Many servers on the Internet are subject to brute force attacks, where an attacker (be that bot or human) keeps trying to break into a system using different user names and passwords. The longer an attack is allowed to continue, the greater the chance of the attacker gaining access to the system - even with a strong password policy. This is where PSLogonFailures comes in handy.
PSLogonFailures was written initially to prevent brute force attacks against the remote desktop login (which gives a logon type of 10) but could be adjusted to protect other mechanisms too (protection of other mechanisms not yet tested).
What does it do?
This script checks the security log of a Windows system and finds the failed logon attempts. For each remote host that fails a logon, a count is started, and when the count reaches the specified threshold, the IP of the "user" is blocked by the Windows firewall.
A whitelist of IP addresses can be specified to ensure legitimate users do not get locked out (although it could be argued that if they've failed to log on that number of times, perhaps they should be blocked!).
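The count, threshold, whitelist and firewall block described above, sketched as an added example (this is not the PSLogonFailures.ps1 source). It assumes failed logons are read from event ID 4625, a threshold of 5, and the NetSecurity cmdlets of Windows 8 / Server 2012 or later; the function and variable names are hypothetical.

```powershell
# Added example, not PSLogonFailures.ps1 itself. Assumes an elevated session on
# Windows 8 / Server 2012 or later (NetSecurity module). Names are hypothetical.
$Threshold = 5                # assumed; the page does not state the script's value
$Whitelist = @('127.0.0.1')   # the shipped whitelist.txt holds localhost only

function Get-FailedLogonSource {
    # One object per failed logon (event ID 4625) with its source IP and logon type.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
        -ErrorAction SilentlyContinue | ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{ IpAddress = $data['IpAddress']; LogonType = $data['LogonType'] }
        }
}

function Select-BlockCandidate {
    # Counting step: keep logon type 10, skip whitelisted or unparseable
    # addresses, and return each address seen at least $Threshold times.
    param([object[]]$Records, [string[]]$Whitelist, [int]$Threshold)
    $Records |
        Where-Object { $_.LogonType -eq '10' -and ($_.IpAddress -as [ipaddress]) } |
        Where-Object { $Whitelist -notcontains $_.IpAddress } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { $_.Name }
}

# Constructed sample records (documentation addresses) to run the counting step offline.
$sample  = 1..5 | ForEach-Object { [pscustomobject]@{ IpAddress = '203.0.113.7'; LogonType = '10' } }
$sample += [pscustomobject]@{ IpAddress = '198.51.100.9'; LogonType = '10' }               # below threshold
$sample += 1..6 | ForEach-Object { [pscustomobject]@{ IpAddress = '127.0.0.1'; LogonType = '10' } }  # whitelisted
Select-BlockCandidate -Records $sample -Whitelist $Whitelist -Threshold $Threshold

# Live run: -WhatIf prints the rule that would be created without changing the firewall.
$live = Select-BlockCandidate -Records (Get-FailedLogonSource) -Whitelist $Whitelist -Threshold $Threshold
foreach ($ip in $live) {
    New-NetFirewallRule -DisplayName "Example block $ip" -Direction Inbound -Action Block `
        -RemoteAddress $ip -WhatIf
}
```

Drop `-WhatIf` only after reviewing the addresses it lists against the whitelist.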
You can stay up-to-date with development of PSLogonFailures by subscribing to the PSLogonFailures development blog RSS feed.
- Size: 89.4KB
- MD5Sum: c7b8898b03bdf0bd6594fe235f55847f
- SHA1Sum: 4d16a0fec1bfd16f1ff59608ac82d15d399fadbc
Zip file contents
- The script (PSLogonFailures.ps1)
- PDF of the Installation guide
- whitelist.txt containing a single IP (localhost)
- blacklist.txt - an empty text file
How much does it cost?
This script is released free of charge, without warranty of any kind, under the GNU GPL. You may make changes to the script but:
- Please leave the original attribution intact (it's only polite).
- You may not charge for this script (or for scripts derived from it). However, you may charge for your time in installing it.
It has become apparent there is a bug in the Windows Server 2008 version of Get-WinEvent that causes this script to fail. See Troubleshooting.
The PSLogonFailures script was written by Jonathan Haddock (the maintainer of this wiki) and Andrew Cassidy. Jonathan and Andee were at school together and have a large amount of experience in administering computer networks.
If you wish to look back over previous versions, click this link: File:PSLogonFailures.zip.