PSLogonFailure Version History
|Upgrading from pre-1.4|
Given the rule name changes, and the addition of new rules as part of service blocking, please manually remove all PSLogonFailures created firewall rules (they should start PSLogonFailures - Block) to ensure old rules are not left behind.
Release date: 2013-02-09
- Previously, if no IPs were blocked the event log text didn't make sense (it said “were blocked from : “ with no service name). This has been corrected.
Improvements: Added local blacklist processing so an attacker can be persistently blocked. See the $blacklist variable which defines the path. This feature is explained in the install guide.
Release date: 2012-12-20
Improvements: Changed the whitelist to be based on a text file, rather than a hash table. This makes it significantly easier to manage.
Release date: 2012-11-26
- Corrected code that removes firewall rules (moved it to a function) to ensure rules were correctly removed if there were no events in the time period (see 1.4 known bugs) or if there no problems.
- Found the published version of 1.3 was actually broken so not working on Server 2008. Corrected, apologies.
Release date: Unreleased
- Choice of additional services to block.
- Updated block message to state what services are being blocked.
- Added additional guidance comments in customisation section
- RDP rule is now always called PSLogonFailures - Block RDP to avoid accidentally leaving other ports blocked in the event of $RDPPort being changed.
- Default whitelist is now 127.0.0.1 so remember to customise the $whitelist.
Release date: 2012-11-22
- $LogName variable is now actually used by the script. Previously, even if you changed that variable the script still evaluated the Security log. Ultimately, the security log is where you're going to want to be checking so best not to change this.
- Corrected typo in the Install Guide
- Script now works with Server 2008 (i.e. not R2) meaning this can be deployed to SBS2008 and Server2008 Windows installations.
- Install Guide PDF (in the Zip) is now in full colour.
Release date: 2011-09-22
- Renamed script file --> PSLogonFailures.ps1
- Configurable variables for "log at start" ($WriteLogStart) and "log at end" ($WriteLogEnd) so they can be independantly disabled/enabled.
- When attacks are blocked, make the event an error and have an event ID of 1236 (rather than the 1234/Information used for all messages from it atm).
- Changed the firewall name to include the $RDPPort (e.g. PSLogonFailures - Block 3389)
Release date: 2011-09-13
Initial release of the script.