app.config

<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="ExpressionsToBlock" type="IPBan.ExpressionsToBlockConfigSectionHandler, IPBan" />
    <section name="nlog" type="NLog.Config.ConfigSectionHandler, NLog"/>
  </configSections>

  <!--
    Setup expressions to block
    You may specify the keywords to look for as well as an array of ExpressionsToBlockGroup objects.
    In each group there is xpath and a regex.
    All must match in the event for it to be filtered, and at least one regex must have an ipaddress group to pull out the ip address to block.
  -->
  <ExpressionsToBlock>
    <Groups>

      <!-- This group will block audit failures from failed login attempts to Windows -->
      <Group>
        <Keywords>0x8010000000000000</Keywords>
        <Path>Security</Path>
        <Expressions>
          <Expression>
            <XPath>//Data[@Name='IpAddress']</XPath>
            <Regex>
              <![CDATA[
                (?<ipaddress>.+)
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>

      <!-- This group will block audit failures from failed login attempts to Windows (Local network) -->
      <Group>
        <Keywords>0x8010000000000000</Keywords>
        <Path>Security</Path>
        <Expressions>
          <Expression>
            <XPath>//Data[@Name='Workstation']</XPath>
            <Regex>
              <![CDATA[
                (?<ipaddress>.+)
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>

      <!-- This group will block audit failures from failed login attempts to Microsoft SQL Server -->
      <Group>
        <Keywords>0x90000000000000</Keywords>
        <Path>System</Path>
        <Expressions>
          <Expression>
            <XPath>//Provider[@Name='MSSQLSERVER']</XPath>
            <Regex></Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                \[Client ?: ?(?<ipaddress>.*?)\]
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>
      <Group>
        <Keywords>0x90000000000000</Keywords>
        <Path>Application</Path>
        <Expressions>
          <Expression>
            <XPath>//Provider[@Name='MSSQLSERVER']</XPath>
            <Regex></Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                \[Client ?: ?(?<ipaddress>.*?)\]
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>

      <!-- This group will block audit failures from failed login attempts to MySQL Server -->
      <Group>
        <Keywords>0x80000000000000</Keywords>
        <Path>Application</Path>
        <Expressions>
          <Expression>
            <XPath>//Provider[@Name='MySQL']</XPath>
            <Regex></Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                Access denied for user .*?'@'(?<ipaddress>.*?)'
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>
      
      <!-- This group will block audit failures from MS Exchange -->
      <Group>
        <Keywords>0x80000000000000</Keywords>
        <Path>System</Path>
        <Expressions>
          <Expression>
            <XPath>//Provider[@Name='MSExchangeTransport']</XPath>
            <Regex></Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>LogonDenied</Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                (?<ipaddress>.+)
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>
      
      <!-- This group will block audit dropped packet failures from firewall drops to Windows -->
      <Group>
        <Keywords>0x8010000000000001</Keywords>
        <Path>Security</Path>
        <Expressions>
          <Expression>
            <XPath>//EventID</XPath>
            <Regex>^(4625|5152)$</Regex>
          </Expression>
          <Expression>
            <XPath>//Data[@Name='SourceAddress']</XPath>
            <Regex>
              <![CDATA[
              (?<ipaddress>.+)
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>
    
      <!-- This group will block audit failures from failed login attempts to phpMyAdmin Web Interface -->
      <Group>
        <Keywords>0x80000000000000</Keywords>
        <Path>Application</Path>
        <Expressions>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>phpMyAdmin</Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                user denied: .*?\(mysql-denied\) from ?(?<ipaddress>.*)
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>

      <!-- This group will block NTLM login failures in the Applications and Services Logs > Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log -->
      <Group>
        <Keywords>0x4000000000000000</Keywords>
        <Path>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Path>
        <Expressions>
          <Expression>
            <XPath>//Data[@Name='IPString']</XPath>
            <Regex>
              <![CDATA[
                (?<ipaddress>.+)
              ]]>
            </Regex>
          </Expression>
        </Expressions>
      </Group>
    
    </Groups>

  </ExpressionsToBlock>

  <nlog
    xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    throwExceptions="false"
    internalLogToConsole="false"
    internalLogToConsoleError="false"
    internalLogLevel="Trace"
  >
    <targets>
      <target name="logfile" xsi:type="File" fileName="${basedir}\logfile.txt" archiveNumbering="Sequence" archiveEvery="Day" maxArchiveFiles="28" encoding="UTF-8" />
      <target name="console" xsi:type="Console" />
    </targets>
    <rules>
      <logger name="*" minlevel="Info" writeTo="logfile" />
      <logger name="*" minlevel="Info" writeTo="console" />
    </rules>
  </nlog>

  <appSettings>

    <!-- Number of failed audits in the event viewer before banning the ip address -->
    <add key="FailedLoginAttemptsBeforeBan" value="5" />

    <!-- The duration of time to ban an ip address (DD:HH:MM:SS) - 00:00:00:00 for forever -->
    <add key="BanTime" value="01:00:00:00" />

    <!-- The file to store banned ip addresses in -->
    <add key="BanFile" value="banlog.txt" />

    <!-- True to clear and unban all the ip addresses in the ban file when the service restarts, false otherwise -->
    <add key="BanFileClearOnRestart" value="true" />

    <!-- The duration after the last failed login attempt that the ip is forgotten (count reset back to 0). Set to 00:00:00:00 to never forget an ip. (DD:HH:MM:SS) -->
    <add key="ExpireTime" value="00:00:30:00" />

    <!-- The time between cycles to do house-keeping such as un-banning ip addresses, reloading config, etc. (DD:HH:MM:SS) -->
    <add key="CycleTime" value="00:00:00:15" />

    <!--
    Rule prefix name for Windows Firewall rules, must contain only A-Z, 0-9 and _
    It is recommended to never change this
    -->
    <add key="RuleName" value="IPBan_BlockIPAddresses_" />

    <!-- Comma separated list of ip addresses OR DNS names that are never banned -->
    <add key="Whitelist" value="127.0.0.1,::1,0.0.0.0,-" />

    <!--
      Regular expression for more advanced whitelisting. Shortcut: use * to allow any piece of an ip (i.e. 128.128.128.*).
      Sample regex that whitelists a few ips: ^(128\.128\.128\.*)|(99\.99\.99\.[0-9])$
      More info about regex: http://www.regular-expressions.info/    
    -->
    <add key="WhitelistRegex" value="" />

    <!-- Comma separated list of ip addresses OR DNS names OR user names to always ban and NEVER unban -->
    <add key="Blacklist" value="" />

    <!--
      Regular expression for more advanced blacklisting. Shortcut: use * to allow any piece of an ip, dns name or user name (i.e. 128.128.128.*).
      Sample regex that blacklists a few ips: ^(128\.128\.128\.*)|(99\.99\.99\.[0-9])$
      More info about regex: http://www.regular-expressions.info/    
    -->
    <add key="BlacklistRegex" value="" />

    <!--
      Comma separated list of allowed user names. If any user login fails and the user name is not in this list, that user is banned.
      Keep in mind that if a valid user mis-types their user name, then this will lock them out UNLESS you have whitelisted their ip address.
      Leave empty to turn off this functionality.
      ***!!!*** Be very careful not to leave garbage characters or punctuation in this field because you may get locked out of your server if you fail to login with a valid account. ***!!!***
    -->
    <add key="AllowedUserNames" value="" />

  </appSettings>

  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
  </startup>

</configuration>