IPBan – The Simplest Way to Block Hackers and Bot Nets





Is your server getting hacked? Do you need to block IP addresses automatically? Dealing with a brute force attack? Don’t want to spend your life savings on SysPeace or other overpriced security software? IPBan is for you.

A while ago, I noticed a disturbing trend in the Event Viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to Terminal Services (Remote Desktop). I decided I would enable the Terminal Services auto-ban, so after 5 login attempts the IP address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the Windows logon process to continually spin up and shut down (csrss.exe kept appearing and disappearing in Task Manager). This actually caused significant CPU usage (10%+) and disk I/O as the event log continually recorded failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free (if you install it yourself) tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses found in the event log for audit-failure events. It is very configurable as well.

Features include:
– Unlimited number of IP addresses to ban
– Duration to ban an IP address
– Number of failed login attempts before ban
– Whitelist of comma-separated IP addresses or regex to never ban
– Blacklist of comma-separated IP addresses or regex to always ban
– Custom prefix for Windows Firewall rules
– Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
– Refreshes config so no need to restart the service when you change something
– Highly configurable, ban anything that comes through Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
– Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
– Runs on Linux and Windows
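
The ban logic this feature list describes (failure threshold, ban duration, whitelist, regex extraction of the address), as an added example that is not IPBan's own code. `BanTracker`, the constants and the pattern are hypothetical names; the threshold and duration reuse the 5 attempts / 24 hours from the story above, the whitelist addresses are constructed, and the sample line is the sshd message quoted in the comments below.

```python
import ipaddress
import re
from collections import defaultdict

# Illustrative values (5 attempts / 24 h, as in the post); not IPBan defaults.
MAX_FAILURES = 5
BAN_SECONDS = 24 * 3600
# Comma-separated whitelist; the addresses are constructed samples.
WHITELIST = {ipaddress.ip_address(a.strip()) for a in "192.0.2.10, 10.0.0.5".split(",")}
# The named group isolates the source address from the rest of the message.
FAILED_LOGIN = re.compile(r"Invalid user \S+ from (?P<ipaddress>[0-9A-Fa-f:.]+)")


class BanTracker:
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned_until = {}             # ip -> time at which the ban lapses

    def is_banned(self, ip, now):
        ip = ipaddress.ip_address(str(ip))
        expiry = self.banned_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.banned_until[ip]      # housekeeping: drop lapsed bans
            return False
        return expiry is not None

    def process(self, now, line):
        """Feed one log line; return the IP as text if this line triggers a ban."""
        match = FAILED_LOGIN.search(line)
        if not match:
            return None
        try:
            ip = ipaddress.ip_address(match.group("ipaddress"))
        except ValueError:
            return None                    # pattern matched text that is not an IP
        if ip in WHITELIST or self.is_banned(ip, now):
            return None
        # Assumption: only failures inside the last BAN_SECONDS count.
        recent = self.failures[ip] = [t for t in self.failures[ip] if now - t < BAN_SECONDS] + [now]
        if len(recent) < MAX_FAILURES:
            return None
        self.banned_until[ip] = now + BAN_SECONDS
        del self.failures[ip]
        return str(ip)


# Constructed sample: the sshd line from the comments, five failures in a row.
SAMPLE = [(t, "sshd: PID 1504: Invalid user admin from 192.168.68.1") for t in range(5)]
tracker = BanTracker()
print([tracker.process(t, line) for t, line in SAMPLE])
```

In a real deployment the returned address would be handed to the firewall and `is_banned` polled on a timer so that expired bans are actually removed.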

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.

I am also willing to do contracting work to improve IPBan if it doesn’t fit your needs or to help you set it up on your servers. Please email me at [email protected] if you would like paid services.

*INSTRUCTIONS*: https://github.com/jjxtra/IPBan





Need help configuring IPBan? I’m happy to help with simple questions. For more involved assistance, I do consulting. Please email me at [email protected] and I’d be happy to consider your proposal.

Testimonials:

A few days ago I was checking the event logs for my server that hosts a MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily set up a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

– Jim

Bravo! This is a masterpiece!

– Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

– Matt C

trackback

[…] to the above mentioned IPBan: http://www.digitalruby.com/securing-…icated-server/ I have not installed this yet as I don't open RDP to the internet but it looks interesting, and […]

Lothar

A really very good equivalent to fail2ban.
Maybe you should incorporate a small readme “How do I create a service”

I think a lot of server owners do not know how.

The easiest way is:
sc create NameOfMyService binPath= "myPath\IPBan.exe" type= own

Thank you for this excellent tool.
Lothar

Chintan Karnik

Thank you for building this excellent tool. Is it possible to adapt it to monitor failed SSH logins? I’ve tried playing around with XML groups and RegEx expressions in the .config file, but lack of IpAddress group seems to be the stumbling block. Here is the info that needs to be extracted from the event log:

sshd: PID 1504: Invalid user admin from 192.168.68.1

So far I’ve set up the following two regex entries, but the service is not picking up the IP:

//Source[@Name='sshd']
//Data

Any suggestions? Thanks, ck

AlanO

IPBan is just what I’ve been looking for, but it doesn’t work for me. I have installed on my server as a service using the sc script provided in README, adjusted to my path and using the main “LocalSystem” account (same as most of the other services on my server; SBS2003 R2 does not have an account called “SYSTEM”). logfile.txt reports that the IPBAN service starts. The service does indeed initially start but after 3 or 4 seconds it stops with error code 1067 (Unexpected error). “ipban.exe debug” reports an error… Unhandled Exception: System.PlatformNotSupportedException: Operation is not supported on this…

TimOneill

I gotta give more props to JJXTRA. With the most recent iterations this software package is set it and forget it. I no longer have to worry about the nasties trying to penetrate my public facing RDP systems. This utility could be called RADs. Remote Access Denial service, or Really Awesome Denial system. Thank you again.

mike g

Just a quick question for a poor soul who got stuck with having to manage a mail server running of 2008 [email protected]=2. On the old server 2003 I pretty much had it down to an art for nailing these idiots that ping my SQL interface a thousand times an hour trying to access as “sa”. This is a “mail server”. .. period. but that doesn’t seem to bother the program they run as they hit me from various IP’s all the time. I have it setup to flash a pop-up every time the security log intercepts one and logs it…

Matt

A great alternative to Linux’s BFD for Windows. Works like a charm, thanks very much.

Aaron

How can I unblock an IP address once it has been blocked?

Also I don’t have a log file that shows what has been blocked?

The service is running as system

TimOneill

Hi JJXtra, I’ll give that new version a go. I had seen it not unban after the set time, and used the above reset task script to do it. Plus I like how a reset flushes all the firewall rules, and brings it all back to zero. White listing wasn’t being cooperative either, and with 300+ users, my potential for grief was high so a 15min flush kept the legit users working while balancing the security aspect. Also incrementing the version numbers in the exe so folks know what ver they’re running would be helpful, it seems they’re all stamped…

TimOneill

This has been working so well! I added a cmd task to reset the service every 15mins, this clears previously banned IP’s, and inserts into a long term log any blocked IP in that segment of time. Haven’t tried the newer vers but here’s my reset script if anyone is interested. Cheers to JJXTRA for this tool.

net stop "ipban"
echo %date% %time% >> C:\apps\IPBan\log\IPBANLog.txt
type C:\apps\IPBan\banlog.txt >> C:\apps\IPBan\log\IPBANLog.txt
sleep 2
net start "ipban"

Chris

Hi, great script! I can’t seem to get it to go run unfortunately. It’s a 2008R2 server with .NET 4 Framework Extended running on it. Here’s the debug output…

C:\IPBan>ipban.exe debug
Unhandled Exception: System.TypeInitializationException: The type initializer for 'IPBan.Log' threw an exception. ---> System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for nlog: Request failed. (C:\IPBan\IPBan.exe.Config line 5) ---> System.Security.SecurityException: Request failed.
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)…

Harry

First of all I would like to say Thank you for your great work!

I am new to windows server and was looking for a secure solution for my windows server that I recently installed.

I uploaded .exe file from the downloads folder and created a service as below. Unfortunately the service doesn’t start as it stopped itself after the service started.

sc create IPBAN type= own start= auto binPath= c:\path\IPBan.exe DisplayName= IPBAN

I installed .NET Framework 4.0 before creating the service. Can you please advise?

Harry

Opoloko

This is a simple and awesome tool..works perfect on my VPS, almost no cpu impact, very simple and effective, really man you made a perfect and simple tool for a simple but very important function.

TimOneill

Hey JJxtra

The software is working great blocking the IP’s of hax0rz. But it doesn’t appear to be doing housekeeping removing previously banned IP’s. The problem being that we’ve got some legit users that have banned themselves, and while it’s simple to remove them by hand, I’m wondering if you’ve had the same results with banned IP’s not being cleansed after the ban period has elapsed.
I appreciate your effort, once the word gets out on this tool everyone will be using it =)
Tim

TimOneill

I loaded it up on a test box and it is working as described. Simple and effective. Thanks for your work on putting this together. I appreciate it.

TimOneill

Hi, I came upon your tool for banning IP’s based upon failed logon attempts. I am curious if you would provide the .exe file, as I don’t have the tools to compile the source.
I appreciate this effort and would like to try it out.

Tim ONeill
