Checking the Security log, you will sometimes notice one or more IP addresses trying username after username and password after password against Remote Desktop (RDP).

This script is for Windows Server 2008/2008 R2 and Windows 7.

To stop those attacks, a lot of security analysts block the offending IP address in the firewall (Windows Firewall or an appliance). That works, but there is a big chance that another IP address will show up while the analyst is asleep or busy with something else.

This script reads the Windows Security log for Event ID 4625 (an account failed to log on) in the last 5 minutes, strips everything except the source IP addresses, removes duplicates, and writes a Windows Firewall rule for each address to block it. The rule blocks all inbound traffic from that IP address, not just the RDP port.

The next time the script runs it first deletes every rule it wrote in the firewall on the previous run and then starts the process again. A block therefore lasts only until the next run: an address that stops attacking for a few minutes is unblocked, and an address that keeps attacking is blocked again.

If no new IP addresses show up in the window, the script simply exits.

This script is basic. No port is involved, only IP addresses, and if a legitimate user types a wrong password, his or her IP address will be blocked the next time the script runs.

To run the script every 5 minutes, create a scheduled task on the Windows machine that runs it every 5 minutes.

If you want to copy the script, paste it into Notepad first to make sure the code came through cleanly; otherwise you may get errors and end up troubleshooting.

If you need custom code, please contact me and I will be glad to help you for a small fee.

This is the script:
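One way to create that scheduled task from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes the script has been saved as C:\Scripts\BlockRdpAttackers.ps1 (a placeholder path with no spaces in it) and that the task name "Block RDP Attackers" is not already in use; both are assumptions to adjust for your machine.

```powershell
# Added example, not from the original post.
# Registers a task that runs the blocking script every 5 minutes as SYSTEM, which has the
# rights netsh advfirewall needs to add and delete rules. Path and task name are assumptions.

$script   = 'C:\Scripts\BlockRdpAttackers.ps1'   # assumed location of the script below
$taskName = 'Block RDP Attackers'                # assumed task name

# -NonInteractive and -NoProfile keep the task from hanging on a prompt or loading a profile;
# -ExecutionPolicy Bypass avoids a policy error when the task runs unattended.
$action = "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $script"

# /SC MINUTE /MO 5 = run every 5 minutes; /RU SYSTEM = run as LocalSystem (no stored password);
# /F overwrites an existing task with the same name.
schtasks.exe /Create /F /SC MINUTE /MO 5 /TN "$taskName" /TR $action /RU SYSTEM

# Confirm the task exists and check "Last Run Time" and "Last Result" (0 means success)
# after the first interval has passed.
schtasks.exe /Query /TN "$taskName" /V /FO LIST
```

If the script or the task is deleted later, the firewall rules it created stay in place until you remove them yourself with `netsh advfirewall firewall delete rule name="Block IP Attacker"`.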

 

 

#### Clean up every firewall rule this script created on a previous run. Doing it here keeps the
#### firewall from filling up with stale rules and releases addresses that no longer need to be blocked.

netsh advfirewall firewall delete rule name="Block IP Attacker"


### Read the last 5 minutes of failed logons (Event ID 4625). To change the window, replace -5
### with the number of minutes you want.

$events = Get-EventLog -LogName Security -After (Get-Date).AddMinutes(-5) |
    Where-Object { $_.EventID -eq 4625 }


### Pull the "Source Network Address:" line out of each event message and keep only the address.
### Entries that read "-" (no network source recorded, for example a local logon) are dropped.

$ips = $events |
    ForEach-Object { $_.Message -split "`r?`n" } |
    Select-String -Pattern "Source Network Address:" |
    ForEach-Object { ($_.Line -replace "Source Network Address:", "").Trim() } |
    Where-Object { $_ -ne "" -and $_ -ne "-" }


### Remove duplicate IP addresses, keep a copy of the list for review and show it on screen.

$ips = $ips | Sort-Object -Unique
$ips | Out-File iptoblock.txt
$ips


### Create the firewall rules. If there was no attack in the window the script exits and prints
### "No New Incidents, I will sleep waiting for new attacks".

if (-not $ips)
{
    Write-Host "No New Incidents, I will sleep waiting for new attacks"
    Exit
}

foreach ($ip in $ips)
{
    # One inbound block rule per address; all rules share the name so the delete above removes them.
    netsh advfirewall firewall add rule name="Block IP Attacker" dir=in action=block remoteip="$ip"
}


### This tells you the script finished; you can comment this line out.

Write-Host "WORK DONE"

 

 

 

 

This is not part of the script.
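The script above blocks an address after a single failed logon of any kind, which is why a legitimate user with a mistyped password gets blocked too. The following is an added example, not code from the original post, that applies the same block-and-refresh idea more selectively: it reads the IpAddress and LogonType fields from the 4625 event XML instead of matching text in the message, counts failures per source address, blocks only addresses that reach a threshold, and never blocks addresses on an allow list. The threshold value, the allow-list entry, the rule name and the accepted logon types are all assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. Threshold-based variant of the blocking script.
# Assumptions: $Threshold failures in $Minutes minutes from one address triggers a block,
# addresses in $AllowList are never blocked, and the rule name is a placeholder.

param(
    [int]      $Minutes   = 5,
    [int]      $Threshold = 5,                   # assumed: block after 5 failures in the window
    [string[]] $AllowList = @('10.0.0.5'),       # assumed management host; adjust for your site
    [string]   $RuleName  = 'Block RDP Attacker'  # assumed rule name
)

# Failed-logon events (4625) from the Security log for the window. Get-WinEvent reports a
# non-terminating error when nothing matches, so that is silenced and $events stays empty.
$start  = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } `
          -ErrorAction SilentlyContinue

# Take the named fields from the event XML; this does not depend on the wording or language
# of the message text.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        IpAddress = $data['IpAddress']
        LogonType = $data['LogonType']
        User      = $data['TargetUserName']
    }
}

# Keep remote attempts only: logon type 10 is RemoteInteractive (RDP). With Network Level
# Authentication enabled, failed RDP logons are usually recorded as type 3 (Network), so type 3
# is accepted as well; note that type 3 also covers SMB and other network logons.
$remote = $failures | Where-Object {
    $_.IpAddress -and $_.IpAddress -ne '-' -and ($_.LogonType -eq '10' -or $_.LogonType -eq '3')
}

# Count failures per source address and keep those at or over the threshold, minus the allow list.
$offenders = $remote | Group-Object IpAddress |
    Where-Object { $_.Count -ge $Threshold -and $AllowList -notcontains $_.Name } |
    Sort-Object Count -Descending

# As in the original script, drop last run's rules first, then add one rule per offender.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

if (-not $offenders) {
    Write-Host "No source address reached $Threshold failures in the last $Minutes minutes"
    exit
}

foreach ($o in $offenders) {
    $users = ($o.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ','
    Write-Host ("Blocking {0}: {1} failures, usernames tried: {2}" -f $o.Name, $o.Count, $users)
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block remoteip="$($o.Name)" | Out-Null
}
```

Run it from the same scheduled task as the original script, for example `powershell.exe -File C:\Scripts\BlockRdpAttackers.ps1 -Threshold 10 -Minutes 10` (paths and values are placeholders). Because the rules are still deleted and recreated on every run, a block lasts only as long as the address keeps failing logons inside the window; raise $Minutes if you want a longer lockout.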