Skip to content
This repository has been archived by the owner on Oct 2, 2022. It is now read-only.

IPBan Monitors failed security audit in Windows Event Viewer and bans ip addresses using netsh

License

Notifications You must be signed in to change notification settings

codref/Windows-IP-Ban-Service

 
 

Repository files navigation

*******************************************************************************
***** Requires .NET 4.0 and Windows Vista or Windows Server 2008 or newer *****
*******************************************************************************

Extract files to a place on your computer. Right click on all the extracted files and select properties. Make sure to select "unblock" if the option is available.

To run as a Windows service (example: sc create IPBAN type= own start= auto binPath= d:\system\ipban\ipban.exe DisplayName= IPBAN). The service writes a log file to the same directory as the service, so run as SYSTEM to ensure permissions.

Make sure to look at the config file for configuration options

To debug as a console app and troubleshoot, run "IPBAN.EXE debug"

Make sure you are logging failed login attempts via local security policy

Make sure to read this stackoverflow thread about ip addresses not getting logged: http://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve
In summary, change these local security options:
- Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
- Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
- Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts
- Do not allow for passwords to be saved -- Enabled
- Prompt for credentials on the client computer -- Enabled

If you want to run in Visual Studio, make sure to run Visual Studio as administrator

For reference, here is a regex that matches any 32 bit ip address:
(?<ipaddress>^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)

Please visit http://www.digitalruby.com/securing-your-windows-dedicated-server/ for more information about this and other products that we are making.

Enjoy!

-Jeff Johnson, CTO Digital Ruby, LLC

About

IPBan Monitors failed security audit in Windows Event Viewer and bans ip addresses using netsh

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C# 100.0%