Automatically block RDP attacks using Windows Firewall and PowerShell

By accident I discovered that in one of my event logs (“Applications and Services Logs\Microsoft\Windows\RemoteDesktopServices-RdpCoreTS\Operational”) several entries with ID 140 are present. These events log attempts of users to log in to my server via RDP using wrong credentials. Obviously there should not be any such attempt, or maybe just one or two by myself. But in my case there are hundreds.

First I checked whether my local and my domain administrator accounts are both disabled. This was the case, so most of the login attempts will now also fail because the user is disabled. I assume most of them are trying to use this user. The user isn’t locked out by the attempts because there is enough time between the retries.

The text of the login attempt in the event log is “A connection from the client computer with an IP address of xxx.xxx.xxx.xxx failed because the user name or password is not correct.”

So I created a PowerShell script that reads these messages, filters the IP out of them and adds it to the Windows Firewall block list.
One prerequisite is that there is already a firewall rule with at least 2 blocked IP addresses. I was just too lazy to solve this in my script. To create this rule, start the Windows Firewall settings and create a new rule under “Inbound Rules”.

Select “Custom”. Leave “All programs” (just click “Next“). Leave any protocol type and port (just “Next“). In the Scope section at “Which remote IP addresses does this rule apply to” select “These IP addresses” and add two dummy addresses, e.g. 1.2.3.4 and 1.2.3.5. We need at least two addresses for the script. Click “Next“.

Select “Block the connection“.

At “Profile” check all profiles. At the last page enter a good name for your rule. We will need the name in our script. Now your rule configuration is done.


Now the script. This is the code that works with the prerequisite stated above. Copy the text to a file with the extension .ps1.

### Variables ###
# The name of the firewall rule in Windows Firewall
$firewallRuleName = "Block RDP Attackers"

# IPs that will not be blacklisted, e.g. your home IP if you are using DynDNS or any other static IP.
# A DNS name can resolve to several addresses, so the lists are joined with "+" to keep the array flat
# (a nested array would never match in the -contains check below).
$whiteList = @([System.Net.Dns]::GetHostAddresses("myhome.dyndns.org").IPAddressToString) + # Example for DNS entry
             @("89.20.58.68")                                                                 # Example for IP


### Script ###
Write-Host "Running at $(Get-Date)"
# The dots are escaped: an unescaped "." matches any character, so "1a2b3c4" would pass as an IP
$regExIp = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Get the current event log entries with event ID 140 (the filter hashtable is evaluated by the log itself,
# which is much faster than reading the whole log and filtering afterwards)
$messages = Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"; Id = 140} -ErrorAction SilentlyContinue |
   Select-Object -ExpandProperty Message

# If there is no response, there are no attacks
if ($null -eq $messages) {
   Write-Host "No current attackers"
   return
}

# Filter the IP out of each attacker message using the regex above.
# @() keeps this an array even when only one event was found; messages without an IP are dropped
# instead of being passed on to the firewall rule.
$currentAttackers = @(@($messages) | ForEach-Object { if ($_ -match $regExIp) { $Matches[0] } } | Sort-Object -Unique)

# Get the already known attackers from the firewall rule
# (@() turns a single address, which comes back as a plain string, into a one-element array)
$knownAttackers = @((Get-NetFirewallRule -DisplayName $firewallRuleName | Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique)

# Check each logged attacker and see if it is already known
foreach ($newAttacker in $currentAttackers) {
   if ($knownAttackers -contains $newAttacker) { # If it is known, don't do anything
      continue
   }
   elseif ($whiteList -contains $newAttacker) { # If it is whitelisted, don't do anything
      Write-Host "$newAttacker is dynamically whitelisted"
      continue
   }
   else { # Otherwise it is a new attacker, so add it to the blacklist
      $knownAttackers += $newAttacker
      Write-Host "Added $newAttacker"
   }
}

# Remove duplicates (should not be there, but anyway...)
$knownAttackers = @($knownAttackers | Sort-Object -Unique)
Write-Host "$($knownAttackers.Count) IPs on blacklist"

# Set the firewall rule with all known and all new attackers
Set-NetFirewallRule -DisplayName $firewallRuleName -RemoteAddress $knownAttackers
Write-Host ""

If your firewall rule has a different name than “Block RDP Attackers”, you have to change the line $firewallRuleName = "Block RDP Attackers" to your rule name.

Run the script “as administrator”. It will scan your event log and collect all IPs that are mentioned in the events with ID 140 in the corresponding log. These IPs will be added to the rule we created before, which will block them in the future.

I have a scheduled task that runs this script frequently. Within just a few hours, about 600 IP addresses were already on my block list. If you configure the scheduled task, be sure that the checkbox “Run with highest privileges” is checked.
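The firewall rule from the screenshots and the scheduled task from the last paragraph can be set up from an elevated PowerShell prompt as well. This is an added example and not part of the original post; the script path C:\Scripts\Block-RdpAttackers.ps1 and the 15-minute interval are assumptions to adjust.

```powershell
# Added example: create the inbound block rule and the scheduled task idempotently.
# Assumptions: the script from the post is saved as C:\Scripts\Block-RdpAttackers.ps1
# and should run every 15 minutes; both values are placeholders.
$firewallRuleName = "Block RDP Attackers"
$scriptPath       = "C:\Scripts\Block-RdpAttackers.ps1"
$taskName         = "Block RDP Attackers"

# 1. Inbound block rule with the two dummy addresses the post uses, created only if it is missing
$rule = Get-NetFirewallRule -DisplayName $firewallRuleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
   New-NetFirewallRule -DisplayName $firewallRuleName `
      -Direction Inbound -Action Block -Profile Any -Enabled True `
      -RemoteAddress @("1.2.3.4", "1.2.3.5") | Out-Null
   Write-Host "Created firewall rule '$firewallRuleName'"
} else {
   Write-Host "Firewall rule '$firewallRuleName' already exists"
}

# Sanity check: the rule must be an inbound block rule. If someone created an allow rule with
# the same name, the script would end up whitelisting the attackers instead of blocking them.
$rule = Get-NetFirewallRule -DisplayName $firewallRuleName
if ($rule.Action -ne "Block" -or $rule.Direction -ne "Inbound") {
   throw "Rule '$firewallRuleName' is not an inbound block rule, refusing to continue"
}

# 2. Scheduled task running the script as SYSTEM with highest privileges
#    (-RunLevel Highest is the "Run with highest privileges" checkbox from the post)
$action    = New-ScheduledTaskAction -Execute "powershell.exe" `
   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal `
   -Description "Adds RDP login-failure source IPs (event ID 140) to the '$firewallRuleName' rule" `
   -Force | Out-Null
Write-Host "Registered scheduled task '$taskName'"
```

Afterwards, Get-ScheduledTaskInfo -TaskName "Block RDP Attackers" shows the last run time and result, which is the quickest way to see whether the task actually fires.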

Install VMware Remote Console (VMRC) silently

After I struggled for some hours with this, I finally figured out the following command to install VMRC silently, without a reboot and with the automatic software update procedure disabled. Use this command:

VMware-VMRC-10.0.2-7096020.exe /s /v "/qn REBOOT=R EULAS_AGREED=1 AUTOSOFTWAREUPDATE=0 ATACOLLECTION=0"

To uninstall use this command (the GUID may be different on other VMRC versions):

MsiExec.exe /X{09E3AC7C-395C-47C6-9F66-4B9FB8325341} /qn /norestart


Update Certificate of VMware vCenter

I just had to update the certificate on the vCenter of my VMware lab environment and searched for a good manual about this. I didn’t find a complete one, so I decided to post one here.

Here we go:

  1. Log in via SSH to the vCenter Server (you need to activate SSH if it is disabled)
  2. Type shell into the console.
  3. Create a directory where we will store everything: mkdir /tmp/cert
  4. Execute chsh -s /bin/bash root to make it possible to connect via WinSCP later on
  5. Start the Certificate Manager: /usr/lib/vmware-vmca/bin/certificate-manager
  6. Select the first option (“Replace Machine SSL certificate with custom certificate”)
  7. Enter the local administrator (e.g. administrator@vsphere.local)
  8. Select the first option (“1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate”)
  9. Type the path to the folder we created in step 3 (/tmp/cert)
  10. State the parameters of the certificate. For the options “Name” and “Hostname” you need to state the FQDN of the server
  11. The CSR that your CA needs to create the certificate is stored in the output directory
  12. Download the CSR via WinSCP and create a certificate based on it. The certificate needs to be in Base64 format, and you will need the public root certificate of your CA.
  13. Upload the certificate and the root certificate to the /tmp/cert folder
  14. Continue the dialog (option 1), or if some time has passed in between, you can start all over again and select option 2 after starting the certificate manager instead of option 1.
  15. Now you have to state the paths to the certificate, the key and the root certificate of your CA
  16. When this is done, the wizard will install the certificate. This takes a while and will reconfigure and restart almost all services.

Tested on vCenter 6.5 and vCenter 6.7

Welcome

Welcome to the website of Kristian Reukauff. This site is about my public projects, apps and programming stuff as well as some topics about Smart Home.

Retro meets Modern: Settlers 3 and HyperV

Some days ago I remembered an old game I liked to play: Settlers 3 (“Siedler 3” in German). As is usual with old games, it does not run without problems on modern operating systems. So I decided to buy the GoG.com version of Settlers 3, and it works. The next step was to try to run a multiplayer session with a friend of mine. The problem we had was that we didn’t see our game sessions in the lobby. After some research on the internet we didn’t find any hints about our issue. So we started to dig.
When we started Settlers 3 for the first time, DirectPlay was installed. It is a kind of old network “framework”. So maybe we had problems with the network.
We figured out that the problem is caused by the multiple network adapters of my computer. Physically there is just one, but I have Hyper-V running on my PC for development purposes, and Hyper-V installs several additional pseudo adapters. After uninstalling Hyper-V (just for testing), it works. So we are now sure it is because of the network adapters. I don’t want to uninstall or disable Hyper-V every time I want to play Settlers. Hyper-V is for virtualization, so why not run Settlers 3 in a virtual machine?
I installed a Windows 10 VM, installed all updates and Settlers 3 (GoG edition). I started the game for the first time and it crashed. I restarted the VM. When Windows was starting there was a dialog to “connect” to the VM. In my Microsoft trainings I learned that this is the connection dialog for the enhanced session, a kind of RDP connection. I also know that if you are connected via RDP, the graphics card is just an emulated one for the session. So I didn’t click the “connect” button and stayed in the default session instead of changing to the enhanced session. I additionally disabled all Windows firewalls before starting Settlers 3 again. And voilà: it started. The multiplayer session also ran without any problems. In-game I recommend pressing F3 to change the resolution to the largest possible.

So in summary, what to do if you want to play Settlers 3 on a Hyper-V enabled machine:
1. Install a new VM with Windows XP or higher
2. Connect to that VM WITHOUT enhanced session (you can also disable this in the VM settings)
3. Disable all firewalls in the VM
4. Install Settlers 3 GoG Edition and also DirectPlay on the first start in the VM
5. Happy gaming!