vctls / winsshd_fail2ban Goto Github PK
View Code? Open in Web Editor NEWA small Powershell script that creates Windows firewall blocking rules from Bitvise SSH Server logs
winsshd_fail2ban's People
Contributors
Watchers
winsshd_fail2ban's Issues
Add date and time and maybe more stuff in the firewall rule description
Maybe the whole event message.
Allow banning "normal" connections and deconnections without authentication attempt
Some IPs seem to do port scanning that doesn't register as a failed authentication or bad obfuscation keyword.
The following IP, for example, has already been reported repeatedly as abusive:
https://www.abuseipdb.com/check/80.82.65.74
Maybe use abuseipdb's API to block any suspicious IP immediately?
Log entries
<log>
<event seq="20" time="2020-11-20 06:42:31.661045 +0100" app="BvSshServer 8.44" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1001" service="SSH" remoteAddress="80.82.65.74:39654" loc="NL/EU"/>
<location continent="Europe" country="Netherlands"/>
<parameters addressRule="AnyIP" listenAddress="192.168.1.10:443"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="21" time="2020-11-20 06:43:31.649349 +0100" app="BvSshServer 8.44" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1001" service="SSH" remoteAddress="80.82.65.74:39654" loc="NL/EU"/>
<parameters disconnectReason="EofReceived" socketBytesReceived="9" socketBytesSent="0" payloadBytesReceived="0" payloadBytesSent="0" channelBytesReceived="0" channelBytesSent="0"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
<help message="The client has disconnected the session by sending EOF."/>
</event>
<event seq="22" time="2020-11-20 06:43:31.707464 +0100" app="BvSshServer 8.44" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1002" service="SSH" remoteAddress="80.82.65.74:42872" loc="NL/EU"/>
<location continent="Europe" country="Netherlands"/>
<parameters addressRule="AnyIP" listenAddress="192.168.1.10:443"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="23" time="2020-11-20 06:44:31.709784 +0100" app="BvSshServer 8.44" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1002" service="SSH" remoteAddress="80.82.65.74:42872" loc="NL/EU"/>
<parameters disconnectReason="Ssh" socketBytesReceived="3" socketBytesSent="0" payloadBytesReceived="0" payloadBytesSent="0" channelBytesReceived="0" channelBytesSent="0"/>
<error type="Flow" component="SshManager/loginTimeout" class="LocalSshDisconn" code="ByApplication" description="User authentication timeout"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="24" time="2020-11-20 06:44:31.782236 +0100" app="BvSshServer 8.44" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
<session id="1003" service="SSH" remoteAddress="80.82.65.74:54670" loc="NL/EU"/>
<location continent="Europe" country="Netherlands"/>
<parameters addressRule="AnyIP" listenAddress="192.168.1.10:443"/>
<sessions ssh="1" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
<event seq="25" time="2020-11-20 06:45:31.789193 +0100" app="BvSshServer 8.44" name="I_SESSION_DISCONNECTED_NORMALLY" desc="Session disconnected normally.">
<session id="1003" service="SSH" remoteAddress="80.82.65.74:54670" loc="NL/EU"/>
<parameters disconnectReason="Ssh" socketBytesReceived="3" socketBytesSent="0" payloadBytesReceived="0" payloadBytesSent="0" channelBytesReceived="0" channelBytesSent="0"/>
<error type="Flow" component="SshManager/loginTimeout" class="LocalSshDisconn" code="ByApplication" description="User authentication timeout"/>
<sessions ssh="0" sshAuth="0" ftp="0" ftpAuth="0"/>
</event>
</log>Make cleanup script faster.
Remove-NetFirewallRule is slow as hell.
Maybe try removing the rules from the registry instead.
Find a way to create rules immediately after a failed authentication event.
Does the server generate some kind of event?
Should I track the logs?
Or scan for popup events? This last option sounds terrible.
Document the subscriber script
Add option not to check existing rules
Since addresses are completely blocked in the firewall, they shouldn't reappear at all in the logs under normal circumstances.
Using the (very slow) address check should not be the default behaviour.
Add cleanup script
The script should be able to remove all rules created by the other scripts.
Make it less verbose by default, add a verbose option
The subscriber sometimes creates duplicate rules when connection attempts are very close
Somewhat normal behaviour, since we're relying on the firewall blocking connections to avoid duplicates.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.