IPBan – The Simplest Way to Block Hackers and Bot Nets




IPBan for Windows Donation

Is your server getting hacked? Do you need to block ip addresses automatically? Dealing with a brute force attack? Don’t want to spend your life savings on SysPeace or other overly priced security software? IPBan is for you.

A while ago, I noticed a disturbing trend in the event viewer on one of our dedicated Windows servers. We were getting thousands of failed login attempts to terminal services (remote desktop). I decided I would enable the terminal services auto-ban, so after 5 login attempts the ip address would get banned for 24 hours. This only solved part of the problem, as the attacker continued to flood our server with requests, causing the windows logon process (csrss.exe kept appearing and disappearing in task manager) to continually spin up and shut down. This actually caused significant CPU (10%+) and disk IO as the event viewer continually wrote failed login attempts.

After searching the Interwebs for a better way, I did not find anything that I liked or that didn’t spike my CPU usage, so I decided to make a free (if you install it yourself) tool in C# to auto-ban ip addresses. This tool is constantly improving. Right now it can block ip addresses as found in the event log for audit-failure events. It is very configurable as well.

Features include:
– Unlimited number of ip addresses to ban
– Duration to ban ip address
– Number of failed login attempts before ban
– Whitelist of comma separated ip addresses or regex to never ban
– Blacklist of comma separated ip addresses or regex to always ban
– Custom prefix to windows firewall rules
– Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
– Refreshes config so no need to restart the service when you change something
– Highly configurable, ban anything that comes through Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
– Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
– Runs on Linux and Windows

If you found IPBan useful, would you consider helping support the project by donating? Thank you for your consideration.

I am also willing to do contracting work to improve IPBan if it doesn’t fit your needs or to help you set it up on your servers. Please email me at [email protected] if you would like paid services.

*INSTRUCTIONS*: https://github.com/jjxtra/IPBan




Windows IPBan Donation

Need help configuring IPBan? I’m happy to help with simple questions. For more involved assistance, I do consulting. Please email me at [email protected] and I’d be happy to consider your proposal.

Testimonials:

A few days ago I was checking the event logs for my server that hosts a MSSQL DB. I could see that I was under attack by a port scanner (changing IP addresses for each attack ‘period’). I know I should not have MSSQL exposed to the world but the users are remote so it was the easiest solution for me. Anyway, I came across IPBAN. Because of the concise directions on your Git repository I was able to easily setup a service. The results were immediate, as the banlog.txt file had an entry immediately after starting the service, thus putting an end to the current attack. The purpose of this email is simply to express my gratitude for developing the program. The people responsible for the attack are the lowlifes of the internet while you are on the complete opposite side of the scale! Thank you, thank you, thank you for the help.

– Jim

Bravo! This is a master piece!

– Periklis

Really a neat tool. This really works as advertised, and wow does it cut down on the noise. Your code structure made it really easy as well to add a couple lines to immediately ban non-US IPs (using a 3rd party geocoding service). Thanks for this great tool.

– Matt C

Sign up for the IPBan Mailing List




Windows IPBan Donation
0 0 vote
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

404 Comments
Inline Feedbacks
View all comments
Patrick
28 days ago

Your IPBan solution is awesome!!!
I’ve been using IPBan for quite some time now and I just installed the Pro version, which saves me a lot of configuration on different servers.

I will certainly make a donation.

Keep up the good work !!

docbt
docbt
4 months ago

Hi guys! I need help with windows event viewer logs. I can´t get it to work and I don´t know why. I would like two add two things: VPN and SVN login attempts. 1. VPN: VPN 0x80000000000000 System //EventID ^20271$ //Provider[@Name=’RemoteAccess’] //Data //Data <![CDATA[ (?.*?) ]]> //Data <![CDATA[ (?.+) ]]> //Data //Data event log xml looks like this for example: 20271 3 0 0x80000000000000 424153 System server.domain.com {NA} Admin 123.123.123.123 Die Remoteverbindung wurde verweigert, weil die angegebene Kombination aus Benutzername und Kennwort nicht erkannt wird oder das ausgewählte Authentifizierungsprotokoll nicht für den RAS-Server zulässig ist. 0x10 B3020000 2.SVN SVN 0x80000000000000… Read more »

docbt
docbt
4 months ago
Reply to  jjxtra

Hi jjxtra!

Thx. I created an issue.

https://github.com/DigitalRuby/IPBan/issues/89

Greetings doc

steve
steve
5 months ago

this dead?

steve
steve
5 months ago
Reply to  jjxtra

Thanks! /releases link helped! Amazing work, testing it out now.
Where can i find what “pro” does ?

1 6 7 8