Securing your Windows Dedicated Server

IPBan – The Simplest Way to Block Hackers and Remote Desktop Attempts In Windows Server 2008 or newer




Is your Windows server getting hacked? Do you need to block IP addresses in Windows? Dealing with a brute force attack? Don’t want to spend your life savings on SysPeace or other overly priced security software? Then IPBan is for you.

A while ago, I noticed a disturbing trend in the event viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the IP address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the Windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This actually caused significant CPU (10%+) and disk IO as the event viewer continually wrote failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free (if you install it yourself) tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses as found in the event log for audit-failure events. It is very configurable as well.

Features include:
- Duration to ban an IP address
- Number of failed login attempts before ban
- Whitelist of comma separated IP addresses or regex to never ban
- Blacklist of comma separated IP addresses or regex to always ban
- Custom prefix to windows firewall rules
- Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
- Refreshes config so no need to restart the service when you change something
- Highly configurable, ban anything that comes through Windows Event Viewer
- A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
- Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
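The decision loop those features describe (parse a Security event, keep only Audit Failure events that carry a source address, apply the whitelist/blacklist, count failures per IP, ban after the threshold, unban once the ban time has elapsed, and push the banned set into one Windows Firewall rule), as an added Python model written for this page rather than IPBan's own C# code. The sample events, the clock, and the firewall rule name `IPBan_BlockIPAddresses` are constructed assumptions; the `Keywords` values for Audit Failure and Audit Success are the real ones Windows logs.

```python
# Added model of the IPBan decision loop (not the project's own code).
import re
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x8010000000000000  # <Keywords> of a failed logon (event 4625)
AUDIT_SUCCESS = 0x8020000000000000  # shares the top bit with AUDIT_FAILURE, so a bitwise
                                    # AND would match both; compare for equality instead

def normalize_ip(text):
    """Fold IPv4-mapped IPv6 (::ffff:192.168.1.45) to IPv4 so one whitelist entry covers both."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)

def failed_logon_ip(event_xml):
    """Return the normalized source IP of an Audit Failure event, or None for any other event."""
    root = ET.fromstring(event_xml)
    keywords = int(root.find("e:System/e:Keywords", NS).text, 16)
    if keywords != AUDIT_FAILURE:
        return None
    ip = root.find("e:EventData/e:Data[@Name='IpAddress']", NS)
    if ip is None or not ip.text or ip.text.strip() == "-":
        return None  # local/service logons log "-" for the address; nothing to ban
    return normalize_ip(ip.text.strip())

class Banner:
    """Per-IP failure counter with timed bans, mirroring IPBan's main settings."""

    def __init__(self, attempts_before_ban=5, ban_time=timedelta(days=1),
                 whitelist_regex=None, blacklist_regex=None):
        self.attempts_before_ban = attempts_before_ban
        self.ban_time = ban_time
        self.whitelist = re.compile(whitelist_regex) if whitelist_regex else None
        self.blacklist = re.compile(blacklist_regex) if blacklist_regex else None
        self.failures = {}  # ip -> failed attempts since last ban
        self.banned = {}    # ip -> datetime at which the ban expires

    def process_event(self, event_xml, now):
        """Feed one event; return 'ignored', 'whitelisted', 'counted' or 'banned'."""
        ip = failed_logon_ip(event_xml)
        if ip is None:
            return "ignored"
        if self.whitelist and self.whitelist.fullmatch(ip):
            return "whitelisted"
        if self.blacklist and self.blacklist.fullmatch(ip):
            self._ban(ip, now)
            return "banned"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.attempts_before_ban:
            self._ban(ip, now)
            return "banned"
        return "counted"

    def _ban(self, ip, now):
        self.banned[ip] = now + self.ban_time
        self.failures.pop(ip, None)

    def expire(self, now):
        """Lift bans whose ban time has elapsed; return the IPs that were unbanned."""
        lifted = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in lifted:
            del self.banned[ip]
        return lifted

    def firewall_command(self, rule_name="IPBan_BlockIPAddresses"):
        """One inbound block rule holding every banned IP (rule name is an assumed placeholder)."""
        return (f'netsh advfirewall firewall add rule name="{rule_name}" '
                f'dir=in action=block remoteip={",".join(sorted(self.banned))}')

def make_event(event_id, keywords, ip):
    """Constructed sample event in the schema the Security log emits (not a captured log line)."""
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
            f"<EventID>{event_id}</EventID><Keywords>0x{keywords:016x}</Keywords>"
            "<Channel>Security</Channel></System><EventData>"
            "<Data Name='TargetUserName'>administrator</Data><Data Name='LogonType'>10</Data>"
            f"<Data Name='IpAddress'>{ip}</Data><Data Name='IpPort'>49152</Data>"
            "</EventData></Event>")

def demo():
    """Constructed scenario: three RDP failures, a 4624 success, a whitelisted client, then expiry."""
    banner = Banner(attempts_before_ban=3, ban_time=timedelta(hours=1),
                    whitelist_regex=r"192\.168\.1\.\d+")
    t0 = datetime(2013, 2, 18, 22, 8, tzinfo=timezone.utc)  # constructed clock
    events = [
        (make_event(4625, AUDIT_FAILURE, "203.0.113.7"), t0),
        (make_event(4624, AUDIT_SUCCESS, "::1"), t0),                  # success: never counted
        (make_event(4625, AUDIT_FAILURE, "::ffff:192.168.1.45"), t0),  # IPv4-mapped, whitelisted
        (make_event(4625, AUDIT_FAILURE, "-"), t0),                    # no source address
        (make_event(4625, AUDIT_FAILURE, "203.0.113.7"), t0 + timedelta(seconds=1)),
        (make_event(4625, AUDIT_FAILURE, "203.0.113.7"), t0 + timedelta(seconds=2)),
    ]
    outcomes = [banner.process_event(xml, when) for xml, when in events]
    rule = banner.firewall_command()
    lifted_early = banner.expire(t0 + timedelta(minutes=59))    # still inside the ban time
    lifted = banner.expire(t0 + timedelta(hours=1, seconds=2))  # ban time elapsed
    return outcomes, rule, lifted_early, lifted
```

Running `demo()` bans 203.0.113.7 on its third failure, leaves the success event and the whitelisted client alone, and lifts the ban only after the full hour.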

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.

*INSTRUCTIONS*: https://github.com/jjxtra/Windows-IP-Ban-Service




Testimonials:

A few days ago I was checking the event logs for my server that hosts an MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily set up a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

- Jim

Bravo! This is a masterpiece!

- Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

- Matt C




Visit this Project on GitHub



218 Thoughts on “Securing your Windows Dedicated Server”

    • I’m not sure what’s going on there, I would need to see the XML version of this to help you. Can you see the XML version in the Windows Event Viewer at all?

  1. Hello Jeff,

    I want to test your great software on a Server 2008 R2 but I get an error in the logfile when I start the service, maybe caused by the server’s language, which is French.

    I paste the logfile, can you help tell me what the problem is please?

    [logfile]

    2014-04-17 16:37:33.2560|INFO|FileLogger|Started IPBan service
    2014-04-17 16:37:33.3184|ERROR|FileLogger|System.OverflowException: Impossible d’analyser TimeSpan, car au moins l’un des composants numériques se situe en dehors de la plage ou contient trop de chiffres.
    à System.Globalization.TimeSpanParse.TimeSpanResult.SetFailure(ParseFailureKind failure, String failureMessageID, Object failureMessageFormatArgument, String failureArgumentName)
    à System.Globalization.TimeSpanParse.ProcessTerminal_HMS_F_D(TimeSpanRawInfo& raw, TimeSpanStandardStyles style, TimeSpanResult& result)
    à System.Globalization.TimeSpanParse.ProcessTerminalState(TimeSpanRawInfo& raw, TimeSpanStandardStyles style, TimeSpanResult& result)
    à System.Globalization.TimeSpanParse.TryParseTimeSpan(String input, TimeSpanStandardStyles style, IFormatProvider formatProvider, TimeSpanResult& result)
    à System.Globalization.TimeSpanParse.Parse(String input, IFormatProvider formatProvider)
    à IPBan.IPBanConfig..ctor() dans c:\Users\jejohnson\Desktop\Personal\STUFF\trunk\Utilities\IPBan\IPBanConfig.cs:ligne 118
    à IPBan.IPBanService.ReadAppSettings() dans c:\Users\jejohnson\Desktop\Personal\STUFF\trunk\Utilities\IPBan\IPBanService.cs:ligne 77

    [Logfile]

     

    Best regards

    Greg

    • Looks like we are using the current culture to parse time span, this is probably bad, we should change it to invariant culture or you can set the language of your server to English-US…

  2. I completely forgot about that option. I’m pretty sure that should take care of it.

    Thanks!

  3. I had to modify the rules I had in place after a mixup with an IP address being blocked. When I tried to start everything back up I found that the firewall rule wasn’t there anymore.

    I actually have it running on two servers with identical configs and one of them is doing just fine.

    It’s been about 9 months since I’ve had to make any changes to the setup, am I forgetting one of the steps here or overlooking something obvious?

    Thanks!

    • Do you have the option turned on that resets the rule when the service starts? Specifically the BanFileClearOnRestart property should be false if you want to keep the firewall rules between restarts of the service.

  4. Does it block brute force to IIS FTP?

    • Yes. Failed IIS FTP events are logged in the event viewer with the IP address and IPBan can block them. You will need to edit the config file to look for these entries.

  5. Sam Filler on March 10, 2014 at 4:05 pm said:

    Jeff,

    This looks great, I want to use it for failed IIS logins and 404 file not found errors.

    Any direction you can give me?

    I am using 2008 with IIS8

  6. Ziginox on February 16, 2014 at 2:12 pm said:

    I made a class for UltraVNC http://pastebin.com/y8sW9b97

  7. Hi JJxtra,
    Thanks a lot for your previous answers.

    In my local test server, and in IPBan.exe.config,

    I want to ALLOW IPs from 192.168.0.[3-4] and also all IPs starting with 192.168.1.*
    <add key="WhitelistRegex" value="192\.168\.1\.*|192\.168\.0\.3-4" />

    But I want to BLOCK all others
    <add key="BlacklistRegex" value="*.*.*.*" />

    Unfortunately, I can access by Remote Desktop with IP 192.168.0.2

    Did I make a mistake somewhere?

    Zoe

  8. Hi JJxtra,

    In IPBan.exe.config,

    Let’s assume I want the following 3 RANGES of IPs to be Allowed
    <add key="WhitelistRegex" value="62.235.*.*|80.236.*.*|81.11.*.*" />

    and All Others to be Blocked
    <add key="BlacklistRegex" value="*.*.*.*" />

    Are both syntaxes correct?

    Kind Regards, Zoe

     

  9. Hi,

    My dedicated server is located in the United States, but I want to access it from Europe also by REMOTE ACCESS.

    Does your software block that possibility?

    Kind Regards,

    Zoe

  10. Michael on December 12, 2013 at 1:06 pm said:

    Thank you for this great software. I use Windows 2008 R2. I want to change to Windows Server 2012 R2 Datacenter Edition (64 bit). Does support for 2008+ also mean Windows Server 2012?

     

  11. Does it help stop Event 4625, Logon type 10 attacks? The IP is in the event notice.

  12. RobertW on November 28, 2013 at 8:55 am said:

    Sorry this seems to have gone, what i wanted to say is how does the BanTime affect the Blacklist?
    "BanTime" value="01:00:00:00"

  13. RobertW on November 28, 2013 at 8:54 am said:

    We were under the impression that it will be gone after this time is reached.

  14. RobertW on November 28, 2013 at 8:39 am said:

    Hallo,

    We are trying to test this however it never removes the IP address from the Blacklist, could you assist us and let us know under what conditions it will be removed?

  15. Excuse my ignorance…wondering if it is possible for this service to also block unsuccessful FTP attempts on an IIS FTP server?

     

     

    • Yes you should be able to block this, assuming that these failed FTP attempts are logged in the event viewer. If they are and you want help setting up a rule, email me jeff AT digitalruby DOT com.

  16. Nicolas KAROLAK on November 5, 2013 at 1:02 am said:

    Hi, just a little question, does it also work on Windows 7 ?

    Thanks for this great application :-)

  17. Since we have made the necessary changes to the GPO to get this service working ( NTLM etc.) we now show a list of all user accounts to anyone who tries to RDP – before any credentials are sent. Is there a trick to removing/limiting the accounts that are shown here?

    Thanks

  18. I totally missed that you fixed this so quickly.

    Initially it seems you have corrected the problem. Thanks!

  19. I’m not sure if this falls into the same area as the last post.  I have noticed that ip addresses that are not in the whitelist seem to trigger the failed login attempt tally even upon successful login.

    I would add these computers to the whitelist but unfortunately they are not static ip’s.   Is there something that my config is missing to only increment failed logins or is this the intended behaviour?

    Thanks again btw…really appreciate you sharing this tool

  20. Thanks for the reply (the reply button doesn’t work in IE too). I tried to add my username in the AllowedUserNames section of the configuration but it didn’t work, the IP6 still gets banned. If I’m not wrong, you check the allowed user names in the ShouldBanUserNameAfterFailedLoginAttempt method, which is used in the IsBlackListed method, which is used in the ProcessIPAddress method. Although IsBlackListed returns false, the ipBlockCount has already been incremented by one and with a FailedLoginAttemptsBeforeBan equal to one the IP gets banned in any case.

  21. Hello

    What is the logic behind the bitwise and operator in this line:

    foreach (ExpressionsToBlockGroup group in config.Expressions.Groups.Where(g => (g.KeywordsULONG & keywordsULONG) != 0))

    because the bitwise and of 0x8010000000000000 and 0x8020000000000000 isn’t zero and a successful login is banned.

    • It matches the event query from this method:

    • I changed it back to do an equality compare, you can re-download and try again.

  22. Thanks for the reply, sorry the reply function doesn’t work in FF.

    Moreover I was checking the log file and I saw that my IP6 was banned after a success login, at least in the event viewer is marked as “Audit success”. Here the xml of the event:

  23. I’m not quite sure about the whitelist regex, for a local network, which regex is 192\.168\.\d+\.\d+ can I use 192\.168\.*\.*? Or should I use only one wildcard char? 192\.168\.*?

  24. Nick Z. on August 20, 2013 at 1:05 pm said:

    A question, can I put in the “whitelist” some wildcard IP’s using the “*”, such as:

    <add key="Whitelist" value="127.0.0.1,::1,0.0.0.0,193.85.*.*,180.179.159.29-" />

    Thank You

  25. Nick Z. on August 20, 2013 at 12:53 pm said:

    Thank You so much for this useful little prog.

    I was getting hundreds of login attempts on my 2008 server by hackers from all over the world. I got here to this site out of desperation and decided to try IPban.

    What I can say is that maybe this is the most useful program that I have ever downloaded in my entire life !

    The creator of IPban did the world a big favor. Thank You !

    • I’m glad you are finding the software useful. I created it for that very reason, my own server had crazy amounts of RDP attempts and CPU usage was bad.

  26. [email protected] on August 8, 2013 at 2:21 pm said:

    ok, it’s done I have read readme

    • Are you on Server 2003?

      • [email protected] on August 9, 2013 at 4:21 am said:

        Hi, I installed it on one of our Windows Server 2008 machines.
        I now have a:

        Got event with ip address 37.255.208.65, count 21, ip should already banned

        After reading your code, I realized this scriptFileName file was missing:
        string scriptFileName = "banscript.txt";

        Do I have to create the script?
        If not, can you send me the file?

        Regards, Nicolas

      • [email protected] on August 9, 2013 at 4:27 am said:

        Ok read too fast. No problem.

        • The banscript.txt just contains the last ban command that was run, it is not needed for the program to function. You may occasionally get “should already be banned” messages if someone is attacking your server fast and they go over your limit while you are performing a ban.

  27. [email protected] on August 8, 2013 at 2:14 pm said:

    Hi, I have installed the service but can’t see it in the services (and can’t start it so), here is the install log

    Installing assembly ‘C:\Users\nl20121974\Desktop\IPBan\IPBan.exe’.
    Affected parameters are:
       logtoconsole =
       logfile = C:\Users\nl20121974\Desktop\IPBan\IPBan.InstallLog
       assemblypath = C:\Users\nl20121974\Desktop\IPBan\IPBan.exe
    No public installers with the RunInstallerAttribute.Yes attribute could be found in the C:\Users\nl20121974\Desktop\IPBan\IPBan.exe assembly.
    Committing assembly ‘C:\Users\nl20121974\Desktop\IPBan\IPBan.exe’.
    Affected parameters are:
       logtoconsole =
       logfile = C:\Users\nl20121974\Desktop\IPBan\IPBan.InstallLog
       assemblypath = C:\Users\nl20121974\Desktop\IPBan\IPBan.exe
    No public installers with the RunInstallerAttribute.Yes attribute could be found in the C:\Users\nl20121974\Desktop\IPBan\IPBan.exe assembly.
    Remove InstallState file because there are no installers.

     

    Regards, Nicolas

  28. Hi Jeff,

    I sent you a mail, but maybe you can help, we are running MySQL, so I added a group to deal with failed logins, the xml data is

    <Data>Access denied for user 'root'@'41.132.172.189' (using password: YES)</Data>

    but the MSSQL regex is not working on this, so I assume the regex match is the issue, can you help me here as to what I need to get the IP from this data

     

    • Hi Keith,

      I responded and once we get this figured out I’ll put the change in the github project so that everyone gets MySQL blocking for free :)

  29. or rather, the event viewer continues to show new attempts. from the same ip….

  30. Hrm. running this as a service on my 2k8r2 server, and the log is still filling up with attempts…

  31. Paul T on April 30, 2013 at 4:03 am said:

    I see you say the tool is incompatible with Windows Server 2003. Have you any alternative suggestions? Our server has to cope with over 10000 failed remote logins daily. These started just over a year ago, but the average then was less than 5000 per day. One day last month, the number exceeded 45000. That can’t be good.

    • We have done some preliminary work trying to make it work on XP / 2003 but it’s been slow going as it has not given us everything we want in the event log.

  32. Nick Zouein on March 29, 2013 at 5:02 am said:

    Just saying a BIG Thank You!!

    Followed the “How to” and it already started adding IP’s to the firewall.

    Great tool.

    Thank You so much.

  33. Arijit Upadhyay on March 7, 2013 at 11:31 pm said:

    Thank you for this great free tool. I just installed it and am busy configuring.

    A question, how to add monitoring of FTP service with IPBan?

    Regards

    Arijit

    • Any entry written to the event viewer can be filtered on. Does your FTP program write failed login attempts to the event viewer?

      • Arijit Upadhyay on March 8, 2013 at 1:12 am said:

        Sorry the reply got posted as a separate comment, please delete that.

        I was using Win2003 till last week and there the default MS FTP program used to write. Now I just migrated to windows 2008 R2 and it seems MS FTP still logs errors. So will IPBAN work for MS FTP?
        ==========
        Log Name: Security
        Source: Microsoft-Windows-Security-Auditing
        Date: 3/7/2013 10:07:42 PM
        Event ID: 4625
        Task Category: Logon
        Level: Information
        Keywords: Audit Failure
        User: N/A
        Computer: xxxcomputer.domainnamexxx
        Description:
        An account failed to log on.

        Subject:
        Security ID: SYSTEM
        Account Name: WIN-KUL06F5MC3B$
        Account Domain: WORKGROUP
        Logon ID: 0x3e7

        Logon Type: 8

        Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: arc
        Account Domain:

        Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc000006a

        Process Information:
        Caller Process ID: 0x444
        Caller Process Name: C:\Windows\System32\svchost.exe

        Network Information:
        Workstation Name: WIN-KUL06F5MC3B
        Source Network Address: -
        Source Port: -

        Detailed Authentication Information:
        Logon Process: Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0

        This event is generated when a logon request fails. It is generated on the computer where access was attempted.

        The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

        The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

        The Process Information fields indicate which account and process on the system requested the logon.

        The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

        The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
        Event Xml:

        4625
        0
        0
        12544
        0
        0x8010000000000000

        205050

        Security
        xxxcomputer.domainnamexxx

        S-1-5-18
        WIN-KUL06F5MC3B$
        WORKGROUP
        0x3e7
        S-1-0-0
        arc

        0xc000006d
        %%2313
        0xc000006a
        8
        Advapi
        MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        WIN-KUL06F5MC3B
        -
        -
        0
        0x444
        C:\Windows\System32\svchost.exe
        -
        -

        • It should as long as you can figure out why the ip address is a hyphen in that log. There are probably some configurations that are necessary in order to fix that.

  34. slamjam on February 20, 2013 at 9:47 am said:

    Yes, its the same as the example below but with some text taken out for security.

  35. Slamjam on February 19, 2013 at 2:57 am said:

    OK Great.

    What about these being logged:

    We seem to have lots of the below logged filling up the logs. Anyway to stop them?

    Processing xml: 4624001254400x80200000000000003799622Securitymachinename.domainname.localS-1-0-0--0x0S-1-5-18machinenameDomain Name0xbccf3f273KerberosKerberos{3EA8282A-70D7-6E3B-409F-1E4BCFFCB82F}--00x0-::163717

  36. Slamjam on February 18, 2013 at 5:11 pm said:

    Hi there

     

    Does IPBan block IPv6 addresses or just IPv4?

     

    We seem to have lots of the below logged filling up the logs. Anyway to stop them?

    Processing xml: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2013-02-18T22:08:11.121854600Z'/><EventRecordID>3799622</EventRecordID><Correlation/><Execution ProcessID='624' ThreadID='6180'/><Channel>Security</Channel><Computer>machinename.domainname.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>machinename</Data><Data Name='TargetDomainName'>Domain Name</Data><Data Name='TargetLogonId'>0xbccf3f27</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{3EA8282A-70D7-6E3B-409F-1E4BCFFCB82F}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>63717</Data></EventData></Event>

     

  37. Brian Stilts on February 13, 2013 at 3:33 pm said:

    I tried to setup IPBan for a customer last night that was experiencing a brute force attack against his Windows 2003 SBS server. The software seemed to download and unzip fine, but when I would try to start the service it would immediately fail with an unhandled exception error. I saw another post that reference a possible issue with using the Microsoft built in unzip software, so I tried 7Zip as well but got the same result. When I unzipped the program I copied all the files into the System32 folder for easy access. Until I can get your software working I had to use the 30 day trial of Syspeace so I can keep the attackers at bay. Any help would be greatly appreciated. – Thanks

    • I suggest not putting it in system32, but rather put it in a non O.S. folder. Also, once you have extracted all the files, you need to right click on each, select properties and make sure to unblock.
      For more troubleshooting, open a command prompt and run the .exe manually with a debug parameter, i.e. “IPBAN.EXE DEBUG”

      Let me know how it goes…

    • Ack, just re-read your comment and see you are using Windows Server 2003. Unfortunately that is not supported, only Windows Server 2008+ is supported right now…

  38. Steven R. on February 2, 2013 at 4:43 pm said:

    Greetings,

    I am trying to get a Regex to match a keyword thru Regex, and I looked at the website and regex buddy, where I do get a match in files, but I do keep getting “No regex, so counting as a match” instead, from the line I’m trying to match :/ I do not see where the expression is wrong… :/ Does the Expression whitelist on allowed IP addresses?

    My Target is the Keyword “tware” in this line – “Date”|INFO|FileLogger|Processing xml: 18456040x9000000000000036531434ApplicationCT55785tware Reason: Password did not match that for the login provided. [CLIENT: XXX]184800000E0000001300000043005400350035003700380035005C00530051004C0045005800500052004500530053000000070000006D00610073007400650072000000

    I have used following expressions:
    1.
    2.
    3.

    But none of them seems to work :/

    Kind regards,

    Steven

    • Looks like your message got kind of garbled by wordpress. I would suggest emailing me your configuration file with a description of your problem and I’ll try and troubleshoot with you that way. J J X t r a AT g m a i l . c o m

      • Steven R on February 2, 2013 at 5:45 pm said:

        I replied thru email and sent my original post + running IPBAN config :) Thanks for looking at it…. I’m sure I am doing something wrong :)

        - Steven R

  39. Ganesh on January 15, 2013 at 2:18 am said:

    Hi there,
    Your service rocks! But it’s creating huge log files (log0.txt etc)! Is there a way to stop it? I referred to the NLog API and found that by setting the internalLogLevel = “Fatal”, the size of logs could be reduced. Is this fine?
    And to disable logging entirely, I’d disabled the entire line below:

    Is this the right way?

  40. Hello!

    How can I download latest binaries? From GITHUB I can get only source files.

    Thank you!

  41. Michael on January 3, 2013 at 9:34 am said:

    Can IPBan parse regular log files or just windows events? If so do you have an example of the config file and how it is configured to do that?

    –Mike

    • Unfortunately it is hard coded against the Windows event viewer and only against live events as they come through, using event notifications.

      There is currently no way to parse existing log files or events.

  42. Greetings, Jeffrey!

    You’ve created exactly what I was trying to do! Many, many thanks to you!
    I got stuck on PowerShelling a similar algorithm. Not enough knowledge in scripting…
    Another difference is that I wanted to use IPSEC instead of Windows Firewall. It looks more reliable to me, what do you think?

    But anyway your program is just great! Thanks again!

  43. Montia on December 6, 2012 at 5:33 pm said:

    Hi,

    I was wondering what you meant in the following line:
    “I decided I would enable the terminal services auto-ban, so after 5 login attempts the ip address would get banned for 24 hours.”

    Are you talking about configuring the account lockout policy in the security options on the server or is there an auto-ban setting in the Remote Desktop Configuration?

    Thank you.

  44. Hi,
    great job you did with this tool, many thanks.
    I have a question about the possibility to block FTP attacks as well?

    Many thanks
    Mike from Germany

  45. slamjam on November 16, 2012 at 9:42 am said:

    Is it possible to get IPBan logging into a database rather than a text file?

  46. nicholas on November 15, 2012 at 11:26 pm said:

    How would I go about allowing ipv6 addresses? For example, I have 192.168.1.* white listed but I have an ip ::ffff:192.168.1.45 that keeps ending up on the banned list.

    • Does whitelisting ::ffff:192.168.1.* work?

      • nicholas on November 16, 2012 at 1:17 am said:

        I thought I had tried that but doesn’t the range need to be under the regular expressions portion or can it be under the normal white list IP’s with a wild card option.

        • There was a bug, update to the latest version. The non regex setting is exact match only.

          • nicholas on November 19, 2012 at 1:14 am said:

            The new precompiled version for both x86 and any CPU both crash on startup

            Problem signature:
            Problem Event Name: CLR20r3
            Problem Signature 01: ipban.exe
            Problem Signature 02: 1.0.4703.15667
            Problem Signature 03: 50a65ed7
            Problem Signature 04: mscorlib
            Problem Signature 05: 4.0.0.0
            Problem Signature 06: 50483a22
            Problem Signature 07: 475f
            Problem Signature 08: 9d
            Problem Signature 09: System.Security.Security
            OS Version: 6.1.7601.2.1.0.305.9
            Locale ID: 1033
            Additional Information 1: decf
            Additional Information 2: decf9afcdb05a7d51839a3d9359dd1d0
            Additional Information 3: a28b
            Additional Information 4: a28b88f66428041dc413a64cbe933541

            • nicholas on November 19, 2012 at 1:16 am said:

              D:\>cd system\IPBan

              D:\system\IPBan>ipban debug

              Unhandled Exception: System.TypeInitializationException: The type initializer for 'IPBan.Log' threw an exception. ---> System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for nlog: Request failed. (D:\system\IPBan\IPBan.exe.Config line 5) ---> System.Security.SecurityException: Request failed.
              at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
              at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
              at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
              at System.Activator.CreateInstance(Type type, Boolean nonPublic)
              at System.Configuration.TypeUtil.CreateInstanceWithReflectionPermission(Type type)
              at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.Init(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord)
              at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.InitWithRestrictedPermissions(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord)
              at System.Configuration.RuntimeConfigurationRecord.CreateSectionFactory(FactoryRecord factoryRecord)
              at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(String configKey, Boolean& isRootDeclaredHere)
              --- End of inner exception stack trace ---
              at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(String configKey, Boolean& isRootDeclaredHere)
              at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
              at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
              at System.Configuration.ConfigurationManager.GetSection(String sectionName)
              at NLog.LogFactory.get_Configuration()
              at NLog.LogFactory.GetLogger(LoggerCacheKey cacheKey)
              at IPBan.Log..cctor() in c:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\Logger.cs:line 22
              --- End of inner exception stack trace ---
              at IPBan.IPBanService.OnStart(String[] args) in c:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 491
              at IPBan.IPBanService.RunConsole(String[] args) in c:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 529
              at IPBan.IPBanService.Main(String[] args) in c:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 548

              D:\system\IPBan>

      • nicholas on November 16, 2012 at 1:26 am said:

        Here is what I have so far, whitelisting the single ip ::ffff:192.168.1.45 works fine but not for the wildcard.

  47. slamjam on November 15, 2012 at 9:59 am said:

    Hi Jeff

    Thank you for creating a great and truly worthwhile and useful application.

    Would you be able to look at the few points I have raised below and consider including them within your application:

    1. When IPBan creates a rule in the Windows Firewall it would be useful if it:
    A) Appended to the end of the firewall rule name (BlockIPAddress) the IP address being blocked (i.e. BlockIPAddress-123.123.123.123).

    B) Added a description to the created firewall rule to include the details (i.e. the description would read: Auto created block rule created for IP: 123.123.123.123, added at: 12:12 14/11/2012, unblocking at: 12:30 14/11/2012).

    C) Set the group name for the created firewall rules to BlockIPAddress (makes it easier to filter based on the same group name when lots of IPs have been blocked).

    Many thanks
    Adam

    • Adam,

      Thanks for posting. Right now all the ip addresses blocked are stuffed under one rule. I had previously created a separate rule as you suggest with the ip as a suffix but I had a lot of people ask me to switch it to a single rule. If there’s enough demand for a separate-rule-per-ip feature, we could make it configurable in the app settings.

      Adding a group is easy enough to do.

      As far as seeing banning and unbanning info and dates and times, there is a log file that gets created which should give you all of that information.

      Let me know if you have more questions and have a great day!

  48. Jeff, this is a fantastic tool. Thanks for throwing this together. I don’t have much experience with XML or Regex but I was able to do some basic configs to help with a security issue we were running into here at my location.

    I was looking over the Regex site and trying to dig down to it but I’ve been swamped at work and haven’t had a chance to review it all.

    Hopefully you can provide me with an answer…

    But basically, I’d like to set up an array of user names to automatically block if someone attempts to use them.

    It’s really the format I’m not sure about. If you could show an example of the formatting, I would greatly appreciate it.

    Thanks again for a great tool!

    • I think adding a group with the following *MIGHT* work. Just fill in the Regex with your pipe-separated user names :)

      <Group>
        <Keywords>0x8010000000000000</Keywords>
        <Path>Security</Path>
        <Expressions>
          <Expression>
            <XPath>//Data[@Name='TargetUserName']</XPath>
            <!-- keep the alternation in a group so ^ and $ apply to every name, not just the first and last -->
            <Regex><![CDATA[^(username1|username2|username3)$]]></Regex>
          </Expression>
        </Expressions>
      </Group>

      • Thanks for the quick reply.

        I just tried it and ran a couple of tests but couldn’t get it to catch any of the names I designated. And it looks like it disabled the ban after x number of attempts that I had in place as well.

        I’d love to have it set up to catch off of the user names I’m seeing them attempt with, in addition to the ban after x attempts.

        Is there something else I could try?

        • So basically you want a black list of user names?

          • That’s correct. We’ve had attempts on our server and they’re using basic user names that we have never used. So I’d like to blacklist a set of common names that they’ve tried as an extra precaution. Nobody in our office uses them, so if I see attempts with anything from that basic list, it’s a red flag to bring down the ban hammer.
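
An added example (not from the original thread and not IPBan’s own code) that works through the user-name blacklist group discussed above in Python: it applies the XPath `//Data[@Name='TargetUserName']` to a constructed Security log 4625 event and shows why `^username1|username2|username3$` does not behave like a list of exact names, while the grouped form `^(username1|username2|username3)$` does. The event XML, user names and addresses are made up for the example, and the event namespace is omitted so the page’s XPath applies as written.

```python
import re
import xml.etree.ElementTree as ET


# Constructed sample: the parts of a Security log 4625 (logon failure) event
# that the group above relies on. Namespace omitted; values are made up.
def sample_event(user: str, ip: str) -> str:
    return (
        "<Event>"
        "<System><EventID>4625</EventID>"
        "<Keywords>0x8010000000000000</Keywords></System>"
        "<EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )


# The regex as first suggested, and the anchored form. In the first one the
# anchors bind only to the outer alternatives, so it reads as
# "^username1" OR "username2" OR "username3$": the middle name matches anywhere.
BROKEN_BLACKLIST = r"^username1|username2|username3$"
FIXED_BLACKLIST = r"^(username1|username2|username3)$"


def field_values(event_xml: str, xpath: str) -> list[str]:
    """Apply an IPBan-style XPath such as //Data[@Name='TargetUserName'] to one event.
    ElementTree spells a descendant search './/' rather than '//', so that one
    leading form is translated here; other XPath features are not emulated."""
    root = ET.fromstring(event_xml)
    if xpath.startswith("//"):
        xpath = "." + xpath
    return [(el.text or "") for el in root.findall(xpath)]


def is_blacklisted(event_xml: str, pattern: str) -> bool:
    """True when the event's TargetUserName matches the blacklist regex.
    Search semantics (a match anywhere in the value) mirror .NET Regex.IsMatch;
    IGNORECASE because Windows user names are not case sensitive."""
    rx = re.compile(pattern, re.IGNORECASE)
    values = field_values(event_xml, "//Data[@Name='TargetUserName']")
    return any(rx.search(v) for v in values)


def compare(user: str) -> tuple[bool, bool]:
    """(broken_regex_matches, fixed_regex_matches) for one attempted user name."""
    event = sample_event(user, "203.0.113.7")
    return is_blacklisted(event, BROKEN_BLACKLIST), is_blacklisted(event, FIXED_BLACKLIST)


def ips_to_ban(events: list[str], pattern: str = FIXED_BLACKLIST) -> list[str]:
    """Source addresses of events whose attempted user name is blacklisted."""
    return [
        field_values(e, "//Data[@Name='IpAddress']")[0]
        for e in events
        if is_blacklisted(e, pattern)
    ]


if __name__ == "__main__":
    for name in ("username2", "username2-ops", "notusername3", "jeff"):
        print(name, compare(name))
```

The two false positives (`username2-ops`, `notusername3`) are the reason an unanchored alternation is risky as a ban trigger: a legitimate account whose name merely contains a blacklisted string would get its source address banned.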

  49. Dominic on November 7, 2012 at 6:58 pm said:

    What costs would be involved in making this software work with Server 2003 R2 and possibly XP?

    • I just found the EventLog class which does work on XP and Server 2003, I will try and get it working tonight and will let you know how it goes.

    • So the EventLog class sort of works, it’s a little less performant because I don’t see any easy way to filter out to just parsing audit failures, but maybe that’s OK. How bad do you want this? :)

      • I would also be interested in seeing it work on Win Svr 2003 and XP. Since I would be looking to use this in a commercial environment, what license would you be releasing this under? (I am not looking to resell it, just use it as protection on servers I am paid to manage, but may not own)

        • I would keep it under the same license, it would not convert to a commercial license. I believe it’s the BSD license right now, although I need to add a license source file to the project.

    • This is a lot nastier than I thought, I think it’s still possible but will require quite a bit of work…

    • I’m guessing this will be painful and require a lot of hours of tweaking and testing. Probably sadly something I don’t have time for as most of my time is spent on my iOS app, You Doodle.

  50. eschi1 on November 4, 2012 at 8:47 am said:

    Hi, thanks for the tool, but I got some problems. I can create the service with success but it doesn’t create the files, just nothing happens. Any help?
    br

    • Run it from the command line with debug as the argument.

      • Thanks for your answer, I got the same error as “someguy” one post before me

        Unhandled Exception: System.TypeInitializationException: The type initializer fo
        r ‘IPBan.Log’ threw an exception. —> System.Configuration.ConfigurationErrorsE
        xception: An error occurred creating the configuration section handler for nlog:
        Request failed. (C:\Windows\IPBan\IPBan.exe.Config line 5) —> System.Security
        .SecurityException: Request failed.
        at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOn
        ly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Bo
        olean& bNeedSecurityCheck)
        at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipChec
        kThis, Boolean fillCache)
        at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean s
        kipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
        at System.Activator.CreateInstance(Type type, Boolean nonPublic)
        at System.Configuration.TypeUtil.CreateInstanceWithReflectionPermission(Type
        type)
        at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactor
        y.Init(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord)
        at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactor
        y.InitWithRestrictedPermissions(RuntimeConfigurationRecord configRecord, Factory
        Record factoryRecord)
        at System.Configuration.RuntimeConfigurationRecord.CreateSectionFactory(Facto
        ryRecord factoryRecord)
        at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(St
        ring configKey, Boolean& isRootDeclaredHere)
        — End of inner exception stack trace —
        at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(St
        ring configKey, Boolean& isRootDeclaredHere)
        at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String co
        nfigKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Bool
        ean requestIsHere, Object& result, Object& resultRuntimeObject)
        at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
        at System.Configuration.ClientConfigurationSystem.System.Configuration.Intern
        al.IInternalConfigSystem.GetSection(String sectionName)
        at System.Configuration.ConfigurationManager.GetSection(String sectionName)
        at NLog.Config.XmlLoggingConfiguration.get_AppConfig()
        at NLog.LogFactory.get_Configuration()
        at NLog.LogFactory.GetLogger(LoggerCacheKey cacheKey)
        at NLog.LogFactory.GetLogger(String name)
        at NLog.LogManager.GetLogger(String name)
        at IPBan.Log..cctor() in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\t
        runk\Utilities\IPBan\Logger.cs:line 22
        — End of inner exception stack trace —
        at IPBan.Log.Write(LogLevel level, String text, Object[] args) in C:\Users\Je
        ff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\Logger.cs:line 29
        at IPBan.IPBanService.OnStart(String[] args) in C:\Users\Jeff\Desktop\Persona
        l\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 430
        at IPBan.IPBanService.RunConsole(String[] args) in C:\Users\Jeff\Desktop\Pers
        onal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 457
        at IPBan.IPBanService.Main(String[] args) in C:\Users\Jeff\Desktop\Personal\D
        igitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 477

        :(

  51. richieroo on October 25, 2012 at 10:44 am said:

    Thanks for the tool jjxtra! Works great for blocking all the RDP attacks we were getting.

    By chance can you (or anyone) help with the config for MySql login failures?

    • I would be happy to add that as a default option if you can send me the event xml and the location in the event viewer where MYSQL for Windows logs login failures :)

  52. So.. we have to compile this ourselves? ipban.exe is not in the repo at all… Instructions would be nice.

    Can we have a binary file please? Thanks.

  53. Hi,

    Why is the IP missing in the log?
    ::1
    I use Windows 2008 R2 x64.

    The IP block does not work…

    Best regards
    Martin

    • Martin,

      Have you done the steps in the readme with the local security policy? If you don’t do those, then you get that ip address…

      Excerpt from README:

      Make sure to read this stackoverflow thread about ip addresses not getting logged: http://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve
      In summary, change these local security options:
      - Network security: LAN Manager authentication level — Send NTLMv2 response only. Refuse LM & NTLM
      - Network security: Restrict NTLM: Audit Incoming NTLM Traffic — Enable auditing for all accounts
      - Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts
      - Do not allow for passwords to be saved — Enabled
      - Prompt for credentials on the client computer — Enabled

  54. Great job man!!!

    This is a really nice tool!!!

    Thank you very much

  55. Forgot to mention that we are using it on all 16 dedicated servers that we use for our online games and it works perfectly!

  56. Bravo! This is a master piece!

    I have rebuilt it using VS2010 (anycpu) and it resolves all issues mentioned here.

    Get it from: http://cdn.ffsng.com/ipban_binary_anycpu.zip

    Again, bravo!

  57. Hello, I am getting the following errors when I try and run the IPBan service. Can you please give some direction on what is going wrong.

    Thanks

    Mark

    Faulting module name: KERNELBASE.dll, version: 6.1.7601.17651, time stamp: 0x4e211319
    Exception code: 0xe0434352
    Fault offset: 0x0000b9bc
    Faulting process id: 0x9d8
    Faulting application start time: 0x01cd8fb055233e81
    Faulting application path: E:\Downloads\IPBan\IPBan.exe
    Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
    Report Id: 936a802d-fba3-11e1-a98a-000c29b146f6

    and

    Application: IPBan.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.TypeInitializationException
    Stack:
    at IPBan.Log.Write(IPBan.LogLevel, System.String, System.Object[])
    at IPBan.IPBanService.OnStart(System.String[])
    at IPBan.IPBanService.RunConsole(System.String[])
    at IPBan.IPBanService.Main(System.String[])

  58. Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

  59. Great Job!

    I have a problem with my Windows Server 2008: the service is installed and working for logging the events, and it starts normally but doesn’t create the “banscript” and “banlog”, so it doesn’t block the IPs (blocking doesn’t work). On my workstation (Windows 7) it works really fine, logging and blocking.
    Versions for workstation and servers are 64 bits!

    Any solution?

    Thank you very much!

  60. Someguy on July 27, 2012 at 10:44 am said:

    Just tried to get this running on w2k8 r2 stnd. Looks like it throws an exception trying to initialize the log file:

    —snip—

    C:\Windows\IPBan>ipban debug

    Unhandled Exception: System.TypeInitializationException: The type initializer fo
    r ‘IPBan.Log’ threw an exception. —> System.Configuration.ConfigurationErrorsE
    xception: An error occurred creating the configuration section handler for nlog:
    Request failed. (C:\Windows\IPBan\IPBan.exe.Config line 5) —> System.Security
    .SecurityException: Request failed.
    at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOn
    ly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Bo
    olean& bNeedSecurityCheck)
    at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipChec
    kThis, Boolean fillCache)
    at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean s
    kipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
    at System.Activator.CreateInstance(Type type, Boolean nonPublic)
    at System.Configuration.TypeUtil.CreateInstanceWithReflectionPermission(Type
    type)
    at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactor
    y.Init(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord)
    at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactor
    y.InitWithRestrictedPermissions(RuntimeConfigurationRecord configRecord, Factory
    Record factoryRecord)
    at System.Configuration.RuntimeConfigurationRecord.CreateSectionFactory(Facto
    ryRecord factoryRecord)
    at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(St
    ring configKey, Boolean& isRootDeclaredHere)
    — End of inner exception stack trace —
    at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(St
    ring configKey, Boolean& isRootDeclaredHere)
    at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String co
    nfigKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Bool
    ean requestIsHere, Object& result, Object& resultRuntimeObject)
    at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
    at System.Configuration.ClientConfigurationSystem.System.Configuration.Intern
    al.IInternalConfigSystem.GetSection(String sectionName)
    at System.Configuration.ConfigurationManager.GetSection(String sectionName)
    at NLog.Config.XmlLoggingConfiguration.get_AppConfig()
    at NLog.LogFactory.get_Configuration()
    at NLog.LogFactory.GetLogger(LoggerCacheKey cacheKey)
    at NLog.LogFactory.GetLogger(String name)
    at NLog.LogManager.GetLogger(String name)
    at IPBan.Log..cctor() in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\t
    runk\Utilities\IPBan\Logger.cs:line 22
    — End of inner exception stack trace —
    at IPBan.Log.Write(LogLevel level, String text, Object[] args) in C:\Users\Je
    ff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\Logger.cs:line 29
    at IPBan.IPBanService.OnStart(String[] args) in C:\Users\Jeff\Desktop\Persona
    l\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 430
    at IPBan.IPBanService.RunConsole(String[] args) in C:\Users\Jeff\Desktop\Pers
    onal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 457
    at IPBan.IPBanService.Main(String[] args) in C:\Users\Jeff\Desktop\Personal\D
    igitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:line 477

    C:\Windows\IPBan>

    —snip—

    Any ideas? This would be a very helpful util for my Univ.

    - M

  62. Lothar on July 7, 2012 at 2:01 am said:

    A really very good equivalent to fail2ban.
    Maybe you should incorporate a small readme “How do I create a service”

    I think a lot of server owners do not know how.

    The easiest way is:
    sc create NameOfMyService BinPath= "myPath\IPBan.exe" type= own

    Thank you for this excellent tool.
    Lothar

  63. Chintan Karnik on June 19, 2012 at 11:53 am said:

    Thank you for building this excellent tool.

    Is it possible to adapt it to monitor failed SSH logins?

    I’ve tried playing around with XML groups and RegEx expressions in the .config file, but lack of IpAddress group seems to be the stumbling block:

    Here is the info that needs to be extracted from the eventlog
    —-

    sshd: PID 1504: Invalid user admin from 192.168.68.1

    ——

    So far I’ve setup the following two regex entries …but the service is not picking up the IP

    ==

    //Source[@Name='sshd']

    //Data

    ===

    Any suggestions?

    Thanks,
    ck

    • Can you email me your event log XML and your config file? jjxtra AT gmail DOT com

    • Try this in your Regex element:

      <![CDATA[Invalid user admin from (?<ipaddress>.+)]]>

      • Chintan Karnik on June 19, 2012 at 7:41 pm said:

        You are a genius! I spent most of the day trying to hack together a PowerShell solution after posting here …but it required too much overhead and still haven’t nailed it yet.

        Your regex worked. It was the ipaddress part that I was stumbling on.

        Here is my modified (allow for any username) regex:
        <![CDATA[user((\W+\w+){1}?)\W+from (?<ipaddress>.+)]]>

        Thank you so much.
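
An added example, not the project’s code and not from the thread, showing the named-group extraction from the reply above in Python (which spells the group `(?P<ipaddress>...)` where .NET accepts `(?<ipaddress>...)`), generalised to any user name and tightened so the capture cannot swallow trailing text. The sample sshd lines, PIDs, addresses and the whitelist network are constructed for the example.

```python
import ipaddress
import re

# The regex from the reply above, in Python's named-group spelling.
PAGE_REGEX = r"Invalid user admin from (?P<ipaddress>.+)"

# Generalised form: any user name (multi-word ones included), with the capture
# limited to address characters so text after the address cannot leak into it.
ANY_USER_REGEX = r"Invalid user (?P<user>.*?) from (?P<ipaddress>[0-9A-Fa-f.:]+)"

# Constructed sample lines in the shape quoted in the post; PIDs and addresses are made up.
SAMPLE_MESSAGES = [
    "sshd: PID 1504: Invalid user admin from 192.168.68.1",
    "sshd: PID 1520: Invalid user backup operator from 198.51.100.23",
    "sshd: PID 1533: Invalid user root from 2001:db8::5",
    "sshd: PID 1560: Invalid user admin from 203.0.113.9 port 2222",
    "sshd: PID 1571: Accepted publickey for deploy from 192.168.68.9",
]

# Constructed whitelist: the LAN the sample lines come from is never banned.
WHITELIST = [ipaddress.ip_network("192.168.68.0/24")]


def extract_ip(message: str, pattern: str = ANY_USER_REGEX):
    """Return the normalised address captured by the 'ipaddress' group, or None
    when the line does not match or the capture is not a valid IPv4/IPv6 address."""
    m = re.search(pattern, message)
    if m is None:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ipaddress").strip()))
    except ValueError:
        # e.g. '.+' captured "203.0.113.9 port 2222": refuse rather than ban garbage
        return None


def candidate_bans(messages, pattern: str = ANY_USER_REGEX) -> list[str]:
    """Addresses a ban rule would act on: matched, syntactically valid, not whitelisted."""
    result = []
    for msg in messages:
        ip = extract_ip(msg, pattern)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in WHITELIST):
            continue
        result.append(ip)
    return result


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(extract_ip(line, PAGE_REGEX), extract_ip(line), "<-", line)
    print(candidate_bans(SAMPLE_MESSAGES))
```

Validating the capture with the `ipaddress` module before acting on it is the part worth keeping whatever regex you settle on: a firewall rule built from an over-greedy capture is either rejected or blocks the wrong thing.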

  64. AlanO on June 9, 2012 at 2:46 am said:

    IPBan is just what I’ve been looking for, but it doesn’t work for me.

    I have installed on my server as a service using the sc script provided in README, adjusted to my path and using the main “LocalSystem” account (same as most of the other services on my server; SBS2003 R2 does not have an account called “SYSTEM”).

    logfile.txt reports that the IPBAN service starts. The service does indeed initially start but after 3 or 4 seconds it stops with error code 1067 (Unexpected error).

    “ipban.exe debug” reports an error… Unhandled Exception: System.PlatformNotSupportedException: Operation is not supported on this platform.

    I have Windows Small Business Server 2003 Standard R2 with .NET 4.0 installed and functional. Should your service work on this server? Or have I done something wrong?

    Hope you can help, I’m desperately keen to get rid of a persistent Chinese hacker attacking my RDP port!

    Kindest regards and best wishes. Alan.

    • Hey Alan,

      Sorry the program isn’t working for you. My best guess is that we are using some system calls that are not available on small business server. Do you have access to a standard server 2003 install that you could try the service on?

      • AlanO on June 9, 2012 at 1:48 pm said:

        Hi Jeff.

        No, I don’t have a standard server. If I get some energy tomorrow (I’m a cancer sufferer and never know how I’m going to feel the next day) I’ll add some trace code to your source to see if I can find out which system call is causing the problem. I’ll let you know so we can fix this.

        Cheers,
        Alan

        • That’s very nice of you. However, looking at MSDN documentation the calls we are making are only supported on Vista or Server 2008 or newer … I will update the documentation.

          Wishing you the best in your medical battles.

  65. TimOneill on June 6, 2012 at 2:05 pm said:

    I gotta give more props to JJXTRA. With the most recent iterations this software package is set it and forget it. I no longer have to worry about the nasties trying to penetrate my public facing RDP systems. This utility could be called RADs: Remote Access Denial service, or Really Awesome Denial system. Thank you again.

  66. Just a quick question for a poor soul who got stuck with having to manage a mail server running on 2008 R2.

    On the old server 2003 I pretty much had it down to an art for nailing these idiots that ping my SQL interface a thousand times an hour trying to access as “sa”. This is a “mail server”, period, but that doesn’t seem to bother the program they run, as they hit me from various IPs all the time.

    I have it set up to flash a pop-up every time the security log intercepts one and logs it BUT… The new Windows advanced security firewall is WAY over my head. FAR too much trouble when all I want is a simple IP blocker. Something specific to a single IP at a time.

    This is a very small company that hosts their own email and it annoys me no end. I used to get some satisfaction from checking the security logs every day and adding a few more of the #@!75 ‘ s to the list.

    But the “method” offered to do that in 2008 R2…by Microsoft … I got lost after the 4th page. I just want to make a list of IP’s to block, That USED to be simple enough.

    I tried my best to follow along but after the 15th step I was so lost I was afraid I would end up blocking ALL the mail.

    Your “program run as a service” was almost like a gift from God!

    IF>>> I can be SURE I did it right. It is running as a service so I must have done something right. But I don’t yet know how to tell who/what/if it blocks an IP.

    The monitor I use (Event Sentry) usually goes ballistic at about 5 pm every day and then off and on through the night. Then after midnight it goes full throttle till about 7 am. My Windows security logs are a red streak of failures every day, hundreds of “attempts”. Obviously it’s the “other side of the world”, where it is daytime; actually I even tracked a few IPs all the way down to a Google sky-photo of the building they are in… in China.

    Anyway, please tell me how to tell for sure it is working and make sure I am not blocking real people. What does it use for “guidance” and how to control it.

    NOTE! I am NOT a programmer and even your readme was close to being outside my faculties :)

    Thanks

    PS: If it works, what kind (how much) donation do you want? I don’t mind paying for results. That is how we all survive.

    Mike

    • Mike,

      The service should spit out a banlog.txt file that contains a list of the currently banned ip addresses. You can also look in your windows firewall rules for a rule called “BlockIPAddresses”. The default settings should work pretty well right out of the box and protect you from remote desktop attacks and SQL server attacks. If you know there are some IP Addresses you never want to ban, you can add them to what’s called a whitelist, which means they are always safe. If you want help doing that, let me know.

      I believe the defaults will ban an ip address for 24 hours if it fails to login 5 times within a 24 hour period.

      Glad you are finding the tool useful, let me know how it goes…

  67. We were nice enough to get a bug fix that actually uses the ban time in the config file instead of hard coding it to 24 hours. Thanks to https://github.com/primaryobjects for the fix!

  68. For anyone who has downloaded, please go download the latest from github. I fixed a bug where in the rare chance that it unbans the last ip address, it creates a rule with no ip addresses, effectively firewalling off the entire server.

    Thanks Matt for finding that, I apologize for any problems this causes anyone.

  69. A great alternative to Linux’s BFD for Windows. Works like a charm, thanks very much.

    • Glad it’s working out for you.

      • Just had a problem. I tried connecting this morning and my server was inaccessible. Connected via other means and figured out it was empty rule that IPBan had set up that was blocking all traffic. Any ideas? Should IPBan delete the rule each day rather than clearing IPs? Have I set something up wrong?

        • Matt,

          I am so sorry that happened to you. Guess that’s a rare bug you ran into. I have fixed it in the latest code, so if you get the latest from github, you should not have the problem anymore. If it unbans the last ip address and there are no more banned ip addresses, it simply deletes the firewall rule, and will recreate it the next time an ip address gets banned.

          Again, I apologize for the bug.

          Thanks for trying it out!
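
An added example, not IPBan’s code and not from the thread, of the edge case described above: the rule-update step that turns the current ban set into Windows Firewall commands, in the “always rewrite the rule” form the comment describes beside the corrected “delete the rule when the set is empty” form. The `netsh advfirewall firewall add/set/delete rule` command shapes are the standard ones; the rule name is the one the thread names, and the addresses are constructed. The commands are only generated here, not executed.

```python
import ipaddress

RULE_NAME = "BlockIPAddresses"  # the rule name the thread says IPBan creates


def _validated(banned) -> list[str]:
    """Normalise and sort the ban set; reject anything that is not an IP address
    so a bad value can never end up inside a netsh command line."""
    addrs = [ipaddress.ip_address(ip) for ip in banned]
    addrs.sort(key=lambda a: (a.version, int(a)))
    return [str(a) for a in addrs]


def buggy_plan(banned, rule_exists: bool) -> list[str]:
    """The behaviour the comment describes: always rewrite the rule, even when the
    last address was just unbanned and the remoteip list is empty."""
    joined = ",".join(_validated(banned))
    if rule_exists:
        return [f'netsh advfirewall firewall set rule name="{RULE_NAME}" new remoteip={joined}']
    return [f'netsh advfirewall firewall add rule name="{RULE_NAME}" dir=in action=block remoteip={joined}']


def fixed_plan(banned, rule_exists: bool) -> list[str]:
    """Corrected behaviour: an empty ban set removes the rule instead of rewriting
    it with no addresses; the rule is recreated on the next ban."""
    ips = _validated(banned)
    if not ips:
        if rule_exists:
            return [f'netsh advfirewall firewall delete rule name="{RULE_NAME}"']
        return []
    joined = ",".join(ips)
    if rule_exists:
        return [f'netsh advfirewall firewall set rule name="{RULE_NAME}" new remoteip={joined}']
    return [f'netsh advfirewall firewall add rule name="{RULE_NAME}" dir=in action=block remoteip={joined}']


def unban(banned, ip: str, rule_exists: bool):
    """Remove one address and return (remaining set, commands to apply)."""
    remaining = set(banned) - {ip}
    return remaining, fixed_plan(remaining, rule_exists)


if __name__ == "__main__":
    # Constructed scenario: one banned address expires while the rule exists.
    print("buggy:", buggy_plan(set(), True))
    print("fixed:", fixed_plan(set(), True))
    print("unban:", unban({"203.0.113.5"}, "203.0.113.5", True))
```

The check that matters is the one on the empty set: a rule whose remote-address list is empty is the failure mode that locked the commenter out, so the update path must never emit it.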

  70. Aaron on April 8, 2012 at 11:38 am said:

    How can I unblock an IP address once it has been blocked?

    Also, I don’t have a log file that shows what has been blocked?

    The service is running as system

    • It is reading the ban time correctly from the IPBan.exe.config file. The log files are in the config file as well (one for the ip address list and another for all logging).

      If you want to manually unblock an ip address, go to windows firewall and edit the rule created (it’s called BlockIPAddresses). Alternatively, you can restart the service, but it’s probably easier just to set a short ban time in the config file (something like 30 minutes or something).

      Happy easter!

  71. TimOneill on April 6, 2012 at 7:17 pm said:

    Hi JJXtra,

    I’ll give that new version a go. I had seen it not unban after the set time, and used the above reset task script to do it. Plus I like how a reset flushes all the firewall rules, and brings it all back to zero. White listing wasn’t being cooperative either, and with 300+ users, my potential for grief was high so a 15min flush kept the legit users working while balancing the security aspect. Also incrementing the version numbers in the exe so folks know what ver they’re running would be helpful, it seems they’re all stamped as 1.0.0.
    PS.. Not sure if this is relevant to the newer vers, but what is the time frame for looking at the security log? I noticed today I banned an IP with a single invalid login, I confirmed this by resetting the service and again one single bad login got me banned. Now I may have had a number of older entries from days/weeks ago, but it seems to me it may be looking cumulatively throughout the log history. Can it auto filter perhaps only the last 24 hours? No hacker is going to try one login per day to break in.

    Tim

    • Hi Tim,

      There was a bug with unbanning that was recently fixed. I have tested whitelisting and it seems to work at least in my simple tests. The exe now has a version that increments. It does not reset failed login attempt counts ever until the ip is banned (unless you restart the service), but that may be something useful to do, I will consider adding it. What is the ban count in your configuration file (FailedLoginAttemptsBeforeBan)? I believe the default is 5.

      Thanks!
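
An added example, not the project’s own code and not from the thread, of the counting question raised in this exchange: the same stream of failed logins counted cumulatively (what the reply describes: counts reset only when the address is banned or the service restarts) and counted only within a time window, so that a one-login-per-day trickle never adds up to a ban. The threshold of 5 is the default the reply states; the addresses and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional


class FailedLoginTracker:
    """Counts failed logins per source address and reports when a ban is due.

    window=None reproduces the behaviour described in the reply above (counts are
    only cleared when the address is banned). A timedelta window keeps only the
    failures inside the last `window`, so old entries in the log never count.
    """

    def __init__(self, threshold: int = 5, window: Optional[timedelta] = timedelta(hours=24)):
        self.threshold = threshold      # FailedLoginAttemptsBeforeBan in the page's config
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban was issued

    def record_failure(self, ip: str, when: datetime) -> bool:
        """Record one failure; return True if this one crosses the ban threshold."""
        if ip in self.banned:
            return False
        q = self.failures[ip]
        q.append(when)
        if self.window is not None:
            cutoff = when - self.window
            while q and q[0] <= cutoff:
                q.popleft()          # drop failures older than the window
        if len(q) >= self.threshold:
            self.banned[ip] = when
            q.clear()                # counts reset once the address is banned
            return True
        return False


# Constructed sample: one host failing once every two days (a slow trickle) and
# one host failing five times in four minutes (a real brute-force burst).
BASE = datetime(2012, 4, 6, 12, 0)
EVENTS = sorted(
    [("203.0.113.5", BASE + timedelta(days=2 * i)) for i in range(5)]
    + [("198.51.100.77", BASE + timedelta(days=1, minutes=i)) for i in range(5)],
    key=lambda e: e[1],
)


def bans(window: Optional[timedelta], events=EVENTS, threshold: int = 5) -> list[str]:
    """Addresses banned, in the order the bans happen, for a given counting window."""
    tracker = FailedLoginTracker(threshold, window)
    return [ip for ip, when in events if tracker.record_failure(ip, when)]


if __name__ == "__main__":
    print("cumulative:", bans(None))
    print("24h window:", bans(timedelta(hours=24)))
```

With a window the burst still bans after its fifth failure, while the slow host stays under the threshold because each new failure arrives after the previous one has aged out; with cumulative counting the slow host is banned on its fifth failure eight days in, which is the behaviour the commenter saw as a ban after a single bad login.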

  72. Greetings all, please download the latest version from github. It has a critical bug fix for not un-banning ip addresses properly.

  73. TimOneill on April 5, 2012 at 1:56 pm said:

    This has been working so well! I added a cmd task to reset the service every 15mins, this clears previously banned IP’s, and inserts into a long term log any blocked IP in that segment of time. Haven’t tried the newer vers but here’s my reset script if anyone is interested. Cheers to JJXTRA for this tool.

    rem stop the service, append the current ban list to a long-term log, then restart (the restart clears the bans)
    net stop "ipban"
    echo %date% %time% >> C:\apps\IPBan\log\IPBANLog.txt
    type C:\apps\IPBan\banlog.txt >> C:\apps\IPBan\log\IPBANLog.txt
    rem timeout is the built-in Windows equivalent of sleep
    timeout /t 2 /nobreak >nul
    net start "ipban"

    • The tool does have a configuration item that allows you to specify how long to ban ip addresses for. They are un-banned automatically after that time. Do you need a feature to keep track of all banned ip addresses for all time?

  74. Hi, great script! I can’t seem to get it to run unfortunately. It’s a 2008R2 server with .NET 4 Framework Extended running on it. Here’s the debug output…

    C:\IPBan>ipban.exe debug

    Unhandled Exception: System.TypeInitializationException: The type initializer for ‘IPBan.Log’ threw an exception. —> S
    ystem.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for nlog:
    Request failed. (C:\IPBan\IPBan.exe.Config line 5) —> System.Security.SecurityException: Request failed.
    at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCache
    d, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
    at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
    at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean skipCheckTh
    is, Boolean fillCache)
    at System.Activator.CreateInstance(Type type, Boolean nonPublic)
    at System.Configuration.TypeUtil.CreateInstanceWithReflectionPermission(Type type)
    at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.Init(RuntimeConfigurationRecord config
    Record, FactoryRecord factoryRecord)
    at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.InitWithRestrictedPermissions(RuntimeC
    onfigurationRecord configRecord, FactoryRecord factoryRecord)
    at System.Configuration.RuntimeConfigurationRecord.CreateSectionFactory(FactoryRecord factoryRecord)
    at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(String configKey, Boolean& isRootDeclaredH
    ere)
    — End of inner exception stack trace —
    at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(String configKey, Boolean& isRootDeclaredH
    ere)
    at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPe
    rmission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
    at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
    at System.Configuration.ClientConfigurationSystem.System.Configuration.Internal.IInternalConfigSystem.GetSection(Stri
    ng sectionName)
    at System.Configuration.ConfigurationManager.GetSection(String sectionName)
    at NLog.Config.XmlLoggingConfiguration.get_AppConfig()
    at NLog.LogFactory.get_Configuration()
    at NLog.LogFactory.GetLogger(LoggerCacheKey cacheKey)
    at NLog.LogFactory.GetLogger(String name)
    at NLog.LogManager.GetLogger(String name)
    at IPBan.Log..cctor() in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\Logger.cs:line 22
    — End of inner exception stack trace —
    at IPBan.Log.Write(LogLevel level, String text, Object[] args) in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\
    trunk\Utilities\IPBan\Logger.cs:line 29
    at IPBan.IPBanService.OnStart(String[] args) in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IP
    Ban\IPBanService.cs:line 363
    at IPBan.IPBanService.RunConsole(String[] args) in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities
    \IPBan\IPBanService.cs:line 390
    at IPBan.IPBanService.Main(String[] args) in C:\Users\Jeff\Desktop\Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan
    \IPBanService.cs:line 402

    C:\IPBan>

    The application crashes so it doesn’t parse the whole output so it stops after line 402.

    Any help would be great.

    Many thanks,
    Chris.

    • Looks like it may not have permission to write the log file. Can you verify you are running under the system account?

      • Hi, I can confirm the service is running as the Local System account. When I try and manually start the service I get the error: ‘The IPBAN service on local computer started then stopped. Some services stop automatically if they are not in use by other services or programs.’

        Any ideas?

        • What is the path to your log file? From your exception stack it looks like it’s failing to initialize the logger…

          Also try downloading the latest from github.

          • Same error again unfortunately when I try to run the debug with the newer version. :(

            The log is in the same location as the .exe file.

            C:\IPBan\IPBan.Log
            &
            C:\IPBan\banlog.txt

            I have even given ‘Everyone’ security permissions to write to it, just in case.

            Still no joy. :(

            Many thanks for your help so far.

            • Just to confirm are you running the service as SYSTEM? What about user account control, is that on at all? What if you start command prompt as administrator and then run “ipban debug”, does it work then?

  75. Harry on March 29, 2012 at 7:04 pm said:

    First of all I would like to say Thank you for your great work!

    I am new to windows server and was looking for a secure solution for my windows server that I recently installed.

    I uploaded the .exe file from the downloads folder and created a service as below. Unfortunately the service doesn’t start, as it stopped itself right after starting.

    sc create IPBAN type= own start= auto binPath= c:\path\IPBan.exe DisplayName= IPBAN

    I installed .NET Framework 4.0 before creating the service. Can you please advise?

    Harry

    • Try running “IPBAN.exe debug” on the command line and let me know what it says. Also, right click on all the files and select properties and then “unblock” if it’s available.

      • Harry on March 30, 2012 at 9:35 pm said:

        Sorry, the locale is not set to English but you may guess what type of errors I have had. The error is related to the exception which is not completed and the next error message in Korean means “a file or one of the assemblies could not be loaded. Can not find the file specified.”

        C:\bin\IPBan>IPBan.exe debug

        처리되지 않은 예외: System.IO.FileNotFoundException: 파일이나 어셈블리 ‘NLog, Ve
        rsion=2.0.0.0, Culture=neutral, PublicKeyToken=5120e14c03d0593c’ 또는 여기에 종
        속되어 있는 파일이나 어셈블리 중 하나를 로드할 수 없습니다. 지정된 파일을 찾을
        수 없습니다.
        위치: IPBan.Log.Write(LogLevel level, String text, Object[] args)
        위치: IPBan.IPBanService.OnStart(String[] args) 파일 C:\Users\Jeff\Desktop\Pe
        rsonal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:줄 400
        위치: IPBan.IPBanService.RunConsole(String[] args) 파일 C:\Users\Jeff\Desktop
        \Personal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:줄 427
        위치: IPBan.IPBanService.Main(String[] args) 파일 C:\Users\Jeff\Desktop\Perso
        nal\DigitalRuby\DEV\SVN\trunk\Utilities\IPBan\IPBanService.cs:줄 439

        • Try the latest download from github. It should have NLog.dll in the same directory. If it still fails to load, it must have something to do with the locale of the system you are on, in which case I will need to troubleshoot further. What is the system locale of your server? Korean I assume?

          • Harry on March 31, 2012 at 1:28 am said:

            Yes, the system locale is Korean. I will download it again and will let you know whether it works or not.

            Many thanks!

          • Harry on March 31, 2012 at 1:41 am said:

            I have uploaded NLog.dll into the same folder. The service started without any errors and it seems working fine. Thanks again for your great work!

  76. Just FYI, I added a whitelist config option, which is a comma separated list of IPs to never ban.

  77. Opoloko on March 24, 2012 at 9:47 am said:

    This is a simple and awesome tool. It works perfectly on my VPS with almost no CPU impact, very simple and effective. Really man, you made a perfect and simple tool for a simple but very important function.

  78. TimOneill on March 21, 2012 at 7:26 pm said:

    Hey JJxtra

    The software is working great blocking the IP’s of hax0rz. But it doesn’t appear to be doing housekeeping, removing previously banned IP’s. The problem being that we’ve got some legit users that have banned themselves, and while it’s simple to remove them by hand, I’m wondering if you’ve had the same results with banned IP’s not being cleansed after the ban period has elapsed.
    I appreciate your effort, once the word gets out on this tool everyone will be using it =)
    Tim

    • I’ll look into it. It’s supposed to check every minute for expired banned ip addresses, but I’ll write some tests to make sure it’s working and update github soon. Also I’ve added more flexibility in the config file to support different kinds of events (such as MSSQLSERVER failed logins).

      You can try the latest version to see if you have more luck, it’s definitely more beta feeling since I’ve added so many new features, but it seems to still be working on my dedicated web server.

      Also, you can edit the WhiteList property in the config file to specify a comma separated list of ip addresses to never ban.
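The bookkeeping discussed in this exchange (count failures per address, ban after a threshold, never ban whitelisted addresses or regex matches, and expire bans on a periodic housekeeping pass) as an added Python model; this is illustrative code written for this page, not IPBan’s C# implementation. Timestamps are plain epoch seconds and the `BanTracker` class and its method names are hypothetical.

```python
import ipaddress
import re


class BanTracker:
    """Toy model of IPBan-style ban bookkeeping (not IPBan's own code).

    whitelist is a comma separated string of IP addresses or regexes,
    mirroring the WhiteList config option described in the thread.
    """

    def __init__(self, max_failures=5, ban_seconds=24 * 3600, whitelist=""):
        self.max_failures = max_failures
        self.ban_seconds = ban_seconds
        self.whitelist = [w.strip() for w in whitelist.split(",") if w.strip()]
        self.failures = {}  # ip -> number of failed logins seen so far
        self.banned = {}    # ip -> epoch second at which the ban expires

    def is_whitelisted(self, ip):
        """Exact IP match first; entries that are not IPs are treated as regexes."""
        for entry in self.whitelist:
            try:
                if ipaddress.ip_address(ip) == ipaddress.ip_address(entry):
                    return True
            except ValueError:
                if re.fullmatch(entry, ip):
                    return True
        return False

    def record_failure(self, ip, now):
        """Register one failed login; return True if this one triggered a ban."""
        if self.is_whitelisted(ip) or ip in self.banned:
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.banned[ip] = now + self.ban_seconds
            del self.failures[ip]  # reset the counter once the ban is in place
            return True
        return False

    def housekeeping(self, now):
        """The periodic expiry pass: drop bans whose time has elapsed.

        Returns the addresses that were unbanned so a caller can remove the
        matching firewall rules. If this never runs, bans never clear,
        which is the symptom reported above.
        """
        expired = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in expired:
            del self.banned[ip]
        return expired
```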

  79. TimOneill on March 9, 2012 at 1:03 pm said:

    I loaded it up on a test box and it is working as described. Simple and effective. Thanks for your work on putting this together. I appreciate it.

  80. TimOneill on March 8, 2012 at 6:47 pm said:

    Hi, I came upon your tool for banning IP’s based upon failed logon attempts. I am curious if you would provide the .exe file, as I don’t have the tools to compile the source.
    I appreciate this effort and would like to try it out.

    Tim ONeill
