IPBan – The Simplest Way to Block Hackers and Bot Nets

Is your server getting hacked? Do you need to block IP addresses automatically? Dealing with a brute force attack? Don’t want to spend your life savings on SysPeace or other overly priced security software? IPBan is for you.

A while ago, I noticed a disturbing trend in the Event Viewer on one of our dedicated Windows servers: thousands of failed login attempts to Terminal Services (Remote Desktop). I decided to enable the Terminal Services auto-ban, so after 5 failed login attempts the IP address would get banned for 24 hours. This only solved part of the problem, because the attacker kept flooding the server with requests, causing the Windows logon process (csrss.exe kept appearing and disappearing in Task Manager) to continually spin up and shut down. That alone caused significant CPU load (10%+) and disk I/O as the Event Viewer continually wrote failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to write a free (if you install it yourself) tool in C# to auto-ban IP addresses. This tool is constantly improving. Right now it can block IP addresses found in the event log for audit-failure events, and it is very configurable.

Features include:
– Unlimited number of IP addresses to ban
– Configurable duration to ban an IP address
– Configurable number of failed login attempts before a ban
– Whitelist of comma separated IP addresses or regex to never ban
– Blacklist of comma separated IP addresses or regex to always ban
– Custom prefix for the Windows Firewall rules it creates
– Custom keywords, XPath and Regex to parse Event Viewer logs for failed login attempts
– Refreshes its config automatically, so no need to restart the service when you change something
– Highly configurable: ban anything that comes through the Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
– Ships with configuration to block Remote Desktop, Microsoft SQL Server and MySQL Server failed login attempts by default
– Runs on Linux and Windows

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.

I am also willing to do contracting work to improve IPBan if it doesn’t fit your needs or to help you set it up on your servers. Please email me at [email protected] if you would like paid services.

*INSTRUCTIONS*: https://github.com/jjxtra/IPBan

Need help configuring IPBan? I’m happy to help with simple questions. For more involved assistance, I do consulting. Please email me at [email protected] and I’d be happy to consider your proposal.

Testimonials:

A few days ago I was checking the event logs for my server that hosts a MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily set up a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

– Jim

Bravo! This is a masterpiece!

– Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

– Matt C

372 comments on “IPBan – The Simplest Way to Block Hackers and Bot Nets”
  1. Dan Brown says:

    I would gladly donate once I have figured out how it works. I am not a programmer. One thing I did learn was that I have been looking for a reason why my customer’s scanner would scan to any workstation but not the server. Eventually I found the scanner IP address in the firewall IPBan rule but was puzzled as to how it got there, because it scans using port 445 and not 3389.

    I would gladly also contribute to development of a GUI for us self-taught people. It is obviously working, as I see a list of banned IP addresses in the firewall growing, but I can’t figure out how to create a whitelist. Also, like FileZilla Server, one amazing feature would be a Block All (i.e. the whole world) and in the Allow the following allow only the few staff members’ IP ranges (of their ISPs) to gain login. If you look in FileZilla Server you will see what I mean. Most small businesses and even medium ones have countries they never deal with; it would save a lot of time.

    In most cases it’s one or two people that remote in from home and the rest of the world must be blocked. Please put me on your mailing list as this product is great.

  2. Steve Ricketts says:

    I just downloaded the latest version.  I have tons of 5152 “Filtering Packet Drop” errors in the event log.  I’ve put the following in the IPBan.dll.config file:

    <!-- This group will block audit failures from failed login attempts to Windows -->
    <Group>
      <Source>RDP</Source>
      <Keywords>0x8010000000000000</Keywords>
      <Path>Security</Path>
      <Expressions>
        <Expression>
          <XPath>//EventID</XPath>
          <Regex>^(4625|5152)$</Regex>
        </Expression>
        <Expression>
          <XPath>//Data[@Name='IpAddress' or @Name='Workstation']</XPath>
          <Regex>
            <![CDATA[
            (?<ipaddress>.+)
            ]]>
          </Regex>
        </Expression>
      </Expressions>
    </Group>

    Why am I still getting those errors and why is IPBan not putting those IPs in the ban list?

    • jjxtra says:

      Please post raw xml from event viewer.


        • Steve Ricketts says:

          Maybe if I take off part of the tags they will show…
          <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
            <System>
              <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
              <EventID>5152</EventID>
              <Version>0</Version>
              <Level>0</Level>
              <Task>12809</Task>
              <Opcode>0</Opcode>
              <Keywords>0x8010000000000000</Keywords>
              <TimeCreated SystemTime="2019-01-10T11:52:43.914718600Z" />
              <EventRecordID>22470986</EventRecordID>
              <Correlation />
              <Execution ProcessID="4" ThreadID="88" />
              <Channel>Security</Channel>
              <Computer>Eterna</Computer>
              <Security />
            </System>
            <EventData>
              <Data Name="ProcessId">0</Data>
              <Data Name="Application">-</Data>
              <Data Name="Direction">%%14592</Data>
              <Data Name="SourceAddress">176.119.4.49</Data>
              <Data Name="SourcePort">55188</Data>
              <Data Name="DestAddress">192.168.100.2</Data>
              <Data Name="DestPort">5002</Data>
              <Data Name="Protocol">6</Data>
              <Data Name="FilterRTID">103153</Data>
              <Data Name="LayerName">%%14597</Data>
              <Data Name="LayerRTID">13</Data>
            </EventData>
          </Event>

      • Steve Ricketts says:

        Sorry… had to repost without “real” xml. Hopefully, you can delete the bad one below.
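To see how the XPath/Regex pairs from the config group above behave against the posted 5152 event, here is an added Python script (not IPBan's code and not from the thread) that applies them to trimmed event XML. It assumes IPBan only acts on a group when every one of its expressions matches, evaluates just the two XPath shapes that config uses, constructs a 4625 sample with a TEST-NET address, and tries an assumed variant that also reads the SourceAddress field a 5152 event carries.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed, trimmed sample events. The 5152 one reuses values from the post above;
# the 4625 one is invented and uses a TEST-NET address.
EVENT_5152 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID><Channel>Security</Channel></System>
  <EventData><Data Name="SourceAddress">176.119.4.49</Data><Data Name="DestPort">5002</Data></EventData>
</Event>"""
EVENT_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Channel>Security</Channel></System>
  <EventData><Data Name="IpAddress">203.0.113.7</Data><Data Name="Workstation">-</Data></EventData>
</Event>"""

# The <Expression> pairs from the post, plus an assumed variant (not from the page)
# that also reads the SourceAddress field present in 5152 events.
GROUP_FROM_POST = [("//EventID", r"^(4625|5152)$"),
                   ("//Data[@Name='IpAddress' or @Name='Workstation']", r"(?<ipaddress>.+)")]
GROUP_WITH_SOURCE_ADDRESS = [("//EventID", r"^(4625|5152)$"),
                             ("//Data[@Name='IpAddress' or @Name='SourceAddress']", r"(?<ipaddress>.+)")]

XPATH_RE = re.compile(r"^//(\w+)(?:\[(.+)\])?$")

def select_text(root, xpath):
    """Evaluate only the XPath shapes the config uses: //Tag, optionally [@Name='a' or @Name='b']."""
    m = XPATH_RE.match(xpath)
    if not m:
        raise ValueError("unsupported xpath: " + xpath)
    tag, predicate = m.groups()
    wanted = set(re.findall(r"@Name='([^']*)'", predicate)) if predicate else None
    return [el.text or "" for el in root.iter(NS + tag)
            if wanted is None or el.get("Name") in wanted]

def extract_ip(event_xml, group):
    """Return the captured ipaddress when every expression matches, else None.
    Assumption: IPBan treats a group as matched only if all its expressions match."""
    root = ET.fromstring(event_xml)
    ip = None
    for xpath, pattern in group:
        pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)  # .NET named group -> Python syntax
        hits = [m for m in (re.search(pattern, t) for t in select_text(root, xpath)) if m]
        if not hits:
            return None  # no node satisfied this expression, so the group does not fire
        for m in hits:
            if ip is None and m.groupdict().get("ipaddress"):
                ip = m.group("ipaddress")  # first capture wins
    return ip
```

With the group as posted, the 4625 sample yields 203.0.113.7 but the 5152 sample yields None, because a 5152 event has no IpAddress or Workstation data field; the SourceAddress variant yields 176.119.4.49.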

  3. David Borneman says:

    Hi,

    First off, great tool!

    I am curious where this stores its list of banned IPs in order to maintain the firewall rules properly? I see no files being written in the application folder, and it obviously didn’t install a SQL database of any kind… is this stuff just held in memory?

    I am looking to hook in to that in some manner so that I can report those banned IPs to a master database, so I can identify IPs that are being banned multiple times and/or hitting multiple servers, so I can perma-ban those IPs in our hardware firewall.

    I thought to hook in to the firewall rule itself to get the scope data... that would give me the IPs, but not the banned date. I could work with that, but would much rather hook in to whatever database the tool itself is using so I can get that date as well 🙂

    TIA

    Dave

    • jjxtra says:

      Right now you would just query the firewall for any IPBan* rules. I will consider adding the text file back to make this easier for people who aren’t software developers.

  4. Hello,

    I would like to be able to block failed Outlook Web Access logon attempts.

    The default config file is not blocking these failed attempts.

    Regards

    VW

  5. Hello,

    I have downloaded v1_3_5

    I am using Windows

    I found a short tutorial here but I can’t find the entries mentioned in the tutorial with regards to logging and log rotation.

    Also, if you have plans for a GUI and a supported version, I would be interested in licensing details.

    Thank you

    VW

  6. Thiago says:

    Hello, how can I configure an email to be sent whenever I block or unlock an IP?

    • jjxtra says:

      This is not built in; you will have to hook into the ban process config item to send the email, or change the code. Paid version coming soon that will offer this and much more.

  7. Peter says:

    One more question: how do I remove any IP from the banned IP list? How do I control it? Where is it? I can’t see any file created, only log files.

    • jjxtra says:

      Add a whitelist entry in config file. IPBan.dll.config.

      • Peter says:

        I know about whitelist, I was rather concerned with the location of this list. I found that it just modifies the rules of the built-in firewall in Windows. That’s what it was all about, I’m still testing, but now I think I already know everything, it seems that everything works as it should. Thanks!

  8. Michael Blackmore says:

    Hi

    Great tool, thank you, using on Win10/RDP.

    I cannot find any documentation that says which config file to edit, and how; maybe even examples for whitelisting IPs etc.

    Can we reference a text file, say whitelist.txt?

    thanks

  9. Peter says:

    I need to monitor RDP traffic in Windows 2012. Downloaded the latest 1.3.1 but nothing happens (just “Press ENTER to quit”).

    What should the configuration file for Windows look like?

    By default it was:

    LogFile: Source = SSH,  PathAndMask = /var/log/…

    but it is for Linux SSH… what about  RDP/Windows?

    • jjxtra says:

      Log level is warn by default, so it won’t write anything to screen unless there is a ban, so it is probably working fine. No need for log files on Windows; it uses Event Viewer by default.

      • Peter says:

        So, the LogFilesToParse part is not necessary? When I remove it, the program crashes. If I leave it as it was by default, the program does not start either (“there is no C:\var\log” error); if I leave PathAndMask empty, the program starts but nothing happens. I made an attempt to log in incorrectly; the program did not say anything.

        • jjxtra says:

          Looks like I need a null check. For now keep it as is or leave it as a minimum:

          <LogFilesToParse><LogFiles></LogFiles></LogFilesToParse>

          • Peter says:

            I put empty tags as above (LogFilesToParse), the program starts without errors but still, just “Press ENTER to quit”. Nothing happens even if I test from another machine logging in 5 times to the server with a wrong password. Log level is set to Info in console. Everything is set as in the step-by-step instructions. What else can I check? (Windows 2012 R2 Standard)

            • jjxtra says:

              Redownload to ensure default installation. Make sure to right click on all files and select unblock. Make sure to run as administrator. Can test by opening admin command prompt and running “IPBAN.EXE”.

              • Peter says:

                Oops… It looks like I forgot to run the console as admin to test it (I was sure that it runs on the admin account; does it work as admin by default?)… now I run PowerShell as admin and it looks like it works. Great, thanks for your help!

  10. Clinton Fung says:

    Tried to run IPBan.exe but the console just comes back with “Press ENTER to quit”:

    “C:\IPBan>IPBan.exe debug
    Press ENTER to quit”

    On both Windows Server 2012 R2 and Windows 10 (1803).
