RDP2Ban – Fail2Ban für Remotedesktop

Da sich im Moment die BruteForce-Angriffe auf einen (ja… es geht nicht anders) offenen Remotedesktop stark häufen, habe ich ein kleines Powershell-Script vorbereitet, welches wie bei Fail2Ban solche Logins in die Firewall schreibt.

Das Script muss in die Aufgabenplanung eingetragen werden. Ganz nach eigenem Belieben.

Die Parameter / Variablen sind eigentlich selbsterklärend.

<#
.DESCRIPTION
  Count failed RDP sessions (username / password missmatch)
  by IP-Address.
  If the adjustable threshold is exceeded, 
  the address is entered in the firewall.
  After a certain time the entry will be deleted.

.NOTES
  Version:        1.0
  Author:         Bjoern Weis
  Creation Date:  2019-05-21
  Purpose/Change: Initial script development
#>

$storageBasePath = "HKLM:\SOFTWARE"
$storageName = "RDP2Ban"
$itemStorageName = "Items"

$failGraceTries = 2
$failGraceMinutes = 60*12
$failLookbackMinutes = 60*12


$combinedStoragePath = $storageBasePath+"\"+$storageName
$combinedItemPath = $combinedStoragePath+"\"+$itemStorageName
Write-Host -ForegroundColor Yellow $combinedStoragePath
Write-Host -ForegroundColor Yellow $combinedItemPath


if(!(Test-Path -Path $combinedStoragePath)){
    New-Item -ItemType Directory -Path $storageBasePath -Name $storageName
}

if(!(Test-Path -Path $combinedItemPath)){
    New-Item -ItemType Directory -Path $combinedStoragePath -Name $itemStorageName
}

$starttime = (Get-Date).AddMinutes(0 - $failLookbackMinutes)

$events = Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational";level=3;starttime=$starttime}
foreach($event in $events){
  if($event.Opcode -eq 14){
    $ipaddr = $event.Properties[0].Value;
    $ipPath = $combinedItemPath+"\"+$ipaddr
    if(!(Test-Path -Path $ipPath)){
        New-Item -ItemType Directory -Path $combinedItemPath -Name $ipaddr
    }
    
    if(!((Get-Item -Path $ipPath).GetValue($event.TimeCreated) -ne $null)){
        New-ItemProperty -Path $ipPath -Name $event.TimeCreated -PropertyType "DWORD" -Value 0
    }
    
  }
}

$failItems = Get-ChildItem -Path $combinedItemPath

$bannedIPs = @("0.0.0.1")

$currentGrace = (Get-Date).AddMinutes(0 - $failGraceMinutes);
foreach($item in $failItems){
    $ipaddr = $item.PSChildName
    Write-Host -ForegroundColor Magenta $ipaddr
        
    $failCount = 0
    foreach($failure in $item.GetValueNames()){      
       if($currentGrace -lt $failure){
            Write-Host -ForegroundColor Gray $failure
            $failCount++
       }
       
    }
    if($failCount -gt $failGraceTries){
        Write-Host -ForegroundColor DarkRed $failCount $ipaddr
        $bannedIPs += $ipaddr
    }

}


if(!((Get-NetFirewallRule -DisplayName "RDP2Ban") -ne $null)){
    New-NetFirewallRule -DisplayName "RDP2Ban" -Action Block -Profile Any -Direction Inbound -Protocol Any -RemoteAddress $bannedIPs 
    Write-Host -ForegroundColor Yellow "FW Add"
} else {
    $storedBannedIPs = (Get-NetFirewallRule -DisplayName "RDP2Ban" | Get-NetFirewallAddressFilter).RemoteAddress
    $diffCount = (Compare-Object -ReferenceObject $bannedIPs -DifferenceObject $storedBannedIPs).Count
    Write-Host -ForegroundColor Green "ObjDiff" $diffCount
    if(($diffCount -gt 0) -or ($diffCount -eq $null)){
        Write-Host -ForegroundColor Yellow "FW Set"
        Set-NetFirewallRule -DisplayName "RDP2Ban" -RemoteAddress $bannedIPs
    }
}

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.