ts_block.vbs - Blocks brute force Terminal Services login attempts
Copyright 2011 Wellbury LLC - See LICENSE for license information
Release 20110901 - Adapted from sshd_block release 20100120
Release 20120530 - Added MSI to distribution
For support, please contact Evan Anderson at Wellbury LLC
[email protected], (866) 569-9799, ext 801
<http://serverfault.com/users/7200/evan-anderson>
If you like this program please drop me an email. If you have any
ideas for enhancements or find a bug, I'd love to hear about that
too.
Overview
========
ts_block is a VBScript program that acts as a WMI event sink to receive
events logged by Windows in response to invalid Terminal Services
logons. It parses these log entries and acts upon them as follows:
- If the IP address attempts to logon with a username flagged as "block
immediately" the IP address is blocked immediately.
- If the IP address attempts to logon more frequently than is allowed in
a given time period the IP address is blocked.
The "block immediately" usernames and thresholds associated with repeated
logon attempts are configurable in the "Configuration" section of the
script. Default settings are as follows:
Block Immediately Usernames - administrator, root, guest
Logon attempts allowed - 5 in 120 seconds (2 minutes)
Duration of block - 300 seconds (5 minutes)
The configuration variables for these values are reasonably
self-explanatory. Additional variables to enable/disable debugging and
event log usage are also present and self-explanatory. Review the
section "Registry Configuration Parameters" for information about
configuring via the registry (which is useful for management via Group
Policy).
Four times per second IP addresses that have remained blocked for their
assigned block duration are unblocked.
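The policy just described, as an added PowerShell illustration that is not ts_block's own VBScript: the three thresholds are applied to a handful of constructed failed-logon events so the behaviour can be reasoned about without a server. The per-IP count is reset when more than BlockTimeout seconds separate two failures, following the BlockTimeout definition in the Registry Configuration Parameters section; the exact bookkeeping inside ts_block.vbs may differ. The netsh commands are printed rather than run, and the "ts_block <ip>" rule name is an assumption.

```powershell
# Added example: a model of the ts_block policy, not the script's own code.
# Thresholds are the documented defaults; block/unblock actions are printed,
# not executed, and the "ts_block <ip>" firewall rule name is an assumption.
$BlockImmediately = @('administrator', 'root', 'guest')
$BlockAttempts    = 5     # failures that trigger a block
$BlockTimeout     = 120   # seconds; a longer gap between failures resets the count
$BlockDuration    = 300   # seconds a block stays in place

$failures = @{}   # ip -> @{ Attempts; LastSeen }
$blocked  = @{}   # ip -> time at which the block expires

function Add-Block([string]$Ip, [datetime]$Now, [string]$Reason) {
    if ($blocked.ContainsKey($Ip)) { return }
    $blocked[$Ip] = $Now.AddSeconds($BlockDuration)
    $failures.Remove($Ip)
    Write-Host ("{0:HH:mm:ss} BLOCK   {1}  ({2})" -f $Now, $Ip, $Reason)
    # What the text says ts_block does on Vista/2008 and later; shown, not run:
    Write-Host "    netsh advfirewall firewall add rule name=`"ts_block $Ip`" dir=in action=block remoteip=$Ip"
}

function Register-FailedLogon([string]$Ip, [string]$User, [datetime]$Now) {
    if ($blocked.ContainsKey($Ip)) { return }          # already blocked; nothing to count
    if ($BlockImmediately -contains $User.ToLower()) {
        Add-Block $Ip $Now "block-immediately username '$User'"
        return
    }
    $f = $failures[$Ip]
    if ($null -eq $f -or ($Now - $f.LastSeen).TotalSeconds -gt $BlockTimeout) {
        $f = @{ Attempts = 0; LastSeen = $Now }         # first failure, or the previous run timed out
    }
    $f.Attempts += 1
    $f.LastSeen = $Now
    $failures[$Ip] = $f
    if ($f.Attempts -ge $BlockAttempts) {
        Add-Block $Ip $Now "$($f.Attempts) failures within $BlockTimeout s of each other"
    }
}

function Remove-ExpiredBlock([datetime]$Now) {
    foreach ($ip in @($blocked.Keys)) {                 # copy the keys: entries are removed while iterating
        if ($blocked[$ip] -le $Now) {
            $blocked.Remove($ip)
            Write-Host ("{0:HH:mm:ss} UNBLOCK {1}" -f $Now, $ip)
            Write-Host "    netsh advfirewall firewall delete rule name=`"ts_block $ip`""
        }
    }
}

# Constructed failed-logon events (source IP, account name, seconds after start); not a real log.
$t0 = [datetime]'2012-05-30T10:00:00'
$events = @(
    @('203.0.113.5',  'jsmith',   0),
    @('203.0.113.5',  'jsmith',  10),
    @('203.0.113.5',  'jsmith',  20),
    @('203.0.113.5',  'jsmith',  30),
    @('203.0.113.5',  'jsmith',  40),   # fifth failure inside the window: blocked
    @('198.51.100.9', 'Root',    45),   # block-immediately name (case-insensitive): blocked at once
    @('203.0.113.5',  'jsmith',  50),   # ignored: the IP is already blocked
    @('192.0.2.77',   'backup',  60),
    @('192.0.2.77',   'backup', 200),   # 140 s gap exceeds BlockTimeout: count restarts at 1
    @('192.0.2.77',   'backup', 210),
    @('192.0.2.77',   'backup', 220),
    @('192.0.2.77',   'backup', 230)    # four within the window: not blocked
)
foreach ($e in $events) {
    $now = $t0.AddSeconds($e[2])
    Remove-ExpiredBlock $now                            # ts_block does this sweep four times a second
    Register-FailedLogon -Ip $e[0] -User $e[1] -Now $now
}
Remove-ExpiredBlock $t0.AddSeconds(400)                 # BlockDuration has passed for both blocks
```

The trace shows 203.0.113.5 blocked at 10:00:40 and 198.51.100.9 at 10:00:45, the later jsmith failure ignored because its source is already blocked, 192.0.2.77 never reaching five failures inside one window, and both rules removed by the final sweep.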
ts_block does not run under Windows 2000 Server (because I have no
machines handy to test it on and because the Terminal Services logon
type, 10, is not logged on Windows 2000 Server) or under Windows XP
(because the remote IP address is not included in the event log
message).
Pre-Requisite Computer Configuration
====================================
For Windows Vista, 2008, 7, and 2008 R2 the "Advanced Firewall" is used
to create inbound firewall rules blocking traffic from the blocked host.
On these operating systems no special configuration of the registry or
network adapters is necessary.
Because Windows Server 2003 lacks sufficient features in its built-in
firewall functionality a black-hole host route is used. Unfortunately,
the "trick" commonly used on Linux to black-hole traffic with a route to
"lo" (127.0.0.1) doesn't work on Windows. The "route" command will also
fail if the address specified isn't local to one of the machine's
interfaces. As such, there are two options for selecting the destination
address used for the black-hole route.
You may specify the black-hole destination IP address as REG_SZ value as
described below in the "Registry Configuration Parameters" section. This
address must be local to (in the same IP subnet as) one of the server
computer's interfaces. It is recommended that you select an address that
is unused in your network. This is my preferred method of installation
because no device drivers need to be installed.
Alternatively you may install a network interface on the server computer
with a static IP address assigned and no default gateway specified. A
physical hardware device is not necessary as the Microsoft Loopback
Adapter serves the purposes of this application. Details about
installing the Microsoft Loopback Adapter are available from:
http://support.microsoft.com/kb/842561
After you have installed the Microsoft Loopback Adapter (or chosen an
unused physical hardware NIC) specify a static IP address and no
default gateway in the TCP/IP version 4 properties for the adapter. The
IP address and subnet mask assigned to this adapter should not match any
network in use in your enterprise and should be in the RFC 1918 space.
The ts_block script will locate the adapter with no default gateway
specified and use it as the destination for the black-hole route.
Registry Configuration Parameters
=================================
The following configuration parameters are available under the registry
path: HKLM\Software\Policies\Wellbury LLC\ts_block
Parameter: BlockAttempts
Type: REG_DWORD
Explanation: The number of sequential failed logon attempts (with
accounts that are not considered "block immediately" accounts) that will
trigger a block.
Parameter: BlockDuration
Type: REG_DWORD
Explanation: The duration, in seconds, of a block (either because of
reaching the BlockAttempts threshold or because of a "block
immediately").
Parameter: BlockTimeout
Type: REG_DWORD
Explanation: The duration, in seconds, that must elapse between failed
logon attempts to reset the count of failed logon attempts for a given
IP address.
Parameter: BlackholeIP
Type: REG_SZ
Explanation: The IP address used for the black-hole route (for Windows
Server 2003). If not specified the default algorithm of selecting the IP
address of a network interface with no default gateway specified will be
used. This setting is not used in Windows Server 2008 and later versions
of Windows.
A Group Policy Administrative Template (ADM) file is included with this
distribution that is capable of setting these values. Deploying a GPO
near the top of the domain with the BlockAttempts, BlockDuration, and
BlockTimeout values specified and Site or OU-level GPOs with the
BlackholeIP value specified (as this will vary based on the subnets
where the server computers are located, and is only necessary for
Windows Server 2003 machines) is recommended.
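An added PowerShell example, not part of the ts_block distribution, that ties the two preceding sections together: it reads the policy values from the registry path above and falls back to the script's documented defaults when a value is absent (that a registry value overrides the script's built-in setting is an assumption here), then resolves the Windows Server 2003 black-hole address either from BlackholeIP, after checking that it really is in the subnet of a local interface as ROUTE.EXE requires, or by the no-default-gateway rule. Get-WmiObject is used instead of the newer NetTCPIP cmdlets because those do not exist on Windows Server 2003. The Set-TsBlockPolicy helper is for a standalone server; domain members should receive the values through the ADM/GPO as recommended above.

```powershell
# Added example, not ts_block's own code. Reads the documented policy values,
# validates them, and works out the Windows Server 2003 black-hole address.
$PolicyKey = 'HKLM:\Software\Policies\Wellbury LLC\ts_block'

function Set-TsBlockPolicy([int]$BlockAttempts, [int]$BlockTimeout, [int]$BlockDuration, [string]$BlackholeIP) {
    # Standalone servers only; run elevated. e.g. Set-TsBlockPolicy 5 120 300 '10.255.255.254'
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $values = @{ BlockAttempts = $BlockAttempts; BlockTimeout = $BlockTimeout; BlockDuration = $BlockDuration }
    foreach ($name in @($values.Keys)) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
    }
    if ($BlackholeIP) {
        New-ItemProperty -Path $PolicyKey -Name BlackholeIP -PropertyType String -Value $BlackholeIP -Force | Out-Null
    }
}

function Get-TsBlockPolicy {
    # Documented script defaults; a registry value, where present, is assumed to override them.
    $policy = @{ BlockAttempts = 5; BlockTimeout = 120; BlockDuration = 300; BlackholeIP = $null }
    $reg = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($reg) {
        foreach ($name in @($policy.Keys)) {
            if ($null -ne $reg.$name) { $policy[$name] = $reg.$name }
        }
    }
    # A REG_SZ "5" or a zero would silently break the thresholds, so check type and range.
    foreach ($name in 'BlockAttempts', 'BlockTimeout', 'BlockDuration') {
        if (-not ($policy[$name] -is [int]) -or $policy[$name] -lt 1) {
            throw "$name must be a positive REG_DWORD; got '$($policy[$name])'"
        }
    }
    return $policy
}

function Get-Ipv4Interface {
    # One object per IPv4 address of each enabled adapter; WMI works on Windows Server 2003.
    foreach ($cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        for ($i = 0; $i -lt $cfg.IPAddress.Length; $i++) {
            if ($cfg.IPAddress[$i] -match '^\d{1,3}(\.\d{1,3}){3}$') {
                New-Object PSObject -Property @{
                    Description = $cfg.Description
                    IPAddress   = $cfg.IPAddress[$i]
                    SubnetMask  = $cfg.IPSubnet[$i]
                    HasGateway  = ($null -ne $cfg.DefaultIPGateway -and $cfg.DefaultIPGateway.Length -gt 0)
                }
            }
        }
    }
}

function Test-SameSubnet([string]$Address, [string]$InterfaceIP, [string]$Mask) {
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($InterfaceIP).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($b[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Resolve-BlackholeIP($Policy) {
    $ifaces = @(Get-Ipv4Interface)
    if ($Policy.BlackholeIP) {
        $match = @($ifaces | Where-Object { Test-SameSubnet $Policy.BlackholeIP $_.IPAddress $_.SubnetMask })
        if ($match.Length -eq 0) {
            throw "BlackholeIP $($Policy.BlackholeIP) is not in the subnet of any local interface; ROUTE.EXE would reject it"
        }
        return $Policy.BlackholeIP
    }
    # No BlackholeIP configured: use the address of an interface that has no default gateway.
    $nogw = @($ifaces | Where-Object { -not $_.HasGateway })
    if ($nogw.Length -eq 0) { throw 'No BlackholeIP configured and no interface without a default gateway found' }
    return $nogw[0].IPAddress
}

$policy    = Get-TsBlockPolicy
$blackhole = Resolve-BlackholeIP $policy
"Policy: attempts=$($policy.BlockAttempts) timeout=$($policy.BlockTimeout)s duration=$($policy.BlockDuration)s"
"Host route of the form ts_block needs on Server 2003 (203.0.113.5 is a constructed attacker address):"
"    route add 203.0.113.5 mask 255.255.255.255 $blackhole"
```

On Vista, 2008 and later the black-hole part is irrelevant and Resolve-BlackholeIP can be skipped; the policy reader still applies there.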
Script Testing
==============
It is recommended that you copy the ts_block.vbs script to your desired
location, modify the configuration parameters if you are unsatisfied
with the defaults, and execute the script from there. It is recommended
that you execute the script using the CSCRIPT.EXE utility, but it is
possible to execute the script using WSCRIPT.EXE by double-clicking the
script file in Windows Explorer. Be aware that, should debugging be
enabled, execution is only effectively possible through CSCRIPT.EXE
because message logging to pop-up dialogs will "stall" the script until
the dialogs are dismissed.
Test the functionality of the script by performing invalid logons using
a "block immediately" account and by attempting repeated logons with a
valid or invalid account that is not in the "block immediately" list.
Blocking and unblocking events will be logged in the Application event
log. (It is recommended that you perform your tests via a protocol that
won't cause you to lose communication with the server computer during
testing, or from an IP address that isn't going to be blocked.)
Windows Service Installation
============================
A binary copy of the public domain "Non-Sucking Service Manager" (nssm,
available from http://iain.cx/src/nssm/) is included with ts_block to
facilitate installation as a Windows service. The Microsoft SRVANY tool
may also be used to run ts_block as a Windows Service.
If you choose to use nssm, copy the nssm.exe file to the location of
your choice (in "%ProgramFiles%\ts_block", for example).
After you are satisfied with the performance of the script in testing
and have copied nssm.exe to the desired location, install the script as
a Windows service using the following command-line (from the directory
where nssm was installed):
nssm install ts_block %SystemRoot%\System32\cscript.exe
"\"%ProgramFiles%\ts_block\ts_block.vbs\""
The command is depicted as two lines above but should be entered on a
single line. It is necessary to enter the "\" characters as depicted
such that the resulting registry entry is surrounded by double quotes.
This command will create a service set to start automatically. (If your
ts_block.vbs is stored in a path w/o spaces then you don't need to go
through those gyrations.)
After installing the service start it and verify that it functions
properly.
External Dependencies
=====================
The following external programs are required to be in the PATH for the
user context under which ts_block is executing:
ROUTE.EXE - For black-hole routing blocked IP addresses under Windows
Server 2003
NETSH.EXE - For creating Advanced Firewall rules on Windows Vista and
later versions of Windows
EVENTCREATE.EXE - For writing to the event log
(only if event logging is enabled)
Performance and Security
========================
A simple and fairly unscientific stress test function is included in the
script (and disabled by default). Testing with the parameters listed in
the script (but with the BLOCK_DURATION decreased from the default to 60
seconds) on a Windows Server 2003 SP2 x86 Standard Edition machine
resulted in peak memory usage of 6,780KB. As the blocked queue drained
at the end of the test, the memory usage decreased slightly. On the face
of it, it would appear that the script can handle at least thousands of
unique IP addresses being blocked at a rate of one IP address every 10
to 50ms with no major issues.
Parameters passed to calls to external programs for creating Windows
Event Log entries or altering IP routes are sanitized through a regular
expression match (allowing only the characters 0-9, a-z, A-Z, and
period, underscore, space, right-leaning slash, colon, and minus).
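The sanitization described above, as an added PowerShell illustration rather than the script's own VBScript: the account name from a failed logon is text the attacker typed into the logon prompt, so anything that ends up on a command line built for EVENTCREATE.EXE or ROUTE.EXE has to be checked against the whitelist first. The character set follows the paragraph above, taking the "right-leaning slash" to be the forward slash; the EVENTCREATE source name and event ID, and the choice to redact rather than refuse an unsafe username, are this example's assumptions.

```powershell
# Added example, not ts_block's own code: whitelist-check attacker-influenced values
# before they are placed on a command line. \z (not $) ends the pattern so that a
# value with a trailing newline cannot pass the check.
$SafePattern = '^[0-9A-Za-z._ /:\-]*\z'   # assumption: "right-leaning slash" means "/"
$Ipv4Pattern = '^\d{1,3}(\.\d{1,3}){3}\z'

function Test-SafeArgument([string]$Value) {
    return [bool]($Value -match $SafePattern)
}

function ConvertTo-SafeArgument([string]$Value) {
    # Redact rather than drop: the block should still happen, only the log text changes.
    if (Test-SafeArgument $Value) { return $Value }
    return '<unsafe-value-redacted>'
}

function New-EventCreateCommand([string]$Ip, [string]$User) {
    # The IP must be exactly an IPv4 address, not merely "safe characters".
    if ($Ip -notmatch $Ipv4Pattern) { throw "not an IPv4 address: '$Ip'" }
    $safeUser = ConvertTo-SafeArgument $User
    # Source name and event ID are assumptions for this example.
    return "eventcreate /T WARNING /ID 100 /L APPLICATION /SO ts_block /D `"Blocked $Ip after failed logons for user $safeUser`""
}

# Constructed inputs; the second is the kind of string an attacker can type into the username field.
$cases = @(
    @('203.0.113.5', 'jsmith'),
    @('203.0.113.5', 'jsmith" & calc.exe & "'),   # would end one cmd.exe argument and start another command
    @('203.0.113.5', "jsmith`n"),                  # passes a "$"-terminated pattern, fails "\z"
    @('203.0.113.5 & whoami', 'jsmith')            # a bad IP is discarded outright
)
foreach ($c in $cases) {
    try   { New-EventCreateCommand -Ip $c[0] -User $c[1] }
    catch { "REJECTED: $($_.Exception.Message)" }
}
```

The first case yields a normal command line, the second and third yield one with the username replaced by the placeholder, and the fourth is rejected before any command is built.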
Windows Installer Package (MSI)
===============================
A Windows Installer package (MSI) version of ts_block is included with
this distribution (along with the WiX source file used to create the
MSI). The MSI is self-contained (all necessary files are compressed and
embedded within it) and can be used for automated deployment of ts_block
as a service under NSSM. It has been tested using Group Policy Software
Installation Policy under Windows Server 2003, Windows Server 2008 R2,
and Windows 7. Uninstallation via Group Policy has also been tested.
Future Roadmap
==============
Exciting enhancement possibilities include:
- Loading values for "block immediately" usernames from the registry.