IPBan – The Simplest Way to Block Hackers and Bot Nets





Is your server getting hacked? Do you need to block IP addresses automatically? Dealing with a brute force attack? Don’t want to spend your life savings on SysPeace or other overpriced security software? IPBan is for you.

A while ago, I noticed a disturbing trend in the event viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the IP address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the Windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This actually caused significant CPU (10%+) and disk IO as the event viewer continually wrote failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free (if you install it yourself) tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses as found in the event log for audit-failure events. It is very configurable as well.

Features include:
– Unlimited number of IP addresses to ban
– Duration to ban IP address
– Number of failed login attempts before ban
– Whitelist of comma-separated IP addresses or regex to never ban
– Blacklist of comma-separated IP addresses or regex to always ban
– Custom prefix to Windows Firewall rules
– Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
– Refreshes config so no need to restart the service when you change something
– Highly configurable, ban anything that comes through Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or SysPeace
– Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
– Runs on Linux and Windows
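
The features above combine an event-log parser, a failure threshold and a whitelist. As an added illustration (not IPBan's own code), this Python sketch pulls the source address out of constructed Security event 4625 (failed logon) records with an XPath query and applies a threshold of 5; the function names, sample events and addresses are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def event_xml(ip, user, event_id="4625", logon_type="10"):
    """Build a trimmed, constructed Security log record (4625 = failed logon)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )

# Constructed sample input; addresses are from the documentation ranges.
SAMPLE_EVENTS = (
    [event_xml("203.0.113.7", "administrator")] * 6      # repeated failures over RDP
    + [event_xml("198.51.100.4", "alice")] * 2           # a user mistyping a password
    + [event_xml("198.51.100.4", "alice", "4624")] * 5   # successful logons: not counted
    + [event_xml("192.0.2.10", "backup")] * 9            # noisy but trusted host
    + [event_xml("-", "svc", logon_type="2")]            # local failure, no address
)

def failed_login_ip(xml_text):
    """Return the source IP of a 4625 record, or None for other events or no address."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    ip = root.findtext("e:EventData/e:Data[@Name='IpAddress']", namespaces=NS)
    return ip if ip and ip != "-" else None

def ips_to_ban(events, threshold=5, whitelist=frozenset()):
    """Count failures per source IP; return IPs at or over the threshold, minus the whitelist."""
    counts = Counter(ip for ip in map(failed_login_ip, events) if ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in whitelist)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_EVENTS, whitelist={"192.0.2.10"}))  # ['203.0.113.7']
```

Only audit-failure records with a usable address reach the counter, so successful logons and local failures never push an address toward the threshold.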

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.

I am also willing to do contracting work to improve IPBan if it doesn’t fit your needs or to help you set it up on your servers. Please email me at [email protected] if you would like paid services.

*INSTRUCTIONS*: https://github.com/jjxtra/IPBan





Need help configuring IPBan? I’m happy to help with simple questions. For more involved assistance, I do consulting. Please email me at [email protected] and I’d be happy to consider your proposal.

Testimonials:

A few days ago I was checking the event logs for my server that hosts a MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily set up a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

– Jim

Bravo! This is a masterpiece!

– Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

– Matt C

Comments:

Greg

Hello Jeff, I want to test your great software on a Server 2008R2, but I get an error in the logfile when I start the service, maybe caused by the server’s language, which is French. I paste the logfile; can you help tell me what the problem is, please?

[logfile]
2014-04-17 16:37:33.2560|INFO|FileLogger|Started IPBan service
2014-04-17 16:37:33.3184|ERROR|FileLogger|System.OverflowException: Impossible d’analyser TimeSpan, car au moins l’un des composants numériques se situe en dehors de la plage ou contient trop de chiffres.
   à System.Globalization.TimeSpanParse.TimeSpanResult.SetFailure(ParseFailureKind failure, String failureMessageID, Object failureMessageFormatArgument, String failureArgumentName)
   à System.Globalization.TimeSpanParse.ProcessTerminal_HMS_F_D(TimeSpanRawInfo& raw, TimeSpanStandardStyles style, TimeSpanResult& result)
   à System.Globalization.TimeSpanParse.ProcessTerminalState(TimeSpanRawInfo& raw, TimeSpanStandardStyles style,…

DJ

I completely forgot about that option. I’m pretty sure that should take care of it.

Thanks!

DJ

I had to modify the rules I had in place after a mixup with an IP address being blocked. When I tried to start everything back up I found that the firewall rule wasn’t there anymore.

I actually have it running on two servers with identical configs and one of them is doing just fine.

It’s been about 9 months since I’ve had to make any changes to the setup; am I forgetting one of the steps here or overlooking something obvious?

Thanks!

Aaditya

Does it block brute force to IIS FTP?

Sam Filler

Jeff,

This looks great, I want to use it for failed IIS logins and 404 file not found errors.

Any direction you can give me?

I am using 2008 with IIS8

Ziginox

I made a class for UltraVNC http://pastebin.com/y8sW9b97

Zoe

Hi JJxtra,
Thanks a lot for your previous answers.

In my local test server, and in IPBan.exe.config,

I want to ALLOW IPs from 192.168.0.[3-4] and also all IPs starting with 192.168.1.*
<add key="WhitelistRegex" value="192\.168\.1\.*|192\.168\.0\.3-4" />

But I want to BLOCK all others
<add key="BlacklistRegex" value="*.*.*.*" />

Unfortunately, I can access by Remote Desktop with IP 192.168.0.2

Did I make a mistake somewhere?

Zoe

Zoe

Hi JJxtra,

In IPBan.exe.config,

Let’s assume I want the following 3 RANGES of IPs to be Allowed
<add key="WhitelistRegex" value="62.235.*.*|80.236.*.*|81.11.*.*" />

and All Others to be Blocked
<add key="BlacklistRegex" value="*.*.*.*" />

Are both syntaxes correct?

Kind Regards, Zoe
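
Both of Zoe's comments above ask whether these WhitelistRegex and BlacklistRegex values do what was intended. As an added illustration (not IPBan's code and not part of the original thread), this Python check runs the posted values against constructed probe addresses; it assumes the value is applied as an unanchored regular-expression search, and the constructs involved behave the same in Python's `re` and the .NET regex engine. The `FIXED_*` and `ANY_IPV4` patterns are suggestions added here.

```python
import re

# Values exactly as posted in the two comments above.
POSTED_WHITELIST_1 = r"192\.168\.1\.*|192\.168\.0\.3-4"
POSTED_WHITELIST_2 = r"62.235.*.*|80.236.*.*|81.11.*.*"
POSTED_BLACKLIST = "*.*.*.*"

# Anchored rewrites of the stated intent (added here, not from the page).
FIXED_WHITELIST_1 = r"^192\.168\.(1\.\d{1,3}|0\.[34])$"
FIXED_WHITELIST_2 = r"^(62\.235|80\.236|81\.11)\.\d{1,3}\.\d{1,3}$"
ANY_IPV4 = r"^\d{1,3}(\.\d{1,3}){3}$"

# Constructed probe addresses: intended hits plus near misses.
PROBES_1 = ["192.168.0.2", "192.168.0.3", "192.168.0.4", "192.168.1.20", "192.168.17.9"]
PROBES_2 = ["62.235.10.1", "80.236.0.9", "162.235.1.1", "81.110.5.5", "203.0.113.5"]

def compiles(pattern):
    """True if the value is a syntactically valid regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def matched(pattern, ips):
    """Addresses hit by an unanchored search (the assumed, loosest way to apply it)."""
    rx = re.compile(pattern)
    return [ip for ip in ips if rx.search(ip)]

if __name__ == "__main__":
    print("'*.*.*.*' is a valid regex:", compiles(POSTED_BLACKLIST))
    for label, pattern, probes in [
        ("posted whitelist 1", POSTED_WHITELIST_1, PROBES_1),
        ("fixed whitelist 1 ", FIXED_WHITELIST_1, PROBES_1),
        ("posted whitelist 2", POSTED_WHITELIST_2, PROBES_2),
        ("fixed whitelist 2 ", FIXED_WHITELIST_2, PROBES_2),
        ("any IPv4          ", ANY_IPV4, PROBES_1),
    ]:
        print(label, "->", matched(pattern, probes))
```

The posted whitelists miss 192.168.0.3 and 192.168.0.4 yet admit 192.168.17.9, 162.235.1.1 and 81.110.5.5, because `\.*` means "zero or more dots", `3-4` is literal text outside a character class, and an unescaped `.` matches any character. `*.*.*.*` is a file-glob form rather than a regex: the leading `*` has nothing to repeat, so the pattern does not compile.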

 

Zoe

Hi,

My dedicated server is located in the United States, but I want to access it from Europe also by REMOTE ACCESS.

Does your software block that possibility?

Kind Regards,

Zoe

Michael

Thank you for this great software. I use Windows 2008 R2. I want to change to Windows Server 2012R2 Datacenter Edition (64 bit). Does support for 2008+ also mean Windows Server 2012?

 

David

Does it help stop Event 4625, Logon type 10 attacks? The IP is in the event notice.

RobertW

Sorry, this seems to have gone; what I wanted to say is how does the BanTime affect the Blacklist?
"BanTime" value="01:00:00:00"

RobertW

We were under the impression that it will be gone after this time is reached.

RobertW

Hello,

We are trying to test this; however, it never removes the IP address from the Blacklist. Could you assist us and let us know under what conditions it will be removed?

rich

Excuse my ignorance…wondering if it is possible for this service to also block unsuccessful FTP attempts on an IIS FTP server?

 

 

Nicolas KAROLAK

Hi, just a little question, does it also work on Windows 7?

Thanks for this great application 🙂

rich

Since we have made the necessary changes to the GPO to get this service working (NTLM etc.) we now show a list of all user accounts to anyone who tries to RDP – before any credentials are sent. Is there a trick to removing/limiting the accounts that are shown here?

Thanks

rich

I totally missed that you fixed this so quickly.

Initially it seems you have corrected the problem. Thanks!

rich

I’m not sure if this falls into the same area as the last post. I have noticed that IP addresses that are not in the whitelist seem to trigger the failed login attempt tally even upon successful login.

I would add these computers to the whitelist but unfortunately they are not static IPs. Is there something that my config is missing to only increment failed logins or is this the intended behaviour?

Thanks again btw…really appreciate you sharing this tool 🙂

Spamme

Thanks for the reply (the reply button doesn’t work in IE too). I tried to add my username in the AllowedUserNames section of the configuration but it didn’t work; the IP6 still gets banned. If I’m not wrong, you check the allowed user names in the ShouldBanUserNameAfterFailedLoginAttempt method, which is used in the IsBlackListed method, which is used in the ProcessIPAddress method. Although the IsBlackListed returns false, the ipBlockCount has already been incremented by one and with a FailedLoginAttemptsBeforeBan equal to one the IP gets banned in any case.