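@echo off
SetLocal EnableDelayedExpansion
:: BlockIP.cmd - blocks the source address of repeated failed logons
:: (Security event 4625) with an inbound Windows Firewall rule named BlockIP.
:: Usage:  BlockIP.cmd        check the latest failed logon, block if needed
::         BlockIP.cmd reset  re-apply the firewall rule from BlockIP.list
:: Files next to the script: BlockIP.list (blocked addresses, one per line,
:: capped at 100), BlockIP.log (audit trail), BlockIP.tmp (scratch, deleted at :end).
:: The three path values carry their own quotes, so they are always written
:: bare (%tmpfile%, never "%tmpfile%"): double quoting breaks the redirections
:: as soon as %~dp0 contains a space.
set blocklistfile="%~dp0BlockIP.list"
set logfile="%~dp0BlockIP.log"
set tmpfile="%~dp0BlockIP.tmp"
echo Start...
:: Check for reset parameter (case-insensitive, a quoted argument is tolerated)
if /i "%~1" == "reset" (
  echo Resetting...
  goto reset
)
:: Get last bad login ip (in last 5 min = 300000 ms)
:: NOTE(review): /f:text renders the localized message text, so the
:: "Source Network Address:" match only works on an English Windows; the
:: XPath filter used for the count below is locale-independent.
set "ip="
wevtutil qe Security /c:1 /rd:true /f:text /q:"*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= 300000]]]" | find "Source Network Address:" > %tmpfile%
for /f "tokens=4" %%a in ('type %tmpfile%') do (set "ip=%%a")
if not defined ip goto end
:: The value comes straight out of event data and is later spliced into an
:: XPath query, the log and netsh arguments. Until it has been checked, read
:: it with delayed expansion (!ip!): %ip% is pasted into the line before cmd
:: parses it, !ip! afterwards, so a stray '&', '|' or quote cannot be executed.
:: A pipe would run the echo in a child cmd without delayed expansion, hence
:: the detour through the scratch file. Expected content: an IPv4/IPv6
:: literal, or "-" when the event carries no address.
if "!ip!" == "-" goto end
echo(!ip!>%tmpfile%
findstr /r /x "[0123456789abcdefABCDEF.:][0123456789abcdefABCDEF.:]*" %tmpfile% >nul || goto end
echo IP address: %ip%
:: Get amount of bad logins from this ip (in last 60 min = 3600000 ms);
:: at most 3 events are fetched (/c:3), so %count% never exceeds 3.
set "count="
wevtutil qe Security /c:3 /rd:true /f:text /q:"*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= 3600000]]] and *[EventData[Data[@Name='IpAddress'] and (Data='%ip%')]]" | find /c "%ip%" > %tmpfile%
for /f "tokens=1" %%a in ('type %tmpfile%') do (set "count=%%a")
if not defined count goto end
echo Attempts: %count%
:: Block ip if 3 or more bad attempts
if %count% lss 3 goto end
:: Ignore local ip addresses (prefix match on "192.168." and "10.")
:: NOTE(review): other private or special ranges (172.16/12, 169.254/16,
:: 127/8, ::1) are not excluded here and would be blocked.
set "iptest=b%ip%e"
if not "%iptest%" == "%iptest:b192.168.=%" goto localip
if not "%iptest%" == "%iptest:b10.=%" goto localip
:: Create firewall rule for new ip blocklist
:: (a trailing "!" in an echo is swallowed by delayed expansion, so none is used)
echo Blocking IP address
>>%logfile% echo %date% %time% Blocking IP address %ip%
call :addToUniqueLimitedList %blocklistfile% 100 %ip%
:reset
:: Re-apply the rule from the whole list. This path does not clear
:: BlockIP.list; with an empty list the rule is removed instead.
call :joinList %blocklistfile%
if "%join%" == "" (
  netsh advfirewall firewall delete rule name=BlockIP
  goto end
)
netsh advfirewall firewall set rule name=BlockIP new remoteip=%join%
:: NOTE(review): "set rule" is assumed to exit with 1 when no BlockIP rule
:: exists yet; only then is the rule created.
if %errorlevel% equ 1 netsh advfirewall firewall add rule name=BlockIP dir=in action=block remoteip=%join%
goto end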
:addToUniqueLimitedList
:: Usage: call :addToUniqueLimitedList "<filename>" <maxlines> "<line to add>"
:: Appends <line to add> unless an identical line (whole-line, literal match)
:: is already present, then drops lines from the top until at most <maxlines>
:: remain. Side effect: %count% is overwritten through :countlines.
findstr /x /c:"%~3" %1 >nul && exit /b
(echo %~3)>>%1
:trimlist
call :countlines %1
if not %count% gtr %2 exit /b
call :removefirstline %1
goto trimlist
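:countlines
:: Usage: call :countlines "<filename>"
:: Returns: the variable %count% will be set with the number of lines in the
::          file (0 when the file cannot be read).
:: Feeding the file on stdin makes FIND print the bare count instead of
:: "---------- <FILENAME>: <n>", so a path containing spaces no longer shifts
:: the token that holds the number.
set "count=0"
for /f "tokens=1" %%a in ('find /v /c "#$#" ^< %1') do (set "count=%%a")
exit /b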
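:removefirstline
:: Usage: call :removefirstline "<filename>"
:: Rewrites the file without its first line.
:: The scratch copy is built under %TEMP% with a random suffix instead of the
:: current directory, so a scheduled run from another working directory does
:: not leave temp1.tmp/temp2.tmp behind there.
:: "skip=1 delims=" copies every following line verbatim, so entries that
:: contain ':' (IPv6) survive; splitting on ':' after a findstr /n prefix
:: would truncate them at the first colon.
:: NOTE(review): FOR /F drops empty lines and lines starting with ';'.
set "rfl_tmp=%TEMP%\BlockIP.%RANDOM%.tmp"
type nul > "%rfl_tmp%"
for /f "usebackq skip=1 delims=" %%a in (%1) do ((echo %%a)>>"%rfl_tmp%")
move /y "%rfl_tmp%" %1 >nul
exit /b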
:joinList
:: Usage: call :joinList "<filename>"
:: Returns: %join% all the lines from the file joined to one comma separated string
:: Every line gets a trailing comma, so the result ends with ','
:: (e.g. "1.2.3.4,5.6.7.8,"); an unreadable file leaves %join% empty.
set "join="
for /f "usebackq tokens=*" %%a in (%1) do (set "join=!join!%%a,")
exit /b
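:localip
:: Reached when the address starts with "192.168." or "10.": log it, do not block.
:: The redirection is written first so the log line carries no trailing space.
echo IP address is local
>>%logfile% echo %date% %time% Ignoring local ip %ip%
:end
:: Common exit for every path above: drop the scratch file, if any, and report.
if exist %tmpfile% del %tmpfile%
echo Done.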