Last updated: 2015-05-06
Introduction
ts_block - a VBScript that acts as a WMI event sink: it receives the logon events logged by Windows and blocks the source IP of repeated failed logons
Link: https://github.com/EvanAnderson/ts_block
Supported OS:
- Vista
- 2008
- Windows 7
- 2008 R2
Default settings:
- Block Immediately Usernames - administrator, root, guest
- Logon attempts allowed - 5 in 120 seconds (2 minutes)
- Duration of block - 300 seconds (5 minutes)
Windows XP: not supported (the remote IP address is not included in the event log)
Windows 7: the "Advanced Firewall" is used for blocking
External executables required:
- route.exe
- netsh.exe
- eventcreate.exe
Files in C:\Program Files\ts_block:
- ts_block.vbs
- nssm.exe
- devcon.exe
Registry:
HKLM\Software\Policies\Wellbury LLC\ts_block
- BlockAttempts
- BlockDuration
- BlockTimeout (seconds after which the count of failed logon attempts is reset)
Script Testing
Default: double-clicking the script runs it under WSCRIPT.EXE, where logged messages appear as pop-ups.
Run it with the CSCRIPT.EXE utility instead so the messages go to the console.
Edit the script:
' debugging output
Const DEBUGGING = 1
Test:
CSCRIPT.EXE ts_block.vbs
intBlackHoleStyle = 1
Decided on black-hole IP address 10.0.0.1, interface Microsoft Loopback Adapter - VirtualBox Bridged Networking Driver Miniport
Event Log - Event ID: 1, Type: INFORMATION - Block Duration: 1200
Event Log - Event ID: 1, Type: INFORMATION - Block Attempts: 5
Event Log - Event ID: 1, Type: INFORMATION - Block Timeout: 120
Event Log - Event ID: 1, Type: INFORMATION - Blackhole IP: 10.0.0.1
Event Log - Event ID: 1, Type: INFORMATION - ts_block version 20110831 started. Entering normal operation busy-wait loop.
When an IP is blocked:
Executing route add 123.202.144.65 mask 255.255.255.255 10.0.0.1
Event Log - Event ID: 256, Type: INFORMATION - Blocked 123.202.144.65 until 2014/1/6 03:03:58
route print (output):
123.202.x.x 255.255.255.255 10.0.0.1 10.0.0.1 1
Unblock:
route delete 123.202.x.x
Manual Installation:
Once testing has completed without problems, copy nssm.exe to "%ProgramFiles%\ts_block"
then run:
nssm install ts_block %SystemRoot%\System32\cscript.exe "\"%ProgramFiles%\ts_block\ts_block.vbs\""
output:
Service "ts_block" installed successfully!
MSI Installation (ts_block_20120530), state after installation:
- Program: C:\Program Files\ts_block
- Service: ts_block
Logs:
Windows event logs, Application section:
Service start:
ts_block version 20110831 started.
Blocking someone:
Blocked x.x.x.x until 7/5/2015 11:23:00
Event IDs (constants in the script):
Const EVENTLOG_SOURCE = "ts_block" ' filter the event log on this source to find the related events
Const EVENTLOG_TYPE_INFORMATION = "INFORMATION"
Const EVENTLOG_TYPE_ERROR = "ERROR"
Const EVENTLOG_ID_STARTED = 1
Const EVENTLOG_ID_BLOCK = 256
Const EVENTLOG_ID_UNBLOCK = 257
Block settings
Block Immediately Usernames:
dictBlockImmediatelyUsers.Add "administrator", 1 ' present by default
dictBlockImmediatelyUsers.Add "guest", 1
Attempt count:
Const DEFAULT_BLOCK_ATTEMPTS = 5
' Timeout for attempts before a new attempt is considered a first attempt
Const DEFAULT_BLOCK_TIMEOUT = 120
Unblock after:
Const DEFAULT_BLOCK_DURATION = 300
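The block settings above (attempt count, timeout, duration, block-immediately usernames) and the event IDs 256/257 from the Logs section are easiest to understand by replaying failed logons through the decision logic. The following is an added Python model written for this page; it is not ts_block's own VBScript and does not call route.exe, it only records the commands and event-log messages ts_block would emit. The windowing rule (the count restarts when more than BlockTimeout seconds pass since the previous failure) is my reading of the comment on DEFAULT_BLOCK_TIMEOUT, and the event sequence is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Defaults taken from the page (ts_block constants / registry values).
BLOCK_ATTEMPTS = 5          # DEFAULT_BLOCK_ATTEMPTS / BlockAttempts
BLOCK_TIMEOUT = 120         # DEFAULT_BLOCK_TIMEOUT / BlockTimeout, seconds
BLOCK_DURATION = 300        # DEFAULT_BLOCK_DURATION / BlockDuration, seconds
BLACKHOLE_IP = "10.0.0.1"   # BlackholeIP, as in the page's test run
BLOCK_IMMEDIATELY_USERS = {"administrator", "root", "guest"}
EVENTLOG_ID_BLOCK = 256
EVENTLOG_ID_UNBLOCK = 257


@dataclass
class Blocker:
    """Model of ts_block's decision logic; records commands instead of running route.exe."""
    attempts: dict = field(default_factory=dict)   # ip -> (failure count, time of last failure)
    blocked: dict = field(default_factory=dict)    # ip -> expiry time
    actions: list = field(default_factory=list)    # (event id, command, event log message)

    def expire(self, now):
        """Remove black-hole routes whose BlockDuration has elapsed (event 257)."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.actions.append((EVENTLOG_ID_UNBLOCK, f"route delete {ip}", f"Unblocked {ip}"))

    def block(self, now, ip):
        """Add the host route towards the black-hole address (event 256)."""
        until = now + timedelta(seconds=BLOCK_DURATION)
        self.blocked[ip] = until
        self.attempts.pop(ip, None)
        self.actions.append((EVENTLOG_ID_BLOCK,
                             f"route add {ip} mask 255.255.255.255 {BLACKHOLE_IP}",
                             f"Blocked {ip} until {until:%Y/%m/%d %H:%M:%S}"))

    def failed_logon(self, now, username, ip):
        """Feed one failed-logon event; returns True if this event caused a block."""
        self.expire(now)
        if ip in self.blocked:
            return False                      # already black-holed, nothing more to do
        if username.lower() in BLOCK_IMMEDIATELY_USERS:
            self.block(now, ip)               # "Block Immediately Usernames"
            return True
        count, last = self.attempts.get(ip, (0, now))
        if (now - last).total_seconds() > BLOCK_TIMEOUT:
            count = 0                         # quiet for longer than BlockTimeout: count restarts
        count += 1
        self.attempts[ip] = (count, now)
        if count >= BLOCK_ATTEMPTS:
            self.block(now, ip)
            return True
        return False


def run_sample():
    """Replay a constructed sequence of failed logons (not real log data)."""
    t0 = datetime(2015, 5, 6, 11, 20, 0)
    # (seconds after t0, username, source IP); the IPs are documentation ranges, not real hosts
    sample = [
        (0, "bob", "198.51.100.23"),
        (0, "alice", "192.0.2.7"),
        (10, "bob", "198.51.100.23"),
        (20, "bob", "198.51.100.23"),
        (30, "bob", "198.51.100.23"),
        (40, "bob", "198.51.100.23"),          # 5th failure within 120 s -> blocked until +300 s
        (50, "bob", "198.51.100.23"),          # already blocked, ignored
        (60, "Administrator", "203.0.113.9"),  # listed username -> blocked on the first failure
        (130, "alice", "192.0.2.7"),           # each alice failure is > 120 s after the previous,
        (260, "alice", "192.0.2.7"),           # so her count never passes 1
        (390, "alice", "192.0.2.7"),           # by now both blocks have expired -> two unblocks
        (520, "alice", "192.0.2.7"),
    ]
    b = Blocker()
    for secs, user, ip in sample:
        b.failed_logon(t0 + timedelta(seconds=secs), user, ip)
    return b


if __name__ == "__main__":
    for event_id, command, message in run_sample().actions:
        print(f"Event ID {event_id}: {message:<45} {command}")
```

The slow attacker (alice) shows the limit of a per-IP counter with a reset timeout: failures spaced wider than BlockTimeout never accumulate, which is why the block-immediately list for well-known account names matters as a second rule.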
Black-hole traffic (black-hole route):
- Microsoft Loopback Adapter
- no default gateway
Principle:
A route to "lo" (127.0.0.1) doesn't work on Windows.
The "route" command will fail if the address specified isn't local to one of the machine's interfaces, which is why a loopback adapter with a static IP is used as the black-hole next hop.
REG:
Parameter: BlackholeIP
Type: REG_SZ
Explanation: The IP address used for the black-hole route (for Windows Server 2003).
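A quick way to audit what ts_block has currently blocked, and to confirm that the BlackholeIP really is local to an interface (the precondition in the Principle section), is to read the routing table that the route print / route delete section shows. The parser below is an added example for this page, not part of ts_block; the route print text it parses is constructed to look like Windows output (the 123.202.144.65 entry mirrors the page's own blocked host, 198.51.100.23 is a documentation address).

```python
import ipaddress

# Constructed sample of "route print" output (not captured from a real host).
# The two /32 host routes via 10.0.0.1 are the kind ts_block leaves behind.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     10
        10.0.0.0    255.255.255.0         On-link         10.0.0.1    276
   123.202.144.65  255.255.255.255         10.0.0.1        10.0.0.1      1
    198.51.100.23  255.255.255.255         10.0.0.1        10.0.0.1      1
       127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  None
"""

HOST_MASK = "255.255.255.255"


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) for each IPv4 route row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # headers, separators, "Persistent Routes:" etc.
        dest, mask, gw, iface, metric = parts
        try:
            ipaddress.IPv4Address(dest)
            ipaddress.IPv4Address(mask)
        except ipaddress.AddressValueError:
            continue                      # a 5-word line that is not a route row
        rows.append((dest, mask, gw, iface, metric))
    return rows


def blackholed_hosts(text, blackhole_ip):
    """Host routes (/32) whose gateway is the black-hole address: the IPs currently blocked."""
    return [dest for dest, mask, gw, _, _ in parse_routes(text)
            if mask == HOST_MASK and gw == blackhole_ip]


def blackhole_is_local(text, blackhole_ip):
    """True if some route is bound to an interface carrying the black-hole IP (route add would fail otherwise)."""
    return any(iface == blackhole_ip for _, _, _, iface, _ in parse_routes(text))


def unblock_commands(text, blackhole_ip):
    """The route delete commands that would clear every current block."""
    return [f"route delete {ip}" for ip in blackholed_hosts(text, blackhole_ip)]


if __name__ == "__main__":
    print("black-hole IP local:", blackhole_is_local(SAMPLE_ROUTE_PRINT, "10.0.0.1"))
    for cmd in unblock_commands(SAMPLE_ROUTE_PRINT, "10.0.0.1"):
        print(cmd)
```

On a live host the text would come from running route print and capturing stdout; matching on gateway and /32 mask rather than on the destination is what separates ts_block's entries from the normal On-link and default routes.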
Installing the loopback interface on Windows:
devcon.exe install %windir%\inf\netloop.inf *msloop
* give the new interface a static IP address and no default gateway
output:
Device node created. Install is complete when drivers are updated...
Updating drivers for *msloop from C:\WINDOWS\inf\netloop.inf.
Drivers updated successfully.