vctls / winsshd_fail2ban
A small Powershell script that creates Windows firewall blocking rules from Bitvise SSH Server logs
Maybe the whole event message.
Some IPs seem to do port scanning that doesn't register as a failed authentication or bad obfuscation keyword.
The following IP, for example, has already been reported repeatedly as abusive:
https://www.abuseipdb.com/check/80.82.65.74
Maybe use abuseipdb's API to block any suspicious IP immediately?
<log>
<event seq="20" time="2020-11-20 06:42:31.661045 +0100" app="BvSshServer 8.44" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1001" service="SSH" remoteAddress="80.82.65.74:39654" loc="NL/EU"/>
<location continent="Europe" country="Netherlands"/>
<parameters addressRule="AnyIP" listenAddress="192.168.1.10:443"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="21" time="2020-11-20 06:43:31.649349 +0100" app="BvSshServer 8.44" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1001" service="SSH" remoteAddress="80.82.65.74:39654" loc="NL/EU"/>
<parameters disconnectReason="EofReceived" socketBytesReceived="9" socketBytesSent="0" payloadBytesReceived="0" payloadBytesSent="0" channelBytesReceived="0" channelBytesSent="0"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
<help message="The client has disconnected the session by sending EOF."/>
</event>
<event seq="22" time="2020-11-20 06:43:31.707464 +0100" app="BvSshServer 8.44" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1002" service="SSH" remoteAddress="80.82.65.74:42872" loc="NL/EU"/>
<location continent="Europe" country="Netherlands"/>
<parameters addressRule="AnyIP" listenAddress="192.168.1.10:443"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="23" time="2020-11-20 06:44:31.709784 +0100" app="BvSshServer 8.44" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1002" service="SSH" remoteAddress="80.82.65.74:42872" loc="NL/EU"/>
<parameters disconnectReason="Ssh" socketBytesReceived="3" socketBytesSent="0" payloadBytesReceived="0" payloadBytesSent="0" channelBytesReceived="0" channelBytesSent="0"/>
<error type="Flow" component="SshManager/loginTimeout" class="LocalSshDisconn" code="ByApplication" description="User authentication timeout"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="24" time="2020-11-20 06:44:31.782236 +0100" app="BvSshServer 8.44" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1003" service="SSH" remoteAddress="80.82.65.74:54670" loc="NL/EU"/>
<location continent="Europe" country="Netherlands"/>
<parameters addressRule="AnyIP" listenAddress="192.168.1.10:443"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="25" time="2020-11-20 06:45:31.789193 +0100" app="BvSshServer 8.44" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1003" service="SSH" remoteAddress="80.82.65.74:54670" loc="NL/EU"/>
<parameters disconnectReason="Ssh" socketBytesReceived="3" socketBytesSent="0" payloadBytesReceived="0" payloadBytesSent="0" channelBytesReceived="0" channelBytesSent="0"/>
<error type="Flow" component="SshManager/loginTimeout" class="LocalSshDisconn" code="ByApplication" description="User authentication timeout"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
</log>
Remove-NetFirewallRule is slow as hell.
Maybe try removing the rules from the registry instead.
Does the server generate some kind of event?
Should I track the logs?
Or scan for popup events? This last option sounds terrible.
Since addresses are completely blocked in the firewall, they shouldn't reappear at all in the logs under normal circumstances.
Using the (very slow) address check should not be the default behaviour.
The script should be able to remove all rules created by the other scripts.
Somewhat normal behaviour, since we're relying on the firewall blocking connections to avoid duplicates.
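An added example, not the project's own script, that covers the two notes above: it scans a Bitvise XML log (the format shown earlier) for remote addresses that repeatedly open a session and drop it without ever authenticating, and it puts every block rule in one firewall rule group so the existing-address check only walks that group and the whole set can be removed in one call. The parameter names, the default log path and the group name are assumptions.

```powershell
# Added example (not winsshd_fail2ban's code). Detect scanner-style sessions in a
# Bitvise SSH Server XML log and block the source IPs in a dedicated rule group.
param(
    [string]$LogPath   = 'C:\ProgramData\Bitvise\log\sample.log', # assumed location
    [int]   $Threshold = 3,                                        # sessions before blocking
    [string]$RuleGroup = 'winsshd_fail2ban'                        # assumed group name
)

[xml]$log = Get-Content -Path $LogPath -Raw

# A session that ends with a loginTimeout error, or with an EOF and no payload
# bytes, never reached authentication, so it shows up in no auth-failure event.
$suspects = @{}
foreach ($ev in $log.log.event) {
    if ($ev.GetAttribute('name') -ne 'I_SESSION_DISCONNECTED_NORMALLY') { continue }
    $noAuth = ($ev.error.component -eq 'SshManager/loginTimeout') -or
              ($ev.parameters.disconnectReason -eq 'EofReceived' -and
               [int]$ev.parameters.payloadBytesReceived -eq 0)
    if (-not $noAuth) { continue }
    $ip = ($ev.session.remoteAddress -split ':')[0]   # drop the ":port" suffix
    $suspects[$ip] = 1 + [int]$suspects[$ip]
}

# Addresses already blocked by this group. Querying one group is far cheaper
# than enumerating every rule on the host.
$blocked = Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }

foreach ($entry in $suspects.GetEnumerator()) {
    if ($entry.Value -lt $Threshold) { continue }
    if ($blocked -contains $entry.Key) { continue }
    New-NetFirewallRule -DisplayName "winsshd_fail2ban block $($entry.Key)" `
        -Group $RuleGroup -Direction Inbound -Action Block `
        -RemoteAddress $entry.Key -Profile Any | Out-Null
    Write-Output "Blocked $($entry.Key) after $($entry.Value) unauthenticated sessions"
}

# Tear-down for every rule this script ever created, in a single call:
#   Get-NetFirewallRule -Group $RuleGroup | Remove-NetFirewallRule
```

Run against the log sample above, 80.82.65.74 is counted three times (one EOF with zero payload, two login timeouts) and gets blocked at the default threshold.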