Blocks all IPs that failed to log in after 20 attempts
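# Blocks source addresses with more than 20 failed logons (Security event 4625) in the
# last 24 hours by appending them to the pre-existing Windows Firewall rule 'BlockAttackers'.
# Requires an elevated session (Security log read + firewall policy write); the rule itself
# must be created manually beforehand (inbound, action Block) and is only ever extended here.
$DT = [DateTime]::Now.AddDays(-1) # check only last 24 hours

# Event 4625: the source address is the second-to-last replacement string (the last is the port).
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT |
    Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]}}

# Addresses with more than 20 failures inside the window.
$g = $l | Group-Object -Property IpAddress | Where-Object {$_.Count -gt 20} | Select-Object -Property Name

$fw = New-Object -ComObject hnetcfg.fwpolicy2 # firewall policy object
# Take exactly one rule: with duplicate names the original expression yields an array and the
# later property assignment would silently act on a PowerShell array instead of the COM rule.
$ar = $fw.Rules | Where-Object {$_.Name -eq 'BlockAttackers'} | Select-Object -First 1
if (-not $ar) {
    Write-Error "Firewall rule 'BlockAttackers' not found; create it (inbound, Block) before running this script."
    return
}

# The firewall stores each host address as 'a.b.c.d/255.255.255.255'; compare against that form
# so addresses already in the rule are not appended twice.
$arRemote = @($ar.RemoteAddresses -split ',')

# Keep only entries that are a real address (event text such as '-' or garbage must never
# reach the rule, where an unparseable token would make the whole assignment fail) and that
# are not already blocked.
$w = $g | Where-Object {
    $_.Name.Length -gt 1 -and
    ($_.Name -as [System.Net.IPAddress]) -ne $null -and
    -not ($arRemote -contains ($_.Name + '/255.255.255.255'))
}

$new = @($w | ForEach-Object { $_.Name })
if ($new.Count -gt 0) {
    $existing = [string]$ar.RemoteAddresses
    # A freshly created rule reports '*' (any address); appending to that, or to an empty
    # string, would produce a malformed list (',1.2.3.4' / '*,1.2.3.4'), so start a new list
    # in those cases. One assignment rewrites the rule once instead of once per address.
    if ([string]::IsNullOrEmpty($existing) -or $existing -eq '*') {
        $ar.RemoteAddresses = ($new -join ',')
    } else {
        $ar.RemoteAddresses = $existing + ',' + ($new -join ',')
    }
}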