PSLogonFailures

From Jonsdocswiki

Many servers on the Internet are subject to brute force attacks, where an attacker (be that bot or human) keeps trying to break into a system using different user names and passwords. The longer an attack is allowed to continue, the greater the chance of the attacker gaining access to the system, even with a strong password policy. This is where PSLogonFailures comes in handy.

PSLogonFailures was written initially to prevent brute force attacks against the remote desktop login (which gives a logon type of 10) but could be adjusted to protect other mechanisms too (protection of other mechanisms not yet tested).


What does it do?

This script checks the security log of a Windows system and finds the failed logon attempts. For each remote host that fails a logon, a count is started, and when the count reaches the specified threshold the IP of the "user" is blocked by the Windows firewall.

A whitelist of IP addresses can be specified to ensure legitimate users do not get locked out (although it could be argued that if they've failed to log on that number of times, perhaps they should be blocked!).
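The count-and-block logic described above, written out as an added example (it is not the PSLogonFailures source): it assumes failed logons appear as event ID 4625 in the Security log and that the `New-NetFirewallRule` cmdlet is available (Windows Server 2012 / Windows 8 or later). The threshold, look-back window and rule naming scheme are assumed values, and without `-Block` the script only reports.

```powershell
# Added example, not the PSLogonFailures source. Threshold, window and rule
# name prefix are assumed values; whitelist.txt is the file named on the page.
param(
    [int]$Threshold = 5,            # assumed: failures before an IP is blocked
    [int]$WindowHours = 24,         # assumed: how far back to read the log
    [int]$LogonType = 10,           # 10 = RemoteInteractive (remote desktop)
    [string]$WhitelistPath = '.\whitelist.txt',
    [switch]$Block                  # without this the script only reports
)

# Whitelist: one IP per line, blank lines ignored.
$whitelist = @()
if (Test-Path $WhitelistPath) {
    $whitelist = @(Get-Content $WhitelistPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Event ID 4625 = "An account failed to log on" in the Security log.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$WindowHours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Pull LogonType and IpAddress out of each event's XML EventData.
$sources = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip = $null
    # Skip other logon types and events with no usable source address (e.g. "-").
    if ([int]$data['LogonType'] -eq $LogonType -and
        [System.Net.IPAddress]::TryParse([string]$data['IpAddress'], [ref]$ip)) {
        $ip.ToString()
    }
}

# Count failures per source, drop whitelisted hosts, keep those at or over the threshold.
$offenders = $sources | Where-Object { $_ } | Group-Object |
    Where-Object { $_.Count -ge $Threshold -and $whitelist -notcontains $_.Name }

foreach ($o in $offenders) {
    $ruleName = "LogonFailures-Block-$($o.Name)"   # hypothetical naming scheme
    # Create the block rule once per address; re-runs do not duplicate it.
    if ($Block -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -RemoteAddress $o.Name | Out-Null
    }
    [pscustomobject]@{ RemoteAddress = $o.Name; Failures = $o.Count; Blocked = [bool]$Block }
}
```

Reading the Security log and creating firewall rules both require an elevated session; run it first without `-Block` and review the reported addresses against the whitelist.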

Stay up-to-date

You can stay up-to-date with development of PSLogonFailures by subscribing to the PSLogonFailures development blog RSS feed.

Download

You can download the script here as a zip file: PSLogonFailures.zip. Please ensure you read the Installation guide and system requirements.

  • Size: 89.4KB
  • MD5Sum: c7b8898b03bdf0bd6594fe235f55847f
  • SHA1Sum: 4d16a0fec1bfd16f1ff59608ac82d15d399fadbc

Zip file contents

  • The script (PSLogonFailures.ps1)
  • PDF of the Installation guide
  • whitelist.txt containing a single IP (localhost)
  • blacklist.txt - an empty text file

How much does it cost?

This script is released free of charge, without warranty of any kind, under the GNU GPL. You may make changes to the script but:

  • Please leave the original attribution intact (it's only polite).
  • You may not charge for this script (or for scripts derived from it). However, you may charge for your time in installing it.

If you find this script useful, please drop the authors a quick email as a thank you. The authors can be contacted via Jonathan.

Known Issues

It has become apparent there is a bug in the Windows Server 2008 version of Get-WinEvent that causes this script to fail. See Troubleshooting.

Credits

The PSLogonFailures script was written by Jonathan Haddock (the maintainer of this wiki) and Andrew Cassidy. Jonathan and Andee were at school together and have a large amount of experience in administering computer networks.

Previous versions

If you wish to look back over previous versions click this link: File:PSLogonFailures.zip.
