
ts_block.vbs - Blocks brute force Terminal Services login attempts
Copyright 2011 Wellbury LLC - See LICENSE for license information

Release 20110901 - Adapted from sshd_block release 20100120
Release 20120530 - Added MSI to distribution

For support, please contact Evan Anderson at Wellbury LLC
[email protected], (866) 569-9799, ext 801
<http://serverfault.com/users/7200/evan-anderson>

If you like this program please drop me an email. If you have any
ideas for enhancements or find a bug, I'd love to hear about that
too.


Overview
========
ts_block is a VBScript program that acts as a WMI event sink to receive 
events logged by Windows in response to invalid Terminal Services 
logons. It parses these log entries and acts upon them as follows: 

 - If the IP address attempts to logon with a username flagged as "block 
immediately" the IP address is blocked immediately. 

 - If the IP address attempts to logon more frequently than is 
allowed in a given time period the IP address is blocked. 

The "block immediately" usernames and thresholds associated with repeated 
logon attempts are configurable in the "Configuration" section of the 
script. Default settings are as follows: 

	Block Immediately Usernames - administrator, root, guest
	Logon attempts allowed - 5 in 120 seconds (2 minutes)
	Duration of block - 300 seconds (5 minutes)

The configuration variables for these values are reasonably 
self-explanatory. Additional variables to enable/disable debugging and 
event log usage are also present and self-explanatory. Review the 
section "Registry Configuration Parameters" for information about 
configuring via the registry (which is useful for management via Group 
Policy). 

Four times per second IP addresses that have remained blocked for their 
assigned block duration are unblocked.

ts_block does not run under Windows 2000 Server (because I have no 
machines handy to test it on and because the Terminal Services logon 
type, 10, is not logged on Windows 2000 Server) or under Windows XP 
(because the remote IP address is not included in the event log 
message). 
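The blocking rules above, written out as an added example (this is not code from ts_block.vbs, which is VBScript driven by a WMI event sink; here the failed-logon events are constructed inline). It uses the README's default thresholds and its registry parameter semantics: a "block immediately" username blocks the source at once, otherwise sequential failures are counted, a gap longer than BlockTimeout resets the count, and reaching BlockAttempts blocks the source for BlockDuration seconds. That the block fires on the attempt that reaches BlockAttempts (rather than the one after it) is this example's assumption.

```powershell
# Added example, not code from ts_block.vbs: a model of the blocking decision the
# README describes, using its default thresholds.
$BlockImmediatelyUsers = @('administrator', 'root', 'guest')
$BlockAttempts = 5     # failures that trigger a block (registry: BlockAttempts)
$BlockTimeout  = 120   # seconds between failures that reset the count (BlockTimeout)
$BlockDuration = 300   # seconds a block lasts (BlockDuration)

$state = @{
    Counts   = @{}   # ip -> consecutive failure count
    LastSeen = @{}   # ip -> time of the last failure
    Blocked  = @{}   # ip -> time the block expires
}

function Register-FailedLogon {
    param([string]$Ip, [string]$User, [datetime]$When)

    if ($state.Blocked.ContainsKey($Ip)) { return 'already blocked' }

    # Rule 1: a "block immediately" username blocks the source at once.
    if ($BlockImmediatelyUsers -contains $User.ToLowerInvariant()) {
        $state.Blocked[$Ip] = $When.AddSeconds($BlockDuration)
        return 'blocked (block-immediately username)'
    }

    # Rule 2: count sequential failures; a gap longer than BlockTimeout resets the count.
    $gapTooLong = $state.LastSeen.ContainsKey($Ip) -and
        (($When - $state.LastSeen[$Ip]).TotalSeconds -gt $BlockTimeout)
    if (-not $state.Counts.ContainsKey($Ip) -or $gapTooLong) { $state.Counts[$Ip] = 0 }
    $state.Counts[$Ip] = $state.Counts[$Ip] + 1
    $state.LastSeen[$Ip] = $When

    if ($state.Counts[$Ip] -ge $BlockAttempts) {
        $state.Blocked[$Ip] = $When.AddSeconds($BlockDuration)
        $state.Counts.Remove($Ip)
        return "blocked (attempt $BlockAttempts within the timeout window)"
    }
    return "counted ($($state.Counts[$Ip]) of $BlockAttempts)"
}

function Remove-ExpiredBlocks {
    param([datetime]$Now)
    # ts_block polls for expired blocks four times per second; same idea, one pass.
    foreach ($ip in @($state.Blocked.Keys)) {
        if ($state.Blocked[$ip] -le $Now) { $state.Blocked.Remove($ip); "unblocked $ip" }
    }
}

# Constructed failed-logon events (source IP, username, seconds after $t0)
$t0 = [datetime]'2011-09-01T12:00:00'
$events = @(
    @{ Ip = '203.0.113.10'; User = 'Administrator'; Offset = 0 },
    @{ Ip = '203.0.113.20'; User = 'jsmith'; Offset = 0 },
    @{ Ip = '203.0.113.20'; User = 'jsmith'; Offset = 10 },
    @{ Ip = '203.0.113.20'; User = 'jsmith'; Offset = 20 },
    @{ Ip = '203.0.113.20'; User = 'jsmith'; Offset = 30 },
    @{ Ip = '203.0.113.20'; User = 'jsmith'; Offset = 40 },
    @{ Ip = '203.0.113.30'; User = 'bob'; Offset = 0 },
    @{ Ip = '203.0.113.30'; User = 'bob'; Offset = 200 }   # gap > BlockTimeout: count resets
)
foreach ($e in $events) {
    $r = Register-FailedLogon -Ip $e.Ip -User $e.User -When $t0.AddSeconds($e.Offset)
    '{0,-14} {1,-14} {2}' -f $e.Ip, $e.User, $r
}
Remove-ExpiredBlocks -Now $t0.AddSeconds($BlockDuration + 1)
```

Running it shows 203.0.113.10 blocked on its first attempt (username on the list), 203.0.113.20 counted up and blocked on its fifth failure, and 203.0.113.30 staying at a count of 1 because its second failure arrives after the timeout; both blocks are then released once BlockDuration has elapsed.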


Pre-Requisite Computer Configuration
====================================
For Windows Vista, 2008, 7, and 2008 R2 the "Advanced Firewall" is used 
to create inbound firewall rules blocking traffic from the blocked host. 
On these operating systems no special configuration of the registry or 
network adapters is necessary. 

Because Windows Server 2003 lacks sufficient features in its built-in 
firewall functionality a black-hole host route is used. Unfortunately, 
the "trick" commonly used on Linux to black-hole traffic with a route to 
"lo" (127.0.0.1) doesn't work on Windows. The "route" command will fail 
if the destination specified isn't local to one of the machine's interfaces, 
as well. As such, there are two options for selecting the destination 
address used for the black-hole route. 

You may specify the black-hole destination IP address as REG_SZ value as 
described below in the "Registry Configuration Parameters" section. This 
address must be local to (in the same IP subnet as) one of the server 
computer's interfaces. It is recommended that you select an address that 
is unused in your network. This is my preferred method of installation 
because no device drivers need to be installed. 

Alternatively you may install a network interface on the server 
computer with a static IP address assigned and no default gateway 
specified. A physical hardware device is not necessary as the 
Microsoft Loopback Adapter serves the purposes of this application. 
Details about installing the Microsoft Loopback Adapter are available 
from: http://support.microsoft.com/kb/842561 

After you have installed the Microsoft Loopback Adapter (or chosen an 
unused physical hardware NIC) specify a static IP address and no 
default gateway in the TCP/IP version 4 properties for the adapter. The 
IP address and subnet mask assigned to this adapter should not match any 
network in use in your enterprise and should be in the RFC 1918 space. 

The ts_block script will locate the adapter with no default gateway 
specified and use it as the destination for the black-hole route. 
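The address selection and the two blocking mechanisms described in this section, as an added PowerShell example (not code from ts_block.vbs): the black-hole destination is taken from the BlackholeIP policy value if present, otherwise from the first IPv4 adapter with no default gateway, and the block/unblock commands are built for either the Server 2003 host route or the Vista/2008-and-later Advanced Firewall rule. The rule-name prefix, the expiry timestamp embedded in the rule name, and the parsing of "netsh advfirewall firewall show rule" output (assumed to be in English) are this example's conventions, not ts_block's; the functions only return command strings and touch nothing unless you run them.

```powershell
# Added example, not code from ts_block.vbs. Nothing is applied unless the
# returned command strings are passed to cmd /c.
$RegPath    = 'HKLM:\Software\Policies\Wellbury LLC\ts_block'
$RulePrefix = 'ts_block_example'   # this example's naming convention, not ts_block's

function Test-IPv4Literal {
    param([string]$Ip)
    # Strict dotted-quad check so that nothing but an address reaches route/netsh
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    foreach ($octet in $Ip -split '\.') { if ([int]$octet -gt 255) { return $false } }
    return $true
}

function Get-BlackholeAddress {
    $cfg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.BlackholeIP) { return [string]$cfg.BlackholeIP }
    # Get-WmiObject rather than Get-CimInstance so this also runs on the PowerShell
    # versions available for Windows Server 2003
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        if ($nic.DefaultIPGateway) { continue }          # has a gateway: not the adapter we want
        $v4 = @($nic.IPAddress | Where-Object { Test-IPv4Literal $_ })
        if ($v4.Count -gt 0) { return $v4[0] }
    }
    throw 'No BlackholeIP policy value and no IPv4 adapter without a default gateway.'
}

function Get-BlockCommands {
    param([string]$Ip, [int]$DurationSeconds, [datetime]$Now = (Get-Date))
    if (-not (Test-IPv4Literal $Ip)) { throw "Refusing to block non-IPv4 value '$Ip'" }
    $expires = $Now.AddSeconds($DurationSeconds).ToString('yyyyMMddHHmmss')
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Vista/2008 and later: inbound Advanced Firewall rule. Putting the expiry in the
        # rule name lets a startup routine find rules that outlived the service.
        $name = "$RulePrefix-$Ip-$expires"
        return @{
            Block   = "netsh advfirewall firewall add rule name=`"$name`" dir=in action=block remoteip=$Ip"
            Unblock = "netsh advfirewall firewall delete rule name=`"$name`""
        }
    }
    # Windows Server 2003: host route pointing at the black-hole address
    $dest = Get-BlackholeAddress
    return @{
        Block   = "route add $Ip mask 255.255.255.255 $dest"
        Unblock = "route delete $Ip"
    }
}

function Get-ExpiredExampleRules {
    param([datetime]$Now = (Get-Date))
    # Scan the firewall rule list for this example's rule names and return those whose
    # embedded expiry has passed: the clean-up needed after a restart, since firewall
    # rules (unlike the script's in-memory block list) survive a service restart.
    $pattern = "^Rule Name:\s+($RulePrefix-(\S+)-(\d{14}))\s*$"
    $expired = @()
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match $pattern) {
            $when = [datetime]::ParseExact($matches[3], 'yyyyMMddHHmmss', $null)
            if ($when -le $Now) { $expired += $matches[1] }
        }
    }
    return $expired
}

# Usage: inspect the commands for one address, then apply with cmd /c if they look right
$cmds = Get-BlockCommands -Ip '203.0.113.10' -DurationSeconds 300
$cmds.Block
$cmds.Unblock
```

On Server 2003 the route's gateway must be on-link, which is exactly why the README insists the black-hole address sit in the subnet of one of the server's interfaces; Get-BlackholeAddress will throw rather than guess if neither the policy value nor a gateway-less adapter is present.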


Registry Configuration Parameters
=================================
The following configuration parameters are available under the registry 
path:  HKLM\Software\Policies\Wellbury LLC\ts_block

Parameter: BlockAttempts
Type: REG_DWORD
Explanation: The number of sequential failed logon attempts (with 
accounts that are not considered "block immediately" accounts) that will 
trigger a block. 

Parameter: BlockDuration
Type: REG_DWORD
Explanation: The duration, in seconds, of a block (either because of 
reaching the BlockAttempts threshold or because of a "block 
immediately"). 

Parameter: BlockTimeout
Type: REG_DWORD
Explanation: The duration, in seconds, that must elapse between failed 
logon attempts to reset the count of failed logon attempts for a given 
IP address. 

Parameter: BlackholeIP
Type: REG_SZ
Explanation: The IP address used for the black-hole route (for Windows 
Server 2003). If not specified the default algorithm of selecting the IP 
address of a network interface with no default gateway specified will be 
used.  This setting is not used in Windows Server 2008 and later versions
of Windows.

A Group Policy Administrative Template (ADM) file is included with this 
distribution that is capable of setting these values. Deploying a GPO 
near the top of the domain with the BlockAttempts, BlockDuration, and 
BlockTimeout values specified and Site or OU-level GPOs with the 
BlackholeIP value specified (as this will vary based on the subnets 
where the server computers are located, and is only necessary for 
Windows Server 2003 machines) is recommended. 
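Setting and verifying these values on a single machine, as an added PowerShell example (not part of the ts_block distribution, whose intended mechanism is the ADM template and Group Policy). It uses the registry path, value names, types and defaults listed above; the type check matters because a value stored as REG_SZ where REG_DWORD is documented is the kind of mistake that is easy to make by hand and hard to spot afterwards. Run from an elevated prompt.

```powershell
# Added example, not part of ts_block: write and read back the documented policy values.
$RegPath = 'HKLM:\Software\Policies\Wellbury LLC\ts_block'

function Set-TsBlockPolicy {
    param(
        [int]$BlockAttempts = 5,      # README default
        [int]$BlockDuration = 300,    # seconds
        [int]$BlockTimeout  = 120,    # seconds
        [string]$BlackholeIP          # Windows Server 2003 only; leave empty elsewhere
    )
    if ($BlockAttempts -lt 1 -or $BlockDuration -lt 1 -or $BlockTimeout -lt 1) {
        throw 'All thresholds must be positive integers.'
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    $dwords = @{ BlockAttempts = $BlockAttempts; BlockDuration = $BlockDuration; BlockTimeout = $BlockTimeout }
    foreach ($name in $dwords.Keys) {
        # REG_DWORD, as documented; -Force overwrites an existing value of any type
        New-ItemProperty -Path $RegPath -Name $name -Value $dwords[$name] -PropertyType DWord -Force | Out-Null
    }
    if ($BlackholeIP) {
        if ($BlackholeIP -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "BlackholeIP '$BlackholeIP' is not an IPv4 address" }
        New-ItemProperty -Path $RegPath -Name BlackholeIP -Value $BlackholeIP -PropertyType String -Force | Out-Null
    }
}

function Get-TsBlockPolicy {
    # Returns the effective values (README defaults where nothing is set) plus a
    # Problems list naming any value stored with the wrong registry type.
    $defaults  = @{ BlockAttempts = 5; BlockDuration = 300; BlockTimeout = 120 }
    $effective = @{}
    $problems  = @()
    $key = Get-Item -Path $RegPath -ErrorAction SilentlyContinue
    foreach ($name in $defaults.Keys) {
        $effective[$name] = $defaults[$name]
        if ($key -and ($key.GetValueNames() -contains $name)) {
            if ($key.GetValueKind($name) -ne 'DWord') { $problems += "$name is not REG_DWORD" }
            else { $effective[$name] = $key.GetValue($name) }
        }
    }
    if ($key -and ($key.GetValueNames() -contains 'BlackholeIP')) {
        if ($key.GetValueKind('BlackholeIP') -ne 'String') { $problems += 'BlackholeIP is not REG_SZ' }
        else { $effective['BlackholeIP'] = $key.GetValue('BlackholeIP') }
    }
    $effective['Problems'] = $problems
    return $effective
}

# Usage: tighten the defaults slightly, then confirm what the script will read
Set-TsBlockPolicy -BlockAttempts 4 -BlockDuration 600 -BlockTimeout 120
Get-TsBlockPolicy
```

A domain-wide GPO carrying the three REG_DWORD values and site- or OU-level GPOs carrying BlackholeIP, as recommended above, end up writing exactly these keys; Get-TsBlockPolicy is a quick way to confirm the result on a member server after a gpupdate.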


Script Testing
==============
It is recommended that you copy the ts_block.vbs script to your desired 
location, modify the configuration parameters if you are unsatisfied 
with the defaults, and execute the script. It is recommended that 
you execute the script using the CSCRIPT.EXE utility, but it is possible 
to execute the script using WSCRIPT.EXE via double-clicking on the 
script file in Windows Explorer. Be aware that, should debugging be 
enabled, execution is only effectively possible through CSCRIPT.EXE 
because message logging to pop-up dialogs will "stall" the script until 
the dialogs are dismissed. 

Test the functionality of the script by performing invalid logons 
using a "block immediately" account and by attempting repeated logons 
with a valid or invalid account that is not in the "block immediately" 
list. Blocking and unblocking events will be logged in the Application 
event log. (It is recommended that you perform your tests via a protocol
that won't cause you to lose communication with the server computer
during testing or from an IP address that isn't going to be blocked.) 


Windows Service Installation
============================
A binary copy of the public domain "Non-Sucking Service Manager" (nssm, 
available from http://iain.cx/src/nssm/) is included with ts_block to 
facilitate installation as a Windows service. The Microsoft SRVANY tool 
may also be used to run ts_block as a Windows Service. 

If you choose to use nssm, copy the nssm.exe file to the location of 
your choice (in "%ProgramFiles%\ts_block", for example). 

After you are satisfied with the performance of the script in testing 
and have copied nssm.exe to the desired location, install the script as 
a Windows service using the following command-line (from the directory 
where nssm was installed): 

	nssm install ts_block %SystemRoot%\System32\cscript.exe 
		"\"%ProgramFiles%\ts_block\ts_block.vbs\""

The command is depicted as two lines above but should be entered on a 
single line. It is necessary to enter the "\" characters as depicted 
such that the resulting registry entry is surrounded by double quotes. 
This command will create a service set to start automatically. (If your 
ts_block.vbs is stored in a path without spaces then you don't need to go 
through those gyrations.) 

After installing the service start it and verify that it functions 
properly. 
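A check for the service created by the nssm command above, as an added PowerShell example (not part of ts_block or nssm). It confirms the service exists, starts automatically and is running, that the host program is CSCRIPT.EXE rather than WSCRIPT.EXE, that the script path argument is double-quoted when it contains spaces (the reason for the "\"" escaping above), and that the script file exists. The Parameters subkey with its Application and AppParameters values is where nssm 2.x records the command line; that layout is an assumption of this example, so verify it against the nssm version you ship.

```powershell
# Added example, not part of ts_block or nssm: sanity-check the installed service.
function Test-TsBlockService {
    param([string]$ServiceName = 'ts_block')
    $findings = @()

    # Win32_Service (rather than Get-Service) exposes StartMode on older PowerShell versions
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
    if (-not $svc) { return @("service '$ServiceName' is not installed") }
    if ($svc.StartMode -ne 'Auto')  { $findings += "start mode is $($svc.StartMode), expected Auto" }
    if ($svc.State -ne 'Running')   { $findings += "state is $($svc.State), expected Running" }

    # nssm 2.x keeps the wrapped command line under the service's Parameters key (assumption)
    $p = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters" `
        -ErrorAction SilentlyContinue
    if (-not $p) {
        $findings += 'no Parameters key under the service; was it created by nssm?'
    } else {
        if ([string]$p.Application -notmatch 'cscript\.exe$') {
            $findings += "Application is '$($p.Application)', expected cscript.exe (wscript stalls on debug dialogs)"
        }
        $appParams = [string]$p.AppParameters
        if (($appParams -match ' ') -and ($appParams -notmatch '^".*"$')) {
            $findings += "AppParameters '$appParams' contains spaces but is not double-quoted"
        }
        $scriptPath = [Environment]::ExpandEnvironmentVariables($appParams.Trim('"'))
        if (-not (Test-Path -LiteralPath $scriptPath)) { $findings += "script '$scriptPath' not found" }
    }

    if ($findings.Count -eq 0) { $findings = @('ok') }
    return $findings
}

Test-TsBlockService
```

Each finding maps to one of the failure reports in this project's issues (service present but not started, wrong host executable, unquoted path), so it is worth running once right after "nssm install" and again after any reboot.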


External Dependencies
=====================
The following external programs are required to be in the PATH for the 
user context under which ts_block is executing: 

ROUTE.EXE - For black-hole routing blocked IP addresses under Windows XP

NETSH.EXE - For creating Advanced Firewall rules on Windows Vista and
  later versions of Windows

EVENTCREATE.EXE - For writing to the event log
  (only if event logging is enabled)


Performance and Security
========================
A simple and fairly unscientific stress test function is included in the 
script (and disabled by default). Testing with the parameters listed in 
the script (but with the BLOCK_DURATION decreased from the default to 60 
seconds) on a Windows Server 2003 SP2 x86 Standard Edition machine 
resulted in peak memory usage of 6,780KB. As the blocked queue drained 
at the end of the test, the memory usage decreased slightly. On the face 
of it, it would appear that the script can handle at least thousands of 
unique IP addresses being blocked at a rate of one IP address every 10 
to 50ms with no major issues. 

Parameters passed to calls to external programs for creating Windows 
Event Log entries or altering IP routes are sanitized through a regular 
expression match (allowing only the characters 0-9, a-z, A-Z, and 
period, underscore, space, right-leaning slash, colon, and minus). 
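The allow-list filter just described, as an added PowerShell example (not the script's own code; the script's actual regular expression is not shown on this page, so the character class below is this example's reading of the listed characters). Values lifted from an event log message (source address, username, message text) are untrusted input that ends up on a ROUTE, NETSH or EVENTCREATE command line, so anything outside the allow list is refused rather than escaped.

```powershell
# Added example, not code from ts_block.vbs: allow-list check for external-program arguments.
# Allowed: 0-9, a-z, A-Z, period, underscore, space, forward slash, colon, minus.
$AllowedArgument = '^[0-9A-Za-z._ /:\-]+$'

function Test-SafeArgument {
    param([string]$Value)
    # Empty strings are rejected as well: an empty address or message is never a valid argument
    return [bool]($Value -match $AllowedArgument)
}

function Invoke-ExternalChecked {
    param([string]$Exe, [string[]]$Arguments)
    foreach ($a in $Arguments) {
        if (-not (Test-SafeArgument $a)) {
            throw "Refusing to run $Exe`: argument '$a' contains characters outside the allow list"
        }
    }
    # Arguments are passed as an array, so no shell re-parses them on the way to the program
    & $Exe @Arguments
}

# Constructed sample values of the kind a WMI event sink might hand the script
$samples = @(
    '203.0.113.10',                     # ordinary IPv4 address: accepted
    'jsmith',                           # username: accepted
    '203.0.113.10 & echo injected',     # shell metacharacters: rejected
    'x"; echo injected',                # quote and semicolon: rejected
    'Blocked 203.0.113.10 for 300 s',   # event message text: accepted
    ''                                  # empty: rejected
)
foreach ($s in $samples) {
    $verdict = if (Test-SafeArgument $s) { 'ok' } else { 'reject' }
    '{0,-7} [{1}]' -f $verdict, $s
}
```

Note that the list deliberately excludes the backslash, so a value such as a DOMAIN\user name would be rejected rather than passed through; if the script needs to log such names, widen the allow list consciously rather than fall back to escaping. A call such as Invoke-ExternalChecked -Exe 'route.exe' -Arguments @('print') shows the checked path end to end.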


Windows Installer Package (MSI)
===============================
A Windows Installer package (MSI) version of ts_block is included with 
this distribution (along with the WiX source file used to create the 
MSI). The MSI is self-contained (all necessary files are compressed and 
embedded within it) and can be used for automated deployment of ts_block 
as a service under NSSM. It has been tested using Group Policy Software
Installation Policy under Windows Server 2003, Windows Server 2008 R2,
and Windows 7. Uninstallation via Group Policy has also been tested.


Future Roadmap
==============
Exciting enhancement possibilities include:

 - Loading values for "block immediately" usernames from the registry.


ts_block's Issues

TS_Block service stopped working

Hi, I have installed ts_block on 3 different 2003 small business servers. All three were working and blocking RDP attacks for several days. All of a sudden, on all three servers, the ts_block service showed up as being paused and I could not start it (error starting service). All three servers are running 2003 SBS, Trend Micro Advanced Security Suite. Any ideas why and how to fix? Thanks.

Possible to watch for other types of failed logins?

Hi,

I've been looking for something like this for use at home for a good while, and it does a really good job - thanks very much. It still works a treat on Server 2019.

Adding two things would make it even more useful (to me at least, but I'd bet others too):
Watching for VPN login failures too
Logging to a file (so I can read that with another app that doesn't talk windows event logs)

I haven't ever touched VB before though, and get nowhere fast trying to add these to ts_block.
Anyone kind enough to point me in the right direction please?

Also, there's one (minor) issue I've found while using it:
If it's created a firewall rule, and you then restart the machine it's running on, the rule's left there forever.
It seems that wildcards can't be used when removing firewall rules, so 'remove Blackhole*' won't do the trick. Is just removing all during startup even a valid approach though?
Is there some other way to remove old rules after a restart, or maybe re-import them then remove them once the right period's passed?

IP not blocked on Windows Server 2003

Hi, thanks for releasing this application, it looks promising.

I just installed via the MSI installer on a Windows 2003 server.

The installer appeared to run, but gave no confirmation message after completing.

However, looking in "Services" I saw "ts_block" was there, but not started.

I also took a look in the registry, and there were no keys created under HKLM/Software/Policies/Wellbury LLC/* with "Wellbury LLC" absent there.

I'd edited the .vbs script in Program Files to add the blackhole IP 192.168.168.28 ( which doesn't exist, but is on the subnet )

I then started the service and tested it with the "administrator" username over RDP

Later, I saw the event log to the effect that my IP had been blocked for 5 minutes.

However, I could still keep trying to login, with no block appearing in place for "administrator" or any other username and I logged in via my usual username instead.

So, the issue is, the application was installed from MSI, service started, log entries created, but no block appears to actually occur.

thanks,

DT

IP white list

The title is self explaining. It would be nice if can added a list of IPs, which are never blocked.
Reason: If I mistype the password from my office, with a known IP, I don't want to wait 5 minutes to try again.

No longer functioning?

My last blocked IP was 3/31/2014 which I thought was odd, so logged into a remote system and hammered my server 6 times with Administrator, which should have been immediately blocked. After that I was able to authenticate with a correct login & password.

I have enabled Debug and I can see nothing out of the ordinary. I use a modified script that ignores private IPs so I restored the original script and it behaves the same way: nothing logged, nothing blocked.

Could a MS patch have broken it?

It is running on Windows 2008 R2.

Cant get it to work on 2008 R2

Hello,
I have Server 2008 R2 and installed ts_block_20120530.msi.
The service and folder were created and I started the ts_block service.
So far so good.

When I connect to the terminal server with root, administrator or several other usernames nothing happens. No rules in the firewall.

Can you tell me if I am missing some configuration?

regards, Dutchmen

I have been successful with manual installation. but msi fails


ID 4625 Guest type 3 hacking suspicion.

cd %ProgramFiles%
md ts_block
cd ts_block
nssm install ts_block %SystemRoot%\System32\cscript.exe "\"%ProgramFiles%\ts_block\ts_block.vbs\""

or

md "%ProgramFiles%\ts_block"

echo ts_block Download
powershell.exe -Command "& {Invoke-WebRequest -OutFile '%ProgramFiles%\ts_block\ts_block-master.zip' -Uri 'https://github.com/EvanAnderson/ts_block/archive/refs/heads/master.zip'}"
tar -xvf "%ProgramFiles%\ts_block\ts_block-master.zip" -C "%ProgramFiles%\ts_block"
xcopy "%ProgramFiles%\ts_block\ts_block-master" "%ProgramFiles%\ts_block" /E

echo nssm Download or install 
bitsadmin /transfer 1234 /download "http://nssm.cc/release/nssm-2.24.zip" "%ProgramFiles%\ts_block\nssm-2.24.zip"
tar -xvf "%ProgramFiles%\ts_block\nssm-2.24.zip" -C "%ProgramFiles%\ts_block"
copy "%ProgramFiles%\ts_block\nssm-2.24\win64\nssm.exe" "%ProgramFiles%\ts_block\"
cd "%ProgramFiles%\ts_block\"
nssm install ts_block %SystemRoot%\System32\cscript.exe "\"%ProgramFiles%\ts_block\ts_block.vbs\""

echo error..?
echo Deleting the service (If you register by mistake, the service specified as `Error creating service! CreateService():` already exists.)
echo https://kitty-geno.tistory.com/151
nssm remove ts_block

This installed successfully. thank you.
Windows 10 Insider 64bit [Version 10.0.19044.1889]
(I'm not good at computers, so I wrote the commands by asking.)

I hope this program will be updated someday.
Applicable to Windows 10-11. I would like to change it to

Oh my symptoms.
C:\Windows\System32
There were signs that the folder had been opened.
And my chrome was... suspicious. As if someone had opened it once.

5379 Microsoft Windows security
And this event happens a lot.
This has nothing to do with the above program.
These are my symptoms.

Doesn't work under Win2012R2

I did use this script for a long time under Win2008. But now, under Win2012 it does nothing. In Debugmode it is waiting in busy-loop but no event is noticed.
It looks like that the Select Statement is no longer valid.

block 0.0.0.0

Script adds 0.0.0.0, which blocks broadcast traffic, for example DHCP requests :-/

Can't install it with MSI

Hi,

On Windows Server 2008 R2 I'm having problems of installation:

When I execute the .msi it opens-&-closes a pair of command prompts very quickly and then says "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or vendor package.".

I've checked that ROUTE, NETSH and EVENTCREATE are available from the command prompt.

What can be the problem?
Thanks,
SntsDev

Advanced Firewall-based blocks persist across service restarts

This was wholly unintended functionality. I will write code to identify and remove blocks that have persisted.

It looks like an initialization routine to query the Advanced Firewall rules for rules with a known naming convention and parsing those rule names to extract the appropriate block expiration time should be sufficient.

No MSI package

The README refers to an MSI package but it hasn't been created yet.

Multiple blocks being generated

Users have reported that multiple blocks are being generated, complete with multiple "Advanced Firewall" rules. I will attempt to repro the issue and, if I am so able, refactor the code to prevent the multiple blocks from being created.

MSI file give error trying to launch in windows server 2008 R2

Hello,
thank you for your script.

I'd want to install it on our Windows 2008 R2 web server, but I receive an error from MSI when I try to launch it: "This Installation package could not be opened".

Furthermore, when I tried it in cscript/wscript, I don't know where exactly to look in the Firewall for new rules to understand if it's working or not. None of the items I checked show any rules related to TS_BLOCK.

Could you help me with these problems?

Thank you again,
Alberto
(Italy)

Find workaround for logging changes when the "Security Layer" is SSL/TLS

When an RDP client that supports SSL/TLS (rather than only "RDP" security, as was the case with older clients) fails authentication to the RDP server an IP address for the client won't be logged when the NtLmSsp security provider is used.

Arguably, SSL/TLS is a Good Thing(tm) (see http://technet.microsoft.com/en-us/magazine/ff458357.aspx for details) and I am wary of other invalid-RDP-logon blocking products' suggestions to force the security layer to "RDP" (see http://rdpguard.com/windows-server-how-to-catch-failed-logons.aspx) because, while it does cause IP addresses to be logged, it prevents useful features (like mutual authentication) from being used.

The "Cyberarms IDDS" product came up with a workaround that allows the SSL/TLS security layer to remain enabled while still being able to log IP addresses. I'm going to look at their product to see if I'm able to determine what they're doing, however anything that involves compiled code is probably going to be above my interest level for ts_block.

I ran the MSI, but can not get it to run

I ran the MSI as instructed and get the error "Error creating service!"

I'm running Windows Server 2003

The MSI files are in the folder C:\program files\Ts_block

here's what I typed on the command prompt

nssm install Ts_block c:\windows\system32\cscript32.exe C:\program files\ts_block\ts_block.vbs

IIS/FTP?

Does this work for IIS/FTP log on attempts?

THX

Nov 2014 RDP update

Am I the only one who, since the Nov 2014 RDP security update, no longer receives the 4625 events no matter what the settings?

Update: So my boxes (4 hanging off the public internet - don't ask) running this used to get hundreds of 4625 attempts per day prior to Nov 11th; then when I applied that month's updates, one of which included an RDP\TS related update, they all stopped. Literally for a month, till today Dec 11th, I did not receive a single bad logon attempt 4625 (except one I generated myself to see if I could) - very strange, it's as if the botnets and related folks all took a month off, which of course I know they haven't. I was thinking it had something to do with the Nov RDP\TS update that talked like it made some change related to logging, though it was never specific. Anyway I see today for the first time I finally received 2 bad attempts from random IPs; besides the timing being interesting, I'm closing this as it indicates to me it must not have been a ts_block\RDP related issue.
