Securing your Windows Dedicated Server

How To Block Hackers and Remote Desktop Attempts In Windows Server 2008 or newer

Download IPBan For Free

Visit this Project on GitHub

Is your Windows server getting hacked? Do you need to block IP addresses in Windows? Dealing with a brute-force attack? This article is for you.

The last month or so I noticed a disturbing trend in the event viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the IP address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the Windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This actually caused significant CPU (10%+) and disk IO as the event viewer continually wrote failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses found in the event log in audit-failure events. It is very configurable as well.

Features include:
- Duration to ban an IP address
- Number of failed login attempts before a ban
- Whitelist of comma-separated IP addresses or regex to never ban
- Blacklist of comma-separated IP addresses or regex to always ban
- Custom prefix for the Windows Firewall rules
- Custom keywords, XPath and regex to parse event viewer logs for failed login attempts
- Reloads its config automatically, so there is no need to restart the service when you change something
- Highly configurable: ban on anything that comes through the Windows Event Viewer
- A GREAT and FREE alternative to RdpGuard or Syspeace. Don’t pay for something that should be free! :)

Ships with detection of Windows login failures and MSSQLSERVER login failures by default.
Here’s how to create a Windows service from the command prompt (adjust the path to where you unzipped ipban.exe):
sc create IPBAN type= own start= auto binPath= d:\system\ipban\ipban.exe DisplayName= IPBAN

*** Requires Windows Vista or Windows Server 2008 or newer ***
*** Make sure to right click on the .zip file you download and select properties, then unblock ***
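To make the ban logic concrete, here is an added example (not IPBan’s own code) that models the features listed above: an event-log message is matched with a regex whose named group "ipaddress" captures the source, failures are counted per address within a window, whitelisted addresses are skipped, and the simulated firewall rule is rewritten on every ban or expiry. The rule is dropped entirely when the last ban expires, which is the edge case behind the "empty rule blocks everything" bug discussed in the comments. Threshold, window, whitelist and the sshd-style message format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed settings mirroring the features listed above (not IPBan's real config keys).
FAIL_THRESHOLD = 5                       # failed logins before a ban
WINDOW = timedelta(hours=24)             # failures must fall within this window
BAN_DURATION = timedelta(hours=24)       # how long a ban lasts
WHITELIST = re.compile(r"^(10\.|192\.168\.)")   # regex of addresses never banned
# Named group "ipaddress", as in the regex given in the comments for sshd events.
IP_REGEX = re.compile(r"Invalid user \S+ from (?P<ipaddress>[\d.]+)")

class Banner:
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.bans = {}                     # ip -> time the ban expires
        self.rule = None                   # simulated firewall rule: set of IPs, or None if no rule

    def process_event(self, message, now):
        # Feed one event-log message; ban the source once it crosses the threshold.
        m = IP_REGEX.search(message)
        if not m:
            return
        ip = m.group("ipaddress")
        if WHITELIST.match(ip) or ip in self.bans:
            return
        recent = [t for t in self.failures[ip] if now - t <= WINDOW] + [now]
        self.failures[ip] = recent
        if len(recent) >= FAIL_THRESHOLD:
            self.bans[ip] = now + BAN_DURATION
            del self.failures[ip]
            self._sync_rule()

    def expire(self, now):
        # Lift bans whose duration has elapsed, then rewrite the firewall rule.
        self.bans = {ip: exp for ip, exp in self.bans.items() if exp > now}
        self._sync_rule()

    def _sync_rule(self):
        # The bug fixed in the comments: when the last ban is lifted the rule must be
        # deleted (None), never left in place with an empty address list.
        self.rule = set(self.bans) if self.bans else None

def demo():
    # Constructed scenario: one attacker, one whitelisted host, then expiry.
    b, t0 = Banner(), datetime(2012, 6, 19, 12, 0)
    for i in range(5):
        b.process_event("sshd: PID 1504: Invalid user admin from 203.0.113.7", t0 + timedelta(minutes=i))
        b.process_event("sshd: PID 1504: Invalid user admin from 192.168.68.1", t0 + timedelta(minutes=i))
    state = (set(b.bans), b.rule)
    b.expire(t0 + timedelta(hours=25))
    return state[0], state[1], b.rule
```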

158 Thoughts on “Securing your Windows Dedicated Server”

  2. Lothar on July 7, 2012 at 2:01 am said:

    A really very good equivalent to fail2ban.
    Maybe you should incorporate a small readme “How do I create a service”

    I think a lot of server owners do not know how.

    The easiest way is:
    sc create NameOfMyService BinPath= "myPath\IPBan.exe" type= own

    Thank you for this excellent tool.
    Lothar

  3. Chintan Karnik on June 19, 2012 at 11:53 am said:

    Thank you for building this excellent tool.

    Is it possible to adapt it to monitor failed SSH logins?

    I’ve tried playing around with XML groups and RegEx expressions in the .config file, but lack of IpAddress group seems to be the stumbling block:

    Here is the info that needs to be extracted from the eventlog
    —-

    sshd: PID 1504: Invalid user admin from 192.168.68.1

    ——

    So far I’ve set up the following two regex entries …but the service is not picking up the IP

    ==

    //Source[@Name='sshd']

    //Data

    ===

    Any suggestions?

    Thanks,
    ck

    • Can you email me your event log XML and your config file? jjxtra AT gmail DOT com

    • Try this in your Regex element:

      <![CDATA[Invalid user admin from (?<ipaddress>.+)]]>

      • Chintan Karnik on June 19, 2012 at 7:41 pm said:

        You are a genius! I spent most of the day trying to hack together a PowerShell solution after posting here …but it required too much overhead and still haven’t nailed it yet.

        Your regex worked. It was the ipaddress part that I was stumbling on.

        Here is my modified (allow for any username) regex:
        <![CDATA[user((\W+\w+){1}?)\W+from (?<ipaddress>.+)]]>

        Thank you so much.

  4. AlanO on June 9, 2012 at 2:46 am said:

    IPBan is just what I’ve been looking for, but it doesn’t work for me.

    I have installed on my server as a service using the sc script provided in README, adjusted to my path and using the main “LocalSystem” account (same as most of the other services on my server; SBS2003 R2 does not have an account called “SYSTEM”).

    logfile.txt reports that the IPBAN service starts. The service does indeed initially start but after 3 or 4 seconds it stops with error code 1067 (Unexpected error).

    “ipban.exe debug” reports an error… Unhandled Exception: System.PlatformNotSupportedException: Operation is not supported on this platform.

    I have Windows Small Business Server 2003 Standard R2 with .NET 4.0 installed and functional. Should your service work on this server? Or have I done something wrong?

    Hope you can help, I’m desperately keen to get rid of a persistent Chinese hacker attacking my RDP port!

    Kindest regards and best wishes. Alan.

    • Hey Alan,

      Sorry the program isn’t working for you. My best guess is that we are using some system calls that are not available on small business server. Do you have access to a standard server 2003 install that you could try the service on?

      • AlanO on June 9, 2012 at 1:48 pm said:

        Hi Jeff.

        No, I don’t have a standard server. If I get some energy tomorrow (I’m a cancer sufferer and never know how I’m going to feel the next day) I’ll add some trace code to your source to see if I can find out which system call is causing the problem. I’ll let you know so we can fix this.

        Cheers,
        Alan

        • That’s very nice of you. However, looking at MSDN documentation the calls we are making are only supported on Vista or Server 2008 or newer … I will update the documentation.

          Wishing you the best in your medical battles.

  5. TimOneill on June 6, 2012 at 2:05 pm said:

    I gotta give more props to JJXTRA. With the most recent iterations this software package is set it and forget it. I no longer have to worry about the nasties trying to penetrate my public facing RDP systems. This utility could be called RADs. Remote Access Denial service, or Really Awesome Denial system. Thank you again.

  6. Just a quick question for a poor soul who got stuck with having to manage a mail server running on 2008 R2.

    On the old server 2003 I pretty much had it down to an art for nailing these idiots that ping my SQL interface a thousand times an hour trying to access as “sa”. This is a “mail server”. .. period.
    but that doesn’t seem to bother the program they run as they hit me from various IP’s all the time.

    I have it set up to flash a pop-up every time the security log intercepts one and logs it BUT… The new Windows advanced security firewall is WAY over my head. FAR too much trouble when All I want is a simple IP blocker. Something specific to a single IP at a time.

    This is a very small company that hosts their own email and it annoys me no end. I used to get some satisfaction from checking the security logs every day and adding a few more of the #@!75 ‘ s to the list.

    But the “method” offered to do that in 2008 R2…by Microsoft … I got lost after the 4th page. I just want to make a list of IP’s to block, That USED to be simple enough.

    I tried my best to follow along but after the 15th step I was so lost I was afraid I would end up blocking ALL the mail.

    Your “program run as a service” was almost like a gift from God!

    IF>>> I can be SURE I did it right. It is running as a service so I must have done something right. But I don’t yet know how to tell who/what/if it blocks an IP.

    The monitor I use (Event Sentry) usually goes ballistic at about 5 pm every day and then off and on through the night. Then after midnight it goes full throttle till about 7 am. My Windows security logs are a red streak of failures every day. Hundreds of “attempts”. Obviously the “other side of the world” where it is daytime there; actually I even tracked a few IP’s all the way down to a Google sky-photo of the building they are in…In China.

    Anyway, please tell me how to tell for sure it is working and make sure I am not blocking real people. What does it use for “guidance” and how to control it.

    NOTE! I am NOT a programmer and even your readme was close to being outside my faculties :)

    Thanks

    PS: If it works, what kind (how much) donation do you want? I don’t mind paying for results. That is how we all survive.

    Mike

    • Mike,

      The service should spit out a banlog.txt file that contains a list of the currently banned ip addresses. You can also look in your windows firewall rules for a rule called “BlockIPAddresses”. The default settings should work pretty well right out of the box and protect you from remote desktop attacks and SQL server attacks. If you know there are some IP Addresses you never want to ban, you can add them to what’s called a whitelist, which means they are always safe. If you want help doing that, let me know.

      I believe the defaults will ban an ip address for 24 hours if it fails to login 5 times within a 24-hour period.

      Glad you are finding the tool useful, let me know how it goes…

  7. We were nice enough to get a bug fix that actually uses the ban time in the config file instead of hard coding it to 24 hours. Thanks to https://github.com/primaryobjects for the fix!

  8. For anyone who has downloaded, please go download the latest from github. I fixed a bug where in the rare chance that it unbans the last ip address, it creates a rule with no ip addresses, effectively firewalling off the entire server.

    Thanks Matt for finding that, I apologize for any problems this causes anyone.

  9. A great alternative to Linux’s BFD for Windows. Works like a charm, thanks very much.

    • Glad it’s working out for you.

      • Just had a problem. I tried connecting this morning and my server was inaccessible. Connected via other means and figured out it was an empty rule that IPBan had set up that was blocking all traffic. Any ideas? Should IPBan delete the rule each day rather than clearing IPs? Have I set something up wrong?

        • Matt,

          I am so sorry that happened to you. Guess that’s a rare bug you ran into. I have fixed it in the latest code, so if you get the latest from github, you should not have the problem anymore. If it unbans the last ip address and there are no more banned ip addresses, it simply deletes the firewall rule, and will recreate it the next time an ip address gets banned.

          Again, I apologize for the bug.

          Thanks for trying it out!

  10. Aaron on April 8, 2012 at 11:38 am said:

    How can I unblock an IP address once it has been blocked?

    Also I don’t have a log file that shows what has been blocked?

    The service is running as system

    • It is reading the ban time correctly from the IPBan.exe.config file. The log files are in the config file as well (one for the ip address list and another for all logging).

      If you want to manually unblock an ip address, go to windows firewall and edit the rule created (it’s called BlockIPAddresses). Alternatively, you can restart the service, but it’s probably easier just to set a short ban time in the config file (something like 30 minutes or something).

      Happy Easter!
