{"id":2086,"date":"2023-12-12T12:32:47","date_gmt":"2023-12-12T11:32:47","guid":{"rendered":"https:\/\/blog.mhasin.eu\/?p=2086"},"modified":"2023-12-12T12:33:36","modified_gmt":"2023-12-12T11:33:36","slug":"rdp-password-bruteforce","status":"publish","type":"post","link":"https:\/\/blog.mhasin.eu\/?p=2086","title":{"rendered":"RDP password BruteForce"},"content":{"rendered":"\n

Vytvorenie pravidla na firewall:<\/p>\n\n\n\n

New-NetFirewallRule -DisplayName \"BlockRDPBruteForce\" \u2013RemoteAddress 1.1.1.1 -Direction Inbound -Protocol TCP \u2013LocalPort 3389 -Action Block<\/code><\/pre>\n\n\n\n
Script ktory zabezpeci nacitanie IP ktore zadali 3x zle heslo a nasledne ich zablokuje cez FW:<\/p>\n\n\n\n
$Last_n_Hours = [DateTime]::Now.AddHours(-5)\n$badRDPlogons = Get-EventLog -LogName 'Security' -after $Last_n_Hours -InstanceId 4625 | ?{$_.Message -match 'logon type:\\s+(3)\\s'} | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }\n$getip = $badRDPlogons | group-object -property IpAddress | where {$_.Count -gt 5} | Select -property Name\n\n\n$log = \"C:\\rdp_blocked_ip.txt\"\n$current_ips = (Get-NetFirewallRule -DisplayName \"BlockRDPBruteForce\" | Get-NetFirewallAddressFilter ).RemoteAddress\nforeach ($ip in $getip)\n{\n$current_ips += $ip.name\n(Get-Date).ToString() + ' ' + $ip.name + ' The IP address has been blocked due to ' + ($badRDPlogons | where {$_.IpAddress -eq $ip.name}).count + ' attempts for 2 hours'>> $log # writing the IP blocking event to the log file\n}\nSet-NetFirewallRule -DisplayName \"BlockRDPBruteForce\" -RemoteAddress $current_ips\n\nDany PS1 script je potrebne spustat cez sheduller <\/code><\/pre>\n
 \t
 \t\t \t\t\"\"<\/a> \t\t  <\/span> \t\tSend article as PDF<\/span> \t\t  <\/span> \t\t \t\t \t<\/form> <\/div>","protected":false},"excerpt":{"rendered":"Vytvorenie pravidla na firewall: Script ktory zabezpeci nacitanie IP ktore zadali 3x zle heslo a nasledne ich zablokuje cez FW:    Send article as PDF   \n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"arc_restricted_post":false,"footnotes":""},"categories":[6],"tags":[29,28,27,30,31,26,24],"class_list":["post-2086","post","type-post","status-publish","format-standard","hentry","category-windows","tag-brute","tag-bruteforce","tag-ddos","tag-force","tag-prevention","tag-rdp","tag-windows"],"_links":{"self":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/2086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2086"}],"version-history":[{"count":1,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/2086\/revisions"}],"predecessor-version":[{"id":2087,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/2086\/revisions\/2087"}],"wp:attachment":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}