BanIPScriptWinFW.ps1
# Record everything this run prints into the ban log. -Append keeps earlier
# runs; -NoClobber is also set (refuses to overwrite an existing file) — confirm
# the two switches behave as intended together on the target PowerShell version.
Start-Transcript -Path "C:\swinst\BannedIPsLog.txt" -Append -NoClobber

# Newest failed-logon event (ID 4625) in the Security log. Get-EventLog is a
# Windows PowerShell cmdlet; it is not available in PowerShell 7+, where
# Get-WinEvent exposes the same data through .Properties rather than
# .ReplacementStrings.
$events = Get-EventLog -LogName Security -Newest 1 -InstanceId 4625

# 4625 replacement-string layout used by this script:
#   index 0 = SubjectUserSid, 5 = TargetUserName, 19 = IpAddress.
# One multiple assignment from an index list replaces three separate lookups.
$TargetUserName, $SubjectUserSid, $IpAddress = $events.ReplacementStrings[5, 0, 19]
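#######################################
# Decide whether a Security 4625 (failed logon) event came from a remote source
# and is eligible for blocking.
#
# Arguments:
#   $event - an event entry whose ReplacementStrings follow the 4625 layout
#            (index 0 = SubjectUserSid, 5 = TargetUserName, 19 = IpAddress).
#            NOTE: $Event is also a PowerShell automatic variable; the name is
#            kept because callers pass it positionally, but a rename would
#            avoid PSScriptAnalyzer warnings.
# Outputs:
#   $true when ALL of the following hold, otherwise $false:
#     - the target account does not match the hard-coded "myregularaccount"
#       exemption. Be aware that this means failed logons against that account
#       are never blocked, so the exemption should stay as narrow as possible.
#     - SubjectUserSid is S-1-0-0 (the NULL SID), i.e. no already-authenticated
#       local subject initiated the attempt.
#     - IpAddress is present ("-" is what the event carries when no source
#       address was recorded) AND parses as an IPv4/IPv6 address. The parse
#       check is new: it keeps malformed or empty values out of the
#       New-/Set-NetFirewall* calls, which would otherwise error out mid-run.
#######################################
function Check-ForExternalLogon($event) {
    $targetUser = $event.ReplacementStrings[5]
    $subjectSid = $event.ReplacementStrings[0]
    $sourceIp   = $event.ReplacementStrings[19]

    $isExempt  = $targetUser -like "*myregularaccount*"
    $isNullSid = $subjectSid -eq "S-1-0-0"

    # [string] cast turns $null into "" so TryParse fails cleanly instead of throwing.
    $parsed = $null
    $hasSource = ($sourceIp -ne "-") -and
                 [System.Net.IPAddress]::TryParse([string]$sourceIp, [ref]$parsed)

    Write-Output ((-not $isExempt) -and $isNullSid -and $hasSource)
}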
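# Main flow. Presumably run once per 4625 event (e.g. from a task trigger);
# $events/$TargetUserName/$SubjectUserSid/$IpAddress are set at the top of the file.
#
# Fixes relative to the previous version:
#   - The old code used `break` after creating the rule and `continue` on a
#     duplicate address. Neither sits inside a loop, so at script scope they
#     terminate the script, skipping Stop-Transcript. Both paths are now plain
#     if/else branches and the transcript is closed in a finally block.
#   - The rule is looked up once and reused instead of being queried three times.
#   - The manual copy loop is replaced by @(...), which also handles the case
#     where the filter holds a single address (a scalar, not an array).
$ruleName = "TTYE - Block Bad RDP Attempts"

try {
    if (Check-ForExternalLogon $events) {
        Write-Host "Bad Logon Attempt Detected : $(Get-Date)" -ForegroundColor Red
        Write-Host "Username : $TargetUserName"
        Write-Host "SubjectUserSid : $SubjectUserSid"
        Write-Host "IpAddress : $IpAddress"
        Write-Host ""
        Write-Host "Blocking IP $IpAddress..."

        # Existing block rule, if any. SilentlyContinue turns "not found" into $null.
        $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

        if (-not $rule) {
            # First offender: create the inbound block rule with this address as its
            # only remote address. Later runs extend the rule's address filter.
            Write-Host "RDP blocking firewall rule not found. Creating rule."
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -RemoteAddress $IpAddress | Out-Null
        }
        else {
            # @() guarantees an array even when RemoteAddress is a single string.
            $blockAddressList = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

            # -contains is case-insensitive, so IPv6 hex-case variants count as
            # duplicates rather than being added twice.
            if ($blockAddressList -contains $IpAddress) {
                Write-Host "WARNING: IpAddress $IpAddress already found in Blocked List!!!!" -ForegroundColor Magenta
            }
            else {
                $blockAddressList += $IpAddress
                Write-Host "Modifying Rule to block IP Address: $IpAddress" -ForegroundColor Green
                # Rewrites the whole remote-address list; concurrent runs of this
                # script could overwrite each other's additions (not handled here).
                $rule | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress Any -RemoteAddress $blockAddressList
            }
        }
    }
}
finally {
    # Always close the transcript, on every exit path above.
    Stop-Transcript
}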