eq "MY BLACKLIST"} | select -First 1;
        if (-not (Test-InRule $myrule.RemoteAddresses $ip) -and -not ($ip -like "10.1.1.20")) {
            # (get-date) + "..." fails because a DateTime cannot add a string; format it into the string instead
            "$(get-date) Adding this IP into firewall blocklist: " + $ip;
            $myrule.RemoteAddresses += ("," + $ip);
        }
    }

    Start-Sleep -Seconds 30; # pause 30 secs
} # end of top while loop
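The detection and blocking logic of the script, factored into two functions and run over constructed sample event messages so the thresholding can be checked without a live Security log. This is an added example, not the post's script; Get-AttackSources, Add-ToBlacklistRule and the sample messages are names and data chosen here, and the addresses 203.0.113.7 and 198.51.100.4 are documentation-range placeholders.

```powershell
# Added example (not the post's script): the same per-source counting and
# threshold as the script, testable on constructed input.

# Constructed sample messages in the shape of Security event 4625 (Logon Type 10 =
# RemoteInteractive, i.e. RDP). One source fails 9 times, another only 3 times.
$sampleRdpMessages = @()
1..9 | ForEach-Object { $sampleRdpMessages += "An account failed to log on.`r`nLogon Type:`t`t10`r`nSource Network Address:`t203.0.113.7`r`n" }
1..3 | ForEach-Object { $sampleRdpMessages += "An account failed to log on.`r`nLogon Type:`t`t10`r`nSource Network Address:`t198.51.100.4`r`n" }
# A type 3 (network) failure from a fourth host must not count towards the RDP threshold.
$sampleRdpMessages += "An account failed to log on.`r`nLogon Type:`t`t3`r`nSource Network Address:`t192.0.2.9`r`n"

function Get-AttackSources {
    param(
        [string[]]$Messages,
        [regex]$Pattern,                 # capture group 1 must be the source IP
        [string]$Prefilter = $null,      # e.g. "Logon Type:\s+10"; messages not matching it are skipped
        [int]$Threshold = 8,
        [string[]]$TrustedIPs = @()
    )
    # Count failures per source IP in one pass instead of re-scanning the list per IP.
    $counts = @{}
    foreach ($msg in $Messages) {
        if ($Prefilter -and ($msg -notmatch $Prefilter)) { continue }
        $m = $Pattern.Match($msg)
        if (-not $m.Success) { continue }
        $ip = $m.Groups[1].Value
        $counts[$ip] = 1 + [int]$counts[$ip]   # missing key gives $null, which [int] turns into 0
    }
    foreach ($entry in $counts.GetEnumerator()) {
        # Exact membership test, so 10.1.1.2 is never mistaken for the trusted 10.1.1.20
        if ($entry.Value -ge $Threshold -and $TrustedIPs -notcontains $entry.Key) {
            [pscustomobject]@{ IP = $entry.Key; Failures = $entry.Value }
        }
    }
}

function Add-ToBlacklistRule {
    param([string[]]$IPs, [string]$RuleName = "MY BLACKLIST", [switch]$WhatIf)
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $rule = $fw.Rules | Where-Object { $_.Name -eq $RuleName } | Select-Object -First 1
    if (-not $rule) { throw "Firewall rule '$RuleName' not found; create it first (step 2)." }
    # RemoteAddresses is one comma-separated string; single hosts come back as
    # a.b.c.d/255.255.255.255, so compare on the address part only.
    $existing = $rule.RemoteAddresses -split ',' | ForEach-Object { ($_ -split '/')[0] }
    foreach ($ip in $IPs) {
        if ($existing -contains $ip) { continue }
        if ($WhatIf) { "Would add $ip to '$RuleName'"; continue }
        $rule.RemoteAddresses += ("," + $ip)   # takes effect immediately on the live rule
        "$(Get-Date -Format s) added $ip to '$RuleName'"
    }
}

# Usage on the constructed messages; -WhatIf only reports what would change.
$regexRdp = [regex] "Source Network Address:\t(\d+\.\d+\.\d+\.\d+)"
$hits = Get-AttackSources -Messages $sampleRdpMessages -Pattern $regexRdp `
    -Prefilter "Logon Type:\s+10" -Threshold 8 -TrustedIPs @("10.1.1.20")
$hits | Format-Table -AutoSize
if ($hits) { Add-ToBlacklistRule -IPs $hits.IP -WhatIf }
```

With the sample data only 203.0.113.7 reaches the threshold; 198.51.100.4 stays below it and the type 3 failure from 192.0.2.9 is excluded by the prefilter. Swap the sample array for `(Get-EventLog Security -Newest 1000 | Where-Object { $_.EventID -eq 4625 }).Message` to run the same functions against the real log, and drop -WhatIf once the output looks right.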
Please credit when reprinting: 自动化运维 » Using PowerShell to automatically filter brute-force IPs