Login Register





Tutorial [PowerShell] Automatically ban IP addresses filter_list
Author
Message
[PowerShell] Automatically ban IP addresses #1
Maybe you're like me, and occasionally you'll get a random person somewhere in the world that points a fuzzer at one of your applications. For me, this means nothing more than 500+ error log emails in a night before I can get around to banning their IP via firewall. Well, since I've already got code that hooks into any uncaught exceptions and logs them, I figured why not extract out the IP and put it in a database so I can easily ban them. Then I thought, why shouldn't I just automate banning them too? Well, if anybody else has had that problem, here's some code for you:

SQL:
Code:
CREATE TABLE sys_ErrorIPs (Time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, Ip VARCHAR(30) NOT NULL) GO
CREATE TABLE sys_IPBans (Time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, Ip VARCHAR(30) NOT NULL) GO
CREATE view sys_FrequentErrors AS
    SELECT DISTINCT Ip FROM (
        SELECT *,
            ROW_NUMBER() OVER (
                PARTITION BY Ip
                ORDER BY Ip) As RN
            FROM sys_ErrorIPs
            WHERE DATEDIFF(MINUTE, Time, CURRENT_TIMESTAMP) < 1) A
        WHERE RN >= 5
        AND Ip NOT IN ('whitelist_1', 'whitelist_2')
        UNION (SELECT '120.1.1.21' AS Ip) -- bogus IP for powershell
GO

When you get an error, log your error as normal but insert the ip of the user into sys_ErrorIPs, then use the following PS script:

Code:
$cn = 'YOUR_CN_HERE'
$ips = Invoke-Sqlcmd -ConnectionString $cn -Query 'SELECT * FROM sys_FrequentErrors'
if ($ips.Count -gt 0)
{
    $filter = Get-NetFirewallRule -DisplayName Blacklist | Get-NetFirewallAddressFilter
    $ips | ForEach-Object {
        $ip = $_.Ip
        if (!$filter.RemoteAddress.Contains($ip))
        {
            $addrs = $filter.RemoteAddress + $ip
            Set-NetFirewallAddressFilter -InputObject $filter -RemoteAddress $addrs
            Invoke-Sqlcmd -ConnectionString $cn -Query "INSERT INTO sys_IPBans (Ip) VALUES('$ip');"
            Invoke-Sqlcmd -ConnectionString $cn -Query "DELETE FROM sys_ErrorIps WHERE Ip='$ip';"
            $cred = New-Object System.Management.Automation.PSCredential('YOUR_EMAIL_USER', (ConvertTo-SecureString 'YOUR_EMAIL_PASS' -AsPlainText -Force))
            Send-MailMessage -From 'FROM_EMAIL' -To 'TO_EMAIL' -Subject "Banned $ip" -SmtpServer 'YOUR_SMTP_SERVER' -Port 587 -Credential $cred
        }
    }
}

For me, I have that script set up in windows task scheduler to run every minute, so if somebody causes 5 or more unhandled exceptions in under a minute, the script will ban their IP, log that in the db, and send me an email about it.

Note: this assumes that you have a firewall rule named Blacklist.

Hope you enjoy.

[+] 2 users Like phyrrus9's post
Reply

RE: [PowerShell] Automatically ban IP addresses #2
I’m reading this through foggy glasses...
Can this be adapted to block anyone browsing through a VPN, like how I was using with algo through Digital Ocean?

Reply

RE: [PowerShell] Automatically ban IP addresses #3
(12-18-2020, 08:14 PM)sarcrates Wrote: I’m reading this through foggy glasses...
Can this be adapted to block anyone browsing through a VPN, like how I was using with algo through Digital Ocean?

The powershell script is basically just a script that loops over an array of ip addresses that its given, and adds them to an existing network policy. it has no idea if the ip is on a vpn or not (and that's probably not the route you'd want to go for that either)

Reply







Users browsing this thread: 1 Guest(s)