Securing your Windows Dedicated Server

IPBan – The Simplest Way to Block Hackers and Remote Desktop Attempts In Windows Server 2008 or newer




Is your Windows server getting hacked? Do you need to block IP addresses in Windows? Dealing with a brute force attack? Then IPBan is for you.

A while ago, I noticed a disturbing trend in the event viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the IP address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the Windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This actually caused significant CPU (10%+) and disk IO as the event viewer continually wrote failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free (if you install it yourself) tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses as found in the event log for audit-failure events. It is very configurable as well.

Features include:
- Duration to ban IP address
- Number of failed login attempts before ban
- Whitelist of comma separated IP addresses or regex to never ban
- Blacklist of comma separated IP addresses or regex to always ban
- Custom prefix to Windows Firewall rules
- Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
- Refreshes config so no need to restart the service when you change something
- Highly configurable, ban anything that comes through Windows Event Viewer
- A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
- Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.




Testimonials:

A few days ago I was checking the event logs for my server that hosts a MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily set up a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

- Jim

Bravo! This is a masterpiece!

- Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

- Matt C




Visit this Project on GitHub



216 Thoughts on “Securing your Windows Dedicated Server”

  1. Hello Jeff,

    I want to test your great software in a server 2008R2 but I get an error in the logfile when I start the service, maybe caused by the server’s language that is French.

    I paste the logfile, can you help tell me what is the problem please?

    [logfile]

    2014-04-17 16:37:33.2560|INFO|FileLogger|Started IPBan service
    2014-04-17 16:37:33.3184|ERROR|FileLogger|System.OverflowException: Impossible d’analyser TimeSpan, car au moins l’un des composants numériques se situe en dehors de la plage ou contient trop de chiffres.
    à System.Globalization.TimeSpanParse.TimeSpanResult.SetFailure(ParseFailureKind failure, String failureMessageID, Object failureMessageFormatArgument, String failureArgumentName)
    à System.Globalization.TimeSpanParse.ProcessTerminal_HMS_F_D(TimeSpanRawInfo& raw, TimeSpanStandardStyles style, TimeSpanResult& result)
    à System.Globalization.TimeSpanParse.ProcessTerminalState(TimeSpanRawInfo& raw, TimeSpanStandardStyles style, TimeSpanResult& result)
    à System.Globalization.TimeSpanParse.TryParseTimeSpan(String input, TimeSpanStandardStyles style, IFormatProvider formatProvider, TimeSpanResult& result)
    à System.Globalization.TimeSpanParse.Parse(String input, IFormatProvider formatProvider)
    à IPBan.IPBanConfig..ctor() dans c:\Users\jejohnson\Desktop\Personal\STUFF\trunk\Utilities\IPBan\IPBanConfig.cs:ligne 118
    à IPBan.IPBanService.ReadAppSettings() dans c:\Users\jejohnson\Desktop\Personal\STUFF\trunk\Utilities\IPBan\IPBanService.cs:ligne 77

    [Logfile]

     

    Best regards

    Greg

    • Looks like we are using the current culture to parse time span, this is probably bad, we should change it to invariant culture or you can set the language of your server to English-US…

  2. I completely forgot about that option. I’m pretty sure that should take care of it.

    Thanks!

  3. I had to modify the rules I had in place after a mixup with an IP address being blocked. When I tried to start everything back up I found that the firewall rule wasn’t there anymore.

    I actually have it running on two servers with identical configs and one of them is doing just fine.

    It’s been about 9 months since I’ve had to make any changes to the setup, am I forgetting one of the steps here or overlooking something obvious?

    Thanks!

    • Do you have the option on that resets the rule when the service starts? Specifically the BanFileClearOnRestart property should be false if you want to keep the firewall rules between restarts of the service.

  4. Does it block brute force to IIS FTP?

    • Yes. Failed IIS FTP events are logged in the event viewer with the IP address and IPBan can block them. You will need to edit the config file to look for these entries.

  5. Sam Filler on March 10, 2014 at 4:05 pm said:

    Jeff,

    This looks great, I want to use it for failed IIS logins and 404 file not found errors.

    Any direction you can give me?

    I am using 2008 with IIS8

  6. Ziginox on February 16, 2014 at 2:12 pm said:

    I made a class for UltraVNC http://pastebin.com/y8sW9b97

  7. Hi JJxtra,
    Thanks a lot for your previous answers.

    In my local test server, and in IPBan.exe.config,

    I want to ALLOW IPs from 192.168.0.[3-4] and also all IPs starting with 192.168.1.*
    <add key="WhitelistRegex" value="192\.168\.1\.*|192\.168\.0\.3-4" />

    But I want to BLOCK all others
    <add key="BlacklistRegex" value="*.*.*.*" />

    Unfortunately, I can access by Remote Desktop with IP 192.168.0.2

    Did I make a mistake somewhere?

    Zoe

  8. Hi JJxtra,

    In IPBan.exe.config,

    Let’s assume I want the following 3 RANGES of IPs to be Allowed
    <add key="WhitelistRegex" value="62.235.*.*|80.236.*.*|81.11.*.*" />

    and All Others to be Blocked
    <add key="BlacklistRegex" value="*.*.*.*" />

    Are both syntaxes correct?

    Kind Regards, Zoe
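
An added example, not part of the original comments or IPBan's code: the WhitelistRegex and BlacklistRegex values posted in comments 7 and 8 are glob-style wildcards rather than regular expressions, and this check compares each one against its stated intent written as CIDR networks. It assumes the setting is applied as an unanchored regex search over the IP string (not confirmed on this page) and uses Python's `re` as a stand-in for .NET regex, which treats these constructs the same way; the `FIXED_*` patterns, `INTENT_*` lists and sample addresses are constructed.

```python
import ipaddress
import re

def compiles(pattern):
    """True if the pattern is a valid regular expression at all."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def audit(pattern, intended, samples):
    """Return the sample IPs where an unanchored regex search disagrees
    with the intended allowlist, expressed as CIDR networks."""
    nets = [ipaddress.ip_network(n) for n in intended]
    rx = re.compile(pattern)
    wrong = []
    for ip in samples:
        want = any(ipaddress.ip_address(ip) in n for n in nets)
        if (rx.search(ip) is not None) != want:
            wrong.append(ip)
    return wrong

# Values exactly as posted in the two comments above.
POSTED_7 = r"192\.168\.1\.*|192\.168\.0\.3-4"
POSTED_8 = r"62.235.*.*|80.236.*.*|81.11.*.*"
POSTED_BLACKLIST = r"*.*.*.*"

# What the comments say they want, as CIDR (ground truth for the audit).
INTENT_7 = ["192.168.1.0/24", "192.168.0.3/32", "192.168.0.4/32"]
INTENT_8 = ["62.235.0.0/16", "80.236.0.0/16", "81.11.0.0/16"]

# Anchored, escaped rewrites (constructed for this example).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"
FIXED_7 = rf"^(?:192\.168\.1\.{OCTET}|192\.168\.0\.[34])$"
FIXED_8 = rf"^(?:62\.235|80\.236|81\.11)\.{OCTET}\.{OCTET}$"

# Constructed sample addresses: inside, just outside, and look-alikes.
SAMPLES_7 = ["192.168.0.2", "192.168.0.3", "192.168.0.4", "192.168.1.77",
             "192.168.100.9", "203.192.168.1"]
SAMPLES_8 = ["62.235.10.20", "81.11.0.1", "162.235.1.1", "81.110.4.4"]

if __name__ == "__main__":
    print("blacklist compiles:", compiles(POSTED_BLACKLIST))
    for name, pat, intent, samples in [
        ("posted #7", POSTED_7, INTENT_7, SAMPLES_7),
        ("fixed  #7", FIXED_7, INTENT_7, SAMPLES_7),
        ("posted #8", POSTED_8, INTENT_8, SAMPLES_8),
        ("fixed  #8", FIXED_8, INTENT_8, SAMPLES_8),
    ]:
        print(name, "misclassified:", audit(pat, intent, samples))
```

How IPBan orders whitelist and blacklist checks is not stated on this page, so confirm that precedence on a test machine before blacklisting everything.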

     

  9. Hi,

    My dedicated server is located in the United States, but I want to access it from Europe also by REMOTE ACCESS.

    Does your software block that possibility?

    Kind Regards,

    Zoe

  10. Michael on December 12, 2013 at 1:06 pm said:

    Thank you for this great software. I use Windows 2008 R2. I want to change to Windows Server 2012R2 Datacenter Edition (64 bit). Does support for 2008+ also mean Windows Server 2012?

     
