Tutorial [PowerShell] Automatically ban IP addresses

phyrrus9 · 12-18-2020, 04:47 PM

Maybe you're like me, and occasionally you'll get a random person somewhere in the world that points a fuzzer at one of your applications. For me, this means nothing more than 500+ error log emails in a night before I can get around to banning their IP via firewall. Well, since I've already got code that hooks into any uncaught exceptions and logs them, I figured why not extract out the IP and put it in a database so I can easily ban them. Then I thought, why shouldn't I just automate banning them too? Well, if anybody else has had that problem, here's some code for you:

SQL:

Code:
CREATE TABLE sys_ErrorIPs (Time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, Ip VARCHAR(30) NOT NULL) GO

CREATE TABLE sys_IPBans (Time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, Ip VARCHAR(30) NOT NULL) GO

CREATE view sys_FrequentErrors AS

    SELECT DISTINCT Ip FROM (

        SELECT *,

            ROW_NUMBER() OVER (

                PARTITION BY Ip

                ORDER BY Ip) As RN

            FROM sys_ErrorIPs

            WHERE DATEDIFF(MINUTE, Time, CURRENT_TIMESTAMP) < 1) A

        WHERE RN >= 5

        AND Ip NOT IN ('whitelist_1', 'whitelist_2')

        UNION (SELECT '120.1.1.21' AS Ip) -- bogus IP for powershell

GO

When you get an error, log your error as normal but insert the ip of the user into sys_ErrorIPs, then use the following PS script:

Code:
$cn = 'YOUR_CN_HERE'

$ips = Invoke-Sqlcmd -ConnectionString $cn -Query 'SELECT * FROM sys_FrequentErrors'

if ($ips.Count -gt 0)

{

    $filter = Get-NetFirewallRule -DisplayName Blacklist | Get-NetFirewallAddressFilter

    $ips | ForEach-Object {

        $ip = $_.Ip

        if (!$filter.RemoteAddress.Contains($ip))

        {

            $addrs = $filter.RemoteAddress + $ip

            Set-NetFirewallAddressFilter -InputObject $filter -RemoteAddress $addrs

            Invoke-Sqlcmd -ConnectionString $cn -Query "INSERT INTO sys_IPBans (Ip) VALUES('$ip');"

            Invoke-Sqlcmd -ConnectionString $cn -Query "DELETE FROM sys_ErrorIps WHERE Ip='$ip';"

            $cred = New-Object System.Management.Automation.PSCredential('YOUR_EMAIL_USER', (ConvertTo-SecureString 'YOUR_EMAIL_PASS' -AsPlainText -Force))

            Send-MailMessage -From 'FROM_EMAIL' -To 'TO_EMAIL' -Subject "Banned $ip" -SmtpServer 'YOUR_SMTP_SERVER' -Port 587 -Credential $cred

        }

    }

}

For me, I have that script set up in windows task scheduler to run every minute, so if somebody causes 5 or more unhandled exceptions in under a minute, the script will ban their IP, log that in the db, and send me an email about it.

Note: this assumes that you have a firewall rule named Blacklist.

Hope you enjoy.

sashimi0 · 12-18-2020, 08:14 PM

I’m reading this through foggy glasses...
Can this be adapted to block anyone browsing through a VPN, like how I was using with algo through Digital Ocean?

phyrrus9 · 12-18-2020, 09:11 PM

(12-18-2020, 08:14 PM)sarcrates Wrote: I’m reading this through foggy glasses...
Can this be adapted to block anyone browsing through a VPN, like how I was using with algo through Digital Ocean?

The powershell script is basically just a script that loops over an array of ip addresses that its given, and adds them to an existing network policy. it has no idea if the ip is on a vpn or not (and that's probably not the route you'd want to go for that either)