共计 3128 个字符,预计需要花费 8 分钟才能阅读完成。
最近观察系统日志(事件查看器 -Windows 日志 - 安全 - 事件 ID4625),在互联网默认 3389 端口下,每天暴力破解 RDP 账号的次数大约在 1200 次左右
虽然使用强密码,但是微软一直没有实现基于 IP 的自动封锁功能(Windows 11 22H2 后微软启用“帐户锁定阈值”,登录失败 10 次后,封锁账号 10 分钟),仍有暴力破解的风险
通过 chatgpt 及优化后,写了个简单的 PowerShell 脚本,每 60 秒检测 ID4625 日志攻击 IP,超过 3 次失败,添加到系统防火墙中禁止访问。并实现白名单、控制台输出登录失败 IP 及登录成功 IP
# PowerShell 脚本 - 每分钟检查 RDP 登录失败,并将失败超过 3 次的 IP 阻止
Write-Host -ForegroundColor Green "========================================================================"
Write-Host -ForegroundColor Cyan "RDP login failure monitoring script has been started"
"This script checks for RDP login failures every minute and blocks IP that have failed more than 3 times."
Write-Host -ForegroundColor Green "========================================================================"
# 配置变量
$ErrorActionPreference = "SilentlyContinue"
$LogName = "Security"
$EventID = 4625,4624 # Windows 安全事件 ID
$TimeSleepSeconds = 60
$FailedAttempsLimit = 3
$WhiteListIPs = @("127.0.0.1", "172.16.0.110")
$FirewallRuleName = "BlockedRDPAttempt_IPs"
$newBlockIPs = @()
$FailedIPs = @{}
# 初始化首次查询间隔
$startTime = (Get-Date).Add(-(New-TimeSpan -Hours 1))
$endTime = Get-Date
# 创建一个无限循环,每分钟运行一次
while ($true) {
# 计算时间间隔
$TimeSpan = $endTime - $startTime
$startTime = Get-Date
$Events = Get-WinEvent -FilterHashtable @{
LogName = $LogName
ID = $EventID
StartTime = (Get-Date).Add(-$TimeSpan)
}
# 解析失败的 IP 地址并计算每个 IP 的失败次数
foreach ($event in $Events) {$IpAddress = $event.Properties[19].Value
if ((![string]::IsNullOrEmpty($IpAddress)) -and ($IpAddress -ne "-") -and ($IpAddress -ne "0")) {$FailedIPs[$IpAddress] = $FailedIPs[$IpAddress] + 1
Write-Host -ForegroundColor Yellow "$(Get-Date) Detected failed login from: $IpAddress at $($event.TimeCreated)"
}
}
# 打印登录成功的 IP 地址
foreach ($event in $Events) {$SuccessIpAddress = $event.Properties[18].Value
if ((![string]::IsNullOrEmpty($SuccessIpAddress)) -and ($SuccessIpAddress -ne "-") -and ($SuccessIpAddress -ne "0") -and ($event.Properties[8].Value -eq 3)) {Write-Host -ForegroundColor Green "$(Get-Date) Detected successful login from: $SuccessIpAddress at $($event.TimeCreated)"
}
}
# 过滤出失败次数达到限制的 IP 并进行处理
$BlockedIPs = $FailedIPs.Keys | Where-Object {$FailedIPs[$_] -ge $FailedAttempsLimit }
$BlockedIPs = $BlockedIPs | Where-Object {$_ -notin $WhiteListIPs}
if (Compare-Object -ReferenceObject $BlockedIPs -DifferenceObject $newBlockIPs -PassThru) {foreach ($ip in $BlockedIPs) {
# 检查防火墙规则是否存在
$ruleExists = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
# 如果规则不存在,则创建一个新规则
if (-not $ruleExists) {
New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP -LocalPort 3389
Write-Host -ForegroundColor Blue "$(Get-Date) Created new Firewall rule for IP: $ip"
} else {
# 如果规则已存在,更新规则以添加新 IP
$existingBlockIPs = (Get-NetFirewallRule -DisplayName $FirewallRuleName | Get-NetFirewallAddressFilter).RemoteAddress
$newBlockIPs = @()
$newBlockIPs += $existingBlockIPs
if ($newBlockIPs -notcontains $ip) {
$newBlockIPs += $ip
Write-Host -ForegroundColor Red "$(Get-Date) Detected IP with multiple RDP failures: $ip"
}
Set-NetFirewallRule -DisplayName $FirewallRuleName -RemoteAddress $newBlockIPs
}
}
if (![string]::IsNullOrEmpty($newBlockIPs)) {Write-Host -ForegroundColor Red "$(Get-Date) Updated Firewall rule to add IP: $newBlockIPs"
}
}
# 等待 60 秒后继续下一轮循环
Start-Sleep -Seconds $TimeSleepSeconds
# 结束时间戳
$endTime = Get-Date
}
https://github.com/Qetesh/rdpFail2Ban
可从 GitHub 下载,或复制代码到 ps1 文件,使用管理员权限终端运行 ps1 程序
最后希望 RDP 永远不会中毒~
正文完
