How To Block Hackers and Remote Desktop Attempts In Windows Server 2008 or newer
Is your Windows server getting hacked? Do you need to block ip addresses in Windows? Dealing with a brute force attack? This article is for you.
The last month or so I noticed a disturbing trend in the event viewer on one of our dedicated windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the ip address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This actually caused significant CPU (10%+) and disk IO as the event viewer continually wrote failed login attempts.
After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free tool in C# to auto-ban ip addresses. This tool is constantly improving. Right now it can block ip addresses as found in the event log for audit-failure events. It is very configurable as well.
- Duration to ban ip address
- Number of failed login attempts before ban
- Whitelist of comma separated ip addresses or regex to never ban
- Blacklist of comma separated ip addresses or regex to always ban
- Custom prefix to windows firewall rules
- Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
- Refreshes config so no need to restart the service when you change something
- Highly configurable, ban anything that comes through Windows Event Viewer
- A GREAT and FREE alternative to RdpGuard or Syspeace. Don’t pay for something that should be free!
Ships with Windows login failure and MSSQLSERVER login failures by default.
Here’s how to create a Windows service from command prompt:
sc create IPBAN type= own start= auto binPath= d:\system\ipban\ipban.exe DisplayName= IPBAN
*** Requires Windows Vista or Windows Server 2008 or newer ***
*** Make sure to right click on the .zip file you download and select properties, then unblock ***