IPBan – The Simplest Way to Block Hackers and Bot Nets





Is your server getting hacked? Do you need to block IP addresses automatically? Dealing with a brute force attack? Don’t want to spend your life savings on SysPeace or other overpriced security software? IPBan is for you.

A while ago, I noticed a disturbing trend in the event viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the IP address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the Windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This caused significant CPU usage (10%+) and disk I/O as the event log continually recorded the failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free (if you install it yourself) tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses found in the event log for audit-failure events. It is very configurable as well.

Features include:
– Unlimited number of IP addresses to ban
– Duration to ban an IP address
– Number of failed login attempts before ban
– Whitelist of comma separated IP addresses or regex to never ban
– Blacklist of comma separated IP addresses or regex to always ban
– Custom prefix for Windows Firewall rules
– Custom keywords, XPath and regex to parse event viewer logs for failed login attempts
– Refreshes config so there is no need to restart the service when you change something
– Highly configurable: ban anything that comes through Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
– Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
– Runs on Linux and Windows
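The ban logic the feature list describes, as an added Python illustration (not IPBan's own code, which is C#): whitelist and blacklist entries that are either literal addresses or regexes, a configurable number of failed attempts before a ban, a blacklist that bans on first sight, and bans that lapse after the configured duration. A wildcard entry of the form 193.85.*.* (the form asked about in the comments) is converted to a regex here; that conversion, the whole-address match semantics, and every configuration value in the demo are assumptions of this example rather than documented IPBan behaviour.

```python
"""Ban bookkeeping: whitelist/blacklist matching, failure counting, expiring bans.
Constructed example, not IPBan's code; all configuration values are assumed."""
import ipaddress
import re
from datetime import datetime, timedelta


def glob_to_regex(pattern):
    """Turn a wildcard such as '193.85.*.*' into an anchored regex.
    Each '*' becomes one dotted-decimal octet, so this helper is IPv4-only."""
    return "^" + re.escape(pattern).replace(r"\*", r"\d+") + "$"


class IpListMatcher:
    """Comma separated list; each entry is a literal IP address, a wildcard
    (assumption: '*' without backslashes), or a regex matched against the
    whole address (assumption of this example)."""

    def __init__(self, spec):
        self.literals = set()
        self.patterns = []
        for entry in (e.strip() for e in spec.split(",") if e.strip()):
            try:
                self.literals.add(str(ipaddress.ip_address(entry)))
            except ValueError:
                if "*" in entry and "\\" not in entry:
                    entry = glob_to_regex(entry)
                self.patterns.append(re.compile(entry))

    def matches(self, ip):
        ip = str(ipaddress.ip_address(ip))        # canonical form, e.g. ::1 not 0::1
        return ip in self.literals or any(p.fullmatch(ip) for p in self.patterns)


class BanTracker:
    def __init__(self, whitelist, blacklist, attempts_before_ban, ban_duration):
        self.whitelist = IpListMatcher(whitelist)
        self.blacklist = IpListMatcher(blacklist)
        self.attempts_before_ban = attempts_before_ban
        self.ban_duration = ban_duration
        self.failures = {}      # ip -> failed attempts since the last ban
        self.bans = {}          # ip -> datetime at which the ban lapses

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                         # duration elapsed: lift the ban
            del self.bans[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login from ip; return True if ip is banned afterwards."""
        if self.whitelist.matches(ip):
            return False                          # whitelisted sources are never banned
        if self.is_banned(ip, now):
            return True
        if self.blacklist.matches(ip):
            count = self.attempts_before_ban      # blacklisted: ban on the first failure
        else:
            count = self.failures.get(ip, 0) + 1
            self.failures[ip] = count
        if count >= self.attempts_before_ban:
            self.bans[ip] = now + self.ban_duration
            self.failures.pop(ip, None)
            return True
        return False


def demo():
    """Constructed scenario: addresses from the documentation ranges only."""
    t0 = datetime(2013, 9, 9, 14, 0, 0)
    tracker = BanTracker(
        whitelist="127.0.0.1,::1,0.0.0.0,193.85.*.*,^192\\.168\\.\\d+\\.\\d+$",
        blacklist="^203\\.0\\.113\\.\\d+$",
        attempts_before_ban=5,
        ban_duration=timedelta(hours=24),
    )
    results = {}
    results["attacker"] = [tracker.record_failure("198.51.100.7", t0 + timedelta(seconds=i))
                           for i in range(5)]                  # banned on the 5th failure
    results["attacker_after_expiry"] = tracker.is_banned("198.51.100.7", t0 + timedelta(hours=25))
    results["lan_host"] = [tracker.record_failure("192.168.1.50", t0) for _ in range(10)]
    results["wildcard_host"] = tracker.record_failure("193.85.12.34", t0)
    results["blacklisted"] = tracker.record_failure("203.0.113.9", t0)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a regex written as 192\.168\.*\.* is not a wildcard: `\.*` means "zero or more dots", so against a whole address it matches 192.168 followed only by dots, never 192.168.1.5. The regex form the comments mention, 192\.168\.\d+\.\d+, or the wildcard form 192.168.*.* (converted by `glob_to_regex`) is what matches a /16 of hosts.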

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.

I am also willing to do contracting work to improve IPBan if it doesn’t fit your needs or to help you set it up on your servers. Please email me at [email protected] if you would like paid services.

*INSTRUCTIONS*: https://github.com/jjxtra/IPBan





Need help configuring IPBan? I’m happy to help with simple questions. For more involved assistance, I do consulting. Please email me at [email protected] and I’d be happy to consider your proposal.

Testimonials:

A few days ago I was checking the event logs for my server that hosts an MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily set up a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

– Jim

Bravo! This is a masterpiece!

– Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

– Matt C


Spamme
Guest
Spamme

Hello

What is the logic behind the bitwise AND operator in this line:

foreach (ExpressionsToBlockGroup group in config.Expressions.Groups.Where(g => (g.KeywordsULONG & keywordsULONG) != 0))

because the bitwise AND of 0x8010000000000000 and 0x8020000000000000 isn’t zero and a successful login is banned.

Spamme
Guest
Spamme

Thanks for the reply, sorry the reply function doesn’t work in FF. Moreover I was checking the log file and I saw that my IPv6 was banned after a successful login, at least in the event viewer it is marked as “Audit success”. Here is the xml of the event: <?xml version="1.0" encoding="UTF-8"?> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4648</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2013-09-09T14:01:30.962261600Z" /> <EventRecordID>182487</EventRecordID> <Correlation /> <Execution ProcessID="552" ThreadID="620" /> <Channel>Security</Channel> <Computer>Server01</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-18</Data> <Data Name="SubjectUserName">Server01$</Data> <Data Name="SubjectDomainName">WORKGROUP</Data> <Data Name="SubjectLogonId">0x3e7</Data> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TargetUserName">Admin</Data> <Data Name="TargetDomainName">Server01</Data> <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TargetServerName">localhost</Data> <Data Name="TargetInfo">localhost</Data>…

Spamme
Guest
Spamme

I’m not quite sure about the whitelist regex. For a local network, whose regex is 192\.168\.\d+\.\d+, can I use 192\.168\.*\.*? Or should I use only one wildcard char? 192\.168\.*?

Nick Z.
Guest
Nick Z.

A question, can I put in the “whitelist” some wildcard IP’s using the “*”, such as:

<add key="Whitelist" value="127.0.0.1,::1,0.0.0.0,193.85.*.*,180.179.159.29-" />

Thank You

Nick Z.
Guest
Nick Z.

Thank You so much for this useful little prog.

I was getting hundreds of login attempts on my 2008 server by hackers from all over the world. I got here to this site out of desperation and decided to try IPban.

What I can say is that maybe this is the most useful program that I have ever downloaded in my entire life!

The creator of IPban did the world a big favor. Thank You!

nl20121974@hotmail.com
Guest

OK, it’s done, I have read the readme.

nl20121974@hotmail.com
Guest

Hi, I have installed the service but can’t see it in the services (and so can’t start it). Here is the install log:

Installing assembly 'C:\Users\nl20121974\Desktop\IPBan\IPBan.exe'.
Affected parameters are:
   logtoconsole =
   logfile = C:\Users\nl20121974\Desktop\IPBan\IPBan.InstallLog
   assemblypath = C:\Users\nl20121974\Desktop\IPBan\IPBan.exe
No public installers with the RunInstallerAttribute.Yes attribute could be found in the C:\Users\nl20121974\Desktop\IPBan\IPBan.exe assembly.
Committing assembly 'C:\Users\nl20121974\Desktop\IPBan\IPBan.exe'.
Affected parameters are:
   logtoconsole =
   logfile = C:\Users\nl20121974\Desktop\IPBan\IPBan.InstallLog
   assemblypath = C:\Users\nl20121974\Desktop\IPBan\IPBan.exe
No public installers with the RunInstallerAttribute.Yes attribute could be found in the C:\Users\nl20121974\Desktop\IPBan\IPBan.exe assembly.
Remove InstallState file because there are no installers.

Regards, Nicolas

Keith
Guest

Hi Jeff,

I sent you a mail, but maybe you can help. We are running MySQL, so I added a group to deal with failed logins; the xml data is

<Data>Access denied for user 'root'@'41.132.172.189' (using password: YES)</Data>

but the mssql regex is not working on this, so I assume the regex match is the issue. Can you help me here as to what I need to get the IP from this data?


paintball dude
Guest

or rather, the event viewer continues to show new attempts from the same IP….

paintball dude
Guest

Hrm. running this as a service on my 2k8r2 server, and the log is still filling up with attempts…

Paul T
Guest
Paul T

I see you say the tool is incompatible with Windows Server 2003. Have you any alternative suggestions? Our server has to cope with over 10000 failed remote logins daily. These started just over a year ago, but the average then was less than 5000 per day. One day last month, the number exceeded 45000. That can’t be good.

Nick Zouein
Guest
Nick Zouein

Just saying a BIG Thank You!!

Followed the “How to” and it already started adding IPs to the firewall.

Great tool.

Thank You so much.

Arijit Upadhyay
Guest
Arijit Upadhyay

Thank you for this great free tool. I just installed it and am busy configuring.

A question: how do I add monitoring of the FTP service with IPBan?

Regards

Arijit

slamjam
Guest
slamjam

Yes, it’s the same as the example below but with some text taken out for security.

Slamjam
Guest
Slamjam

OK Great.

What about these being logged:

We seem to have lots of the below logged filling up the logs. Any way to stop them?

Processing xml: 4624001254400x80200000000000003799622Securitymachinename.domainname.localS-1-0-0–0x0S-1-5-18machinenameDomain Name0xbccf3f273KerberosKerberos{3EA8282A-70D7-6E3B-409F-1E4BCFFCB82F}–00x0-::163717

Slamjam
Guest
Slamjam

Hi there

Does IPBan block IPv6 addresses or just IPv4?

We seem to have lots of the below logged filling up the logs. Any way to stop them?

Processing xml: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2013-02-18T22:08:11.121854600Z'/><EventRecordID>3799622</EventRecordID><Correlation/><Execution ProcessID='624' ThreadID='6180'/><Channel>Security</Channel><Computer>machinename.domainname.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>machinename</Data><Data Name='TargetDomainName'>Domain Name</Data><Data Name='TargetLogonId'>0xbccf3f27</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{3EA8282A-70D7-6E3B-409F-1E4BCFFCB82F}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>63717</Data></EventData></Event>

 
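Spamme's bitwise-AND question near the top of the comments and the 4624 event from ::1 that Slamjam reports come down to the same arithmetic: 0x8010000000000000 (Audit Failure) AND 0x8020000000000000 (Audit Success) is 0x8000000000000000, which is not zero, so if a failure group is matched with a test that accepts any shared keyword bit, a successful logon matches it too. Below is an added Python illustration (not IPBan's code; the event XML is constructed from the fields quoted in these comments) of that loose test beside a strict one that requires every bit of the configured keyword to be present, plus a source-address check that treats loopback addresses such as ::1 as not coming from the network.

```python
"""Keyword matching on Security-log events: loose (any shared bit) versus
strict (all configured bits).  Constructed example, not IPBan's C# code."""
import ipaddress
import xml.etree.ElementTree as ET

AUDIT_FAILURE = 0x8010000000000000   # <Keywords> on a failed logon (event 4625)
AUDIT_SUCCESS = 0x8020000000000000   # <Keywords> on a successful logon (4624 / 4648)

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed from the 4624 Kerberos logon from ::1 quoted in the comment above.
EVENT_4624 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID>
<Keywords>0x8020000000000000</Keywords><Channel>Security</Channel></System>
<EventData><Data Name='LogonType'>3</Data><Data Name='IpAddress'>::1</Data>
<Data Name='IpPort'>63717</Data></EventData></Event>"""

# Constructed: a failed network logon from a documentation-range address.
EVENT_4625 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4625</EventID>
<Keywords>0x8010000000000000</Keywords><Channel>Security</Channel></System>
<EventData><Data Name='LogonType'>3</Data><Data Name='IpAddress'>198.51.100.7</Data>
<Data Name='IpPort'>51234</Data></EventData></Event>"""


def parse_event(xml_text):
    """Return (event id, keywords as int, {Data Name: text}) from event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    keywords = int(root.find("e:System/e:Keywords", NS).text, 16)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, keywords, data


def shared_bits(a, b):
    return a & b


def loose_match(event_keywords, group_keywords):
    """The test quoted in the comment: any bit in common counts as a match."""
    return (event_keywords & group_keywords) != 0


def strict_match(event_keywords, group_keywords):
    """Every bit the group asks for must be set on the event."""
    return (event_keywords & group_keywords) == group_keywords


def is_remote_address(text):
    """False for '-' / empty (no network logon), loopback and unspecified addresses."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def classify(xml_text, group_keywords=AUDIT_FAILURE):
    """Show how one event fares under both tests and whether its source is remote."""
    event_id, keywords, data = parse_event(xml_text)
    return {
        "event_id": event_id,
        "loose": loose_match(keywords, group_keywords),
        "strict": strict_match(keywords, group_keywords),
        "remote_source": is_remote_address(data.get("IpAddress", "-")),
    }


if __name__ == "__main__":
    print(hex(shared_bits(AUDIT_FAILURE, AUDIT_SUCCESS)))
    print(classify(EVENT_4624))
    print(classify(EVENT_4625))
```

Under the loose test the 4624 from ::1 is a "failure" and its loopback source would be handed to the firewall; under the strict test it is ignored, and the 4625 from a remote address is the only event that both matches and has a source worth banning.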

Brian Stilts
Guest
Brian Stilts

I tried to set up IPBan for a customer last night that was experiencing a brute force attack against his Windows 2003 SBS server. The software seemed to download and unzip fine, but when I would try to start the service it would immediately fail with an unhandled exception error. I saw another post that referenced a possible issue with using the Microsoft built in unzip software, so I tried 7Zip as well but got the same result. When I unzipped the program I copied all the files into the System32 folder for easy access. Until I can get your software…

Steven R.
Guest
Steven R.

Greetings, I am trying to get a regex to match a keyword through regex, and I looked at the website and RegexBuddy, where I do get a match in files, but I do keep getting “No regex, so counting as a match” instead, from the line I’m trying to match :/ I do not see where the expression is wrong… :/ Does the Expression whitelist allowed IP addresses? My target is the keyword “tware” in this line – “Date”|INFO|FileLogger|Processing xml: 18456040x9000000000000036531434ApplicationCT55785tware Reason: Password did not match that for the login provided. [CLIENT: XXX]184800000E0000001300000043005400350035003700380035005C00530051004C0045005800500052004500530053000000070000006D00610073007400650072000000 I have used following expressions:…
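Keith's MySQL "Access denied for user 'root'@'41.132.172.189'" line (earlier in the comments) and the MSSQL 18456 "[CLIENT: …]" line Steven quotes need different extraction regexes, and whatever is captured has to be validated as an address before it goes near a firewall rule. Below is an added Python illustration (not IPBan's code and not its configuration format) of one regex per source with that validation; Keith's line is quoted as-is, the other sample lines are constructed, and the client address in the MSSQL sample is a documentation-range placeholder standing in for the "XXX" Steven redacted.

```python
"""Extract the client IP from MySQL and MSSQL failed-login messages.
Constructed example, not IPBan's code or config format."""
import ipaddress
import re

# Sample <Data> texts. The first is the MySQL line quoted in Keith's comment;
# the rest are constructed, in the message shapes the two servers produce.
SAMPLES = [
    "Access denied for user 'root'@'41.132.172.189' (using password: YES)",
    "Login failed for user 'sa'. Reason: Password did not match that for the login "
    "provided. [CLIENT: 198.51.100.23]",
    "Login failed for user 'sa'. [CLIENT: <local machine>]",
    "Access denied for user 'admin'@'2001:db8::1' (using password: NO)",
    "Access denied for user 'root'@'localhost' (using password: YES)",
]

# One extraction regex per log source; each has a single capture group.
EXTRACTORS = [
    ("mysql", re.compile(r"'@'(?P<ip>[^']+)'")),                      # 'user'@'host'
    ("mssql", re.compile(r"\[CLIENT:\s*(?P<ip>[0-9A-Fa-f.:]+)\]")),   # [CLIENT: a.b.c.d]
]


def extract_ip(text):
    """Return the first captured value that parses as an IPv4/IPv6 address, else None.
    Host names ('localhost', '<local machine>') are rejected, not banned."""
    for _source, pattern in EXTRACTORS:
        m = pattern.search(text)
        if not m:
            continue
        try:
            return str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue                     # captured text was not an address
    return None


def extract_all(lines):
    """Addresses found across many event data lines, in order, skipping misses."""
    return [ip for ip in (extract_ip(line) for line in lines) if ip is not None]


if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_ip(line), "<-", line)
```

The validation step matters more than the regex: a loose pattern that captures "localhost" or the text inside "<local machine>" would otherwise hand a non-address to the firewall layer, which fails at best and, for address-like garbage, bans the wrong thing at worst.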

Ganesh
Guest
Ganesh

Hi there,
Your service rocks! But it’s creating huge log files (log0.txt etc)! Is there a way to stop it? I referred to the NLog API and found that by setting internalLogLevel = “Fatal”, the size of the logs could be reduced. Is this fine?
And to disable logging entirely, I’d disabled the entire line below:

Is this the right way?

Ganesh
Guest
Ganesh

The blogging software isn’t parsing the line correctly. I’d disabled the below line:
target name="logfile" xsi:type="File" fileName="${basedir}\logfile.txt" archiveNumbering="Sequence" archiveEvery="Day" maxArchiveFiles="1"

Igor
Guest
Igor

Hello!

How can I download the latest binaries? From GitHub I can get only source files.

Thank you!