+- Sinisterly (https://sinister.ly)
+-- Forum: Coding (https://sinister.ly/Forum-Coding)
+--- Forum: Visual Basic & .NET Framework (https://sinister.ly/Forum-Visual-Basic-NET-Framework)
+--- Thread: Tutorial [PowerShell] Automatically ban IP addresses (/Thread-Tutorial-PowerShell-Automatically-ban-IP-addresses)
[PowerShell] Automatically ban IP addresses - phyrrus9 - 12-18-2020
Maybe you're like me, and occasionally you'll get a random person somewhere in the world that points a fuzzer at one of your applications. For me, this means nothing more than 500+ error log emails in a night before I can get around to banning their IP via firewall. Well, since I've already got code that hooks into any uncaught exceptions and logs them, I figured why not extract out the IP and put it in a database so I can easily ban them. Then I thought, why shouldn't I just automate banning them too? Well, if anybody else has had that problem, here's some code for you:
SQL:
Code:
CREATE TABLE sys_ErrorIPs (Time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, Ip VARCHAR(30) NOT NULL) GO
CREATE TABLE sys_IPBans (Time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, Ip VARCHAR(30) NOT NULL) GO
CREATE view sys_FrequentErrors AS
SELECT DISTINCT Ip FROM (
SELECT *,
ROW_NUMBER() OVER (
PARTITION BY Ip
ORDER BY Ip) As RN
FROM sys_ErrorIPs
WHERE DATEDIFF(MINUTE, Time, CURRENT_TIMESTAMP) < 1) A
WHERE RN >= 5
AND Ip NOT IN ('whitelist_1', 'whitelist_2')
UNION (SELECT '120.1.1.21' AS Ip) -- bogus IP for powershell
GOWhen you get an error, log your error as normal but insert the ip of the user into sys_ErrorIPs, then use the following PS script:
Code:
$cn = 'YOUR_CN_HERE'
$ips = Invoke-Sqlcmd -ConnectionString $cn -Query 'SELECT * FROM sys_FrequentErrors'
if ($ips.Count -gt 0)
{
$filter = Get-NetFirewallRule -DisplayName Blacklist | Get-NetFirewallAddressFilter
$ips | ForEach-Object {
$ip = $_.Ip
if (!$filter.RemoteAddress.Contains($ip))
{
$addrs = $filter.RemoteAddress + $ip
Set-NetFirewallAddressFilter -InputObject $filter -RemoteAddress $addrs
Invoke-Sqlcmd -ConnectionString $cn -Query "INSERT INTO sys_IPBans (Ip) VALUES('$ip');"
Invoke-Sqlcmd -ConnectionString $cn -Query "DELETE FROM sys_ErrorIps WHERE Ip='$ip';"
$cred = New-Object System.Management.Automation.PSCredential('YOUR_EMAIL_USER', (ConvertTo-SecureString 'YOUR_EMAIL_PASS' -AsPlainText -Force))
Send-MailMessage -From 'FROM_EMAIL' -To 'TO_EMAIL' -Subject "Banned $ip" -SmtpServer 'YOUR_SMTP_SERVER' -Port 587 -Credential $cred
}
}
}For me, I have that script set up in windows task scheduler to run every minute, so if somebody causes 5 or more unhandled exceptions in under a minute, the script will ban their IP, log that in the db, and send me an email about it.
Note: this assumes that you have a firewall rule named Blacklist.
Hope you enjoy.
RE: [PowerShell] Automatically ban IP addresses - sashimi0 - 12-18-2020
I’m reading this through foggy glasses...
Can this be adapted to block anyone browsing through a VPN, like how I was using with algo through Digital Ocean?
RE: [PowerShell] Automatically ban IP addresses - phyrrus9 - 12-18-2020
(12-18-2020, 08:14 PM)sarcrates Wrote: I’m reading this through foggy glasses...
Can this be adapted to block anyone browsing through a VPN, like how I was using with algo through Digital Ocean?
The powershell script is basically just a script that loops over an array of ip addresses that its given, and adds them to an existing network policy. it has no idea if the ip is on a vpn or not (and that's probably not the route you'd want to go for that either)