最近观察系统日志(事件查看器-Windows日志-安全-事件ID4625),在互联网默认3389端口下,每天暴力破解RDP账号的次数大约在1200次左右
虽然使用强密码,但是微软一直没有实现基于IP的自动封锁功能(Windows 11 22H2后微软启用“帐户锁定阈值”,登录失败10次后,封锁账号10分钟),仍有暴力破解的风险
通过chatgpt及优化后,写了个简单的PowerShell脚本,每60秒检测ID4625日志攻击IP,超过3次失败,添加到系统防火墙中禁止访问。并实现白名单、控制台输出登录失败IP及登录成功IP
# PowerShell 脚本 - 每分钟检查RDP登录失败,并将失败超过3次的IP阻止
Write-Host -ForegroundColor Green "========================================================================"
Write-Host -ForegroundColor Cyan " RDP login failure monitoring script has been started"
" This script checks for RDP login failures every minute and blocks IP that have failed more than 3 times."
Write-Host -ForegroundColor Green "========================================================================"
# 配置变量
$ErrorActionPreference = "SilentlyContinue"
$LogName = "Security"
$EventID = 4625,4624 # Windows安全事件ID
$TimeSleepSeconds = 60
$FailedAttempsLimit = 3
$WhiteListIPs = @("127.0.0.1", "172.16.0.110")
$FirewallRuleName = "BlockedRDPAttempt_IPs"
$newBlockIPs = @()
$FailedIPs = @{}
# 初始化首次查询间隔
$startTime = (Get-Date).Add(-(New-TimeSpan -Hours 1))
$endTime = Get-Date
# 创建一个无限循环,每分钟运行一次
while ($true) {
# 计算时间间隔
$TimeSpan = $endTime - $startTime
$startTime = Get-Date
$Events = Get-WinEvent -FilterHashtable @{
LogName = $LogName
ID = $EventID
StartTime = (Get-Date).Add(-$TimeSpan)
}
# 解析失败的IP地址并计算每个IP的失败次数
foreach ($event in $Events) {
$IpAddress = $event.Properties[19].Value
if ((![string]::IsNullOrEmpty($IpAddress)) -and ($IpAddress -ne "-") -and ($IpAddress -ne "0")) {
$FailedIPs[$IpAddress] = $FailedIPs[$IpAddress] + 1
Write-Host -ForegroundColor Yellow "$(Get-Date) Detected failed login from: $IpAddress at $($event.TimeCreated)"
}
}
# 打印登录成功的IP地址
foreach ($event in $Events) {
$SuccessIpAddress = $event.Properties[18].Value
if ((![string]::IsNullOrEmpty($SuccessIpAddress)) -and ($SuccessIpAddress -ne "-") -and ($SuccessIpAddress -ne "0") -and ($event.Properties[8].Value -eq 3)) {
Write-Host -ForegroundColor Green "$(Get-Date) Detected successful login from: $SuccessIpAddress at $($event.TimeCreated)"
}
}
# 过滤出失败次数达到限制的IP并进行处理
$BlockedIPs = $FailedIPs.Keys | Where-Object { $FailedIPs[$_] -ge $FailedAttempsLimit }
$BlockedIPs = $BlockedIPs | Where-Object { $_ -notin $WhiteListIPs }
if (Compare-Object -ReferenceObject $BlockedIPs -DifferenceObject $newBlockIPs -PassThru) {
foreach ($ip in $BlockedIPs) {
# 检查防火墙规则是否存在
$ruleExists = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
# 如果规则不存在,则创建一个新规则
if (-not $ruleExists) {
New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP -LocalPort 3389
Write-Host -ForegroundColor Blue "$(Get-Date) Created new Firewall rule for IP: $ip"
} else {
# 如果规则已存在,更新规则以添加新IP
$existingBlockIPs = (Get-NetFirewallRule -DisplayName $FirewallRuleName | Get-NetFirewallAddressFilter).RemoteAddress
$newBlockIPs = @()
$newBlockIPs += $existingBlockIPs
if ($newBlockIPs -notcontains $ip) {
$newBlockIPs += $ip
Write-Host -ForegroundColor Red "$(Get-Date) Detected IP with multiple RDP failures: $ip"
}
Set-NetFirewallRule -DisplayName $FirewallRuleName -RemoteAddress $newBlockIPs
}
}
if (![string]::IsNullOrEmpty($newBlockIPs)) {
Write-Host -ForegroundColor Red "$(Get-Date) Updated Firewall rule to add IP: $newBlockIPs"
}
}
# 等待60秒后继续下一轮循环
Start-Sleep -Seconds $TimeSleepSeconds
# 结束时间戳
$endTime = Get-Date
}
https://github.com/Qetesh/rdpFail2Ban
可从GitHub下载,或复制代码到ps1文件,使用管理员权限终端运行ps1程序
最后希望RDP永远不会中毒~
0