After our Windows servers were placed on the public internet, there were constant brute-force attempts from overseas and domestic IPs against the Remote Desktop and SQL Server service account passwords. So I wrote a PowerShell script that analyses the system security log, automatically detects the attacking source IPs and adds them to the Windows Firewall, so that brute-force IP addresses are filtered automatically.
1. Enable Windows Firewall
In the Start menu Run box, enter wf.msc to open the firewall management console, and enable the firewall for all profiles.
2. Create an inbound firewall rule
Select in turn: Inbound Rules -> New Rule.
Name must be: MY BLACKLIST
Action: Block
Scope: Remote IP address, choose "These IP addresses" and enter one IP during the initial configuration. Otherwise the firewall will block all inbound traffic.
3. Download and run the script
Change the address 10.1.1.20 in the script to the IP address you use for remote access, so that a trusted address is never added to the firewall and you are not locked out. Then run the downloaded script in PowerShell.
Because by default the system only runs code with a trusted digital signature, the script may fail to run. There are two solutions:
1. Adjust the PowerShell execution policy to trust all local PowerShell scripts.
# Scripts downloaded from the network will prompt that they need a signature
set-executionpolicy remotesigned
# To restore mandatory signing, use the command below:
# it verifies the signature of every script and refuses to run any that fails verification.
set-executionpolicy AllSigned
2. Create a self-signed certificate and sign the script.
See another article on this site: "Signing PowerShell code with a self-signed certificate".
3. The full script is as follows
# Modify the port numbers below to match your application
# Run script: powershell.exe -file <this script>
# Cancel run: CTRL+C
# This code has been signed with the Pactera EDS data certificate
# To change the security policy so that all local code runs: set-executionpolicy remotesigned
# Change 10.1.1.20 to your trusted remote access IP
$trustedIP = "10.1.1.20";
$threshold = 8;             # failed attempts within the newest 1000 events before an IP is blocked
$tick = 0;
"Start to run at: " + (get-date);

# Message filters. Note: these match the English event text that Get-EventLog
# returns; on a system with another display language, adjust the patterns.
$regex2 = [regex] "Source Network Address:\t(\d+\.\d+\.\d+\.\d+)";   # failed RDP logon (event 4625)
$regex3 = [regex] "CLIENT: (\d+\.\d+\.\d+\.\d+)";                    # SQL Server login failure (event 18456)

# The rule's RemoteAddresses is a comma-separated list such as
# "1.2.3.4/255.255.255.255,5.6.7.8/255.255.255.255"; compare whole addresses
# rather than using -match, where "." would match any character.
function Test-AlreadyBlocked([string]$ruleAddresses, [string]$ip) {
    $blocked = $ruleAddresses -split "," | ForEach-Object { ($_ -split "/")[0].Trim() };
    return ($blocked -contains $ip);
}

# Count, per source address, how many of the newest 1000 events of the given
# log pass the filter; the address is extracted with $regex.
function Get-FailedLogonCounts([string]$log, [scriptblock]$filter, [regex]$regex) {
    Get-EventLog $log -Newest 1000 | Where-Object $filter | ForEach-Object {
        $regex.Match($_.Message).Groups[1].Value;
    } | Where-Object { $_ } | Group-Object;
}

while ($True) {
    "Running... (tick:" + $tick + ")"; $tick += 1;
    $blacklist = @();

    # Get the IPs already blocked by the "MY BLACKLIST" firewall rule
    $fwDefault = New-Object -ComObject HNetCfg.FwPolicy2;
    $myruleBlockIPs = ($fwDefault.Rules | Where-Object { $_.Name -eq "MY BLACKLIST" } | Select-Object -First 1).RemoteAddresses;

    # Port 3389: failed RDP logons (event 4625, logon type 10).
    # Note: with Network Level Authentication enabled, failed RDP logons are
    # usually recorded with logon type 3 instead; adjust the filter if needed.
    $a = netstat -ant | Select-String ":3389";
    if ($a.Count -gt 0) {
        $ips = Get-FailedLogonCounts "Security" { $_.EventID -eq 4625 -and $_.Message -match "Logon Type:\s+10" } $regex2;
        foreach ($g in $ips) {
            $ip = $g.Name; $attack_count = $g.Count;
            if (-not (Test-AlreadyBlocked $myruleBlockIPs $ip)) {
                "Found attacking IP on 3389: " + $ip + ", with count: " + $attack_count;
                if ($attack_count -ge $threshold) { $blacklist += $ip; }
            }
        }
    }

    # Port 1433: SQL Server login failures (event 18456 in the Application log)
    $mssqlserver = netstat -ant | Select-String ":1433";
    if ($mssqlserver.Count -gt 0) {
        $ips = Get-FailedLogonCounts "Application" { $_.EventID -eq 18456 } $regex3;
        foreach ($g in $ips) {
            $ip = $g.Name; $attack_count = $g.Count;
            if (-not ($blacklist -contains $ip) -and -not (Test-AlreadyBlocked $myruleBlockIPs $ip)) {
                "Found attacking MS-SQLServer IP on 1433: " + $ip + ", with count: " + $attack_count;
                if ($attack_count -ge $threshold) { $blacklist += $ip; }
            }
        }
    }

    # Firewall change: append each new IP to the rule's remote address list
    foreach ($ip in $blacklist) {
        $fw = New-Object -ComObject HNetCfg.FwPolicy2;
        $myrule = $fw.Rules | Where-Object { $_.Name -eq "MY BLACKLIST" } | Select-Object -First 1;
        if ($myrule -and -not (Test-AlreadyBlocked $myrule.RemoteAddresses $ip) -and ($ip -ne $trustedIP)) {
            # (Get-Date) + "..." throws (DateTime + string), so format one string instead
            "$(Get-Date) Adding this IP into firewall blocklist: $ip";
            $myrule.RemoteAddresses += ("," + $ip);
        }
    }
    Start-Sleep -Seconds 30;   # pause 30 secs
} # end of top while loop
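As an added example (the editor's code, not the script from this post), here is the same RDP detection built on Get-WinEvent and the NetSecurity cmdlets available since Windows 8 / Server 2012. It reads the IpAddress and LogonType fields from each 4625 event's XML instead of matching the localized Message text, so it works whatever the display language, and it updates the rule through Set-NetFirewallAddressFilter rather than the HNetCfg COM object. The rule name MY BLACKLIST and the trusted address 10.1.1.20 are taken from the post; the threshold, the one-hour window and the sample events are assumptions made here.

```powershell
# Editor's example, not the post's script. Assumes the inbound block rule
# "MY BLACKLIST" already exists (step 2 of the post) and runs from an elevated prompt.
$RuleName  = "MY BLACKLIST"
$Trusted   = @("10.1.1.20")     # never block the trusted remote-access address
$Threshold = 8                  # assumed: failures per source before blocking

# Pull the named EventData fields out of a 4625 event's XML. Unlike the
# Message property this is language-independent.
function Get-FailedLogon([xml]$EventXml) {
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        IpAddress = $data['IpAddress']
        LogonType = [int]$data['LogonType']
        User      = $data['TargetUserName']
    }
}

# Count failures per source address. With Network Level Authentication
# enabled, failed RDP logons are normally type 3 rather than 10, so both count.
# $Events may be supplied (e.g. the constructed samples below); otherwise the
# Security log of the last $Hours hours is read.
function Get-BruteForceSources([int]$Hours = 1, [int]$Threshold = 8, [object[]]$Events = $null) {
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ForEach-Object { [xml]$_.ToXml() }
    }
    $Events | ForEach-Object { Get-FailedLogon $_ } |
        Where-Object { $_.IpAddress -match '^\d+\.\d+\.\d+\.\d+$' -and $_.LogonType -in 3, 10 } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ IpAddress = $_.Name; Failures = $_.Count } }
}

# Add addresses to the block rule's remote address filter, skipping the
# trusted list and anything already present.
function Add-BlockedAddress([string[]]$Addresses) {
    $filter  = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
    $current = @($filter.RemoteAddress)
    $new = $Addresses | Where-Object { $_ -notin $Trusted -and $_ -notin $current }
    if ($new) {
        Set-NetFirewallAddressFilter -InputObject $filter -RemoteAddress ($current + $new)
        "$(Get-Date -Format s) blocked: $($new -join ', ')"
    }
}

# Constructed sample events (not real log data) so the parser can be exercised
# offline: nine failures from one address, two from another.
function New-SampleEvent([string]$Ip, [int]$LogonType) {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}
$sampleEvents = @(1..9 | ForEach-Object { New-SampleEvent '203.0.113.7' 3 }) +
                @(1..2 | ForEach-Object { New-SampleEvent '198.51.100.9' 10 })
Get-BruteForceSources -Events $sampleEvents -Threshold $Threshold | Format-Table

# Live use against the real log (needs an elevated prompt on the server):
# $hits = Get-BruteForceSources -Hours 1 -Threshold $Threshold
# if ($hits) { Add-BlockedAddress $hits.IpAddress }
```

Because Get-WinEvent filters on event ID and time in the log service itself, this scans far less data than reading the newest 1000 events of the whole Security log, and using a time window instead of an event count keeps the threshold meaningful on a busy server.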
Please credit when reposting: Automated Ops » Automatically filtering brute-force IPs with PowerShell