From ad4984992a8a734758f06ae55cdae3102149d8bb Mon Sep 17 00:00:00 2001
From: hsteinmueller
Date: Wed, 7 Oct 2020 11:41:32 +0200
Subject: [PATCH 1/2] blacklist -> blocklist, whitelist -> allowlist
---
 script/PSLogonFailures.ps1 | 62 ++++++++++++-------------
 script/{whitelist.txt => allowlist.txt} | 0
 script/{blacklist.txt => blocklist.txt} | 0
 3 files changed, 31 insertions(+), 31 deletions(-)
 rename script/{whitelist.txt => allowlist.txt} (100%)
 rename script/{blacklist.txt => blocklist.txt} (100%)
diff --git a/script/PSLogonFailures.ps1 b/script/PSLogonFailures.ps1
index d71920d..1db7676 100644
--- a/script/PSLogonFailures.ps1
+++ b/script/PSLogonFailures.ps1
@@ -25,10 +25,10 @@ $BlockSMTP = 0 # Set to 1 blocks SMTP traffic on port 25
 $BlockRWW_RDP = 0 # When set to 1, blocks port 4125, used by SBS servers to proxy RDP connections.
 $fwprofile = "Any" # Set to "Any" to apply to all networks (public, domain, private / home)
-# Full path to the whitelist, e.g. c:\psl\whitelist.txt :
-$whitelist = 'C:\psl\whitelist.txt'
-# Full path to blacklist e.g: c:\psl\blacklist.txt
-$blacklist = 'C:\psl\blacklist.txt'
+# Full path to the allowlist, e.g. c:\psl\allowlist.txt :
+$allowlist = 'C:\psl\allowlist.txt'
+# Full path to blocklist e.g: c:\psl\blocklist.txt
+$blocklist = 'C:\psl\blocklist.txt'
 ############################
 # Do not edit beneath here #
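Review bot: `$blocklist = 'C:\psl\blocklist.txt'` gives the path the same name as the hashtable `$blocklist = @{}` created a few lines later (visible as context in hunk @@ -39), so after this commit `test-path $blocklist` and `get-content $blocklist` in ProcessBlocklists (hunks @@ -59 and @@ -74) see the hashtable rather than the file. Test-Path presumably fails on the hashtable's string form, so the blocklist is never loaded and every run logs event 1239 instead. Keeping the path under a distinct name, e.g. `$blocklistfile = 'C:\psl\blocklist.txt'`, avoids the clash; patch 2/2 on this page makes that rename as `$blockListFile`.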
@@ -39,12 +39,12 @@ $WinVer = [System.Environment]::OSVersion.Version
 #Deal with the lists:
 $blocklist = @{}
-if (test-path $whitelist) {
- write-host "Whitelist found" -foregroundcolor green
+if (test-path $allowlist) {
+ write-host "Allowlist found" -foregroundcolor green
 } else {
- # If the whitelist can't be found:
- Write-host "Unable to find the whitelist file, exiting for your protection." -foregroundcolor red -backgroundcolor gray
- Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the whitelist. Exiting for your protection. `n Whitelist claims to be at: $whitelist" -Source $WriteLogSource -EntryType Error -id 1237
+ # If the allowlist can't be found:
+ Write-host "Unable to find the allowlist file, exiting for your protection." -foregroundcolor red -backgroundcolor gray
+ Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the allowlist. Exiting for your protection. `n Allowlist claims to be at: $allowlist" -Source $WriteLogSource -EntryType Error -id 1237
 exit
 }
@@ -59,13 +59,13 @@ function DeletePSLFirewallRules {
 netsh advfirewall firewall del rule name="PSLogonFailures - Block All TCP"
 }
-function ProcessBlacklists {
- write-host Processing blacklists -foregroundcolor yellow
- if (test-path $blacklist){
- if ((get-content $blacklist|measure-object).count -gt 0){
- #Add the blacklist to the $blocklist
- $blacklist_content = get-content $blacklist
- foreach ($BlIP in $blacklist_content){
+function ProcessBlocklists {
+ write-host Processing blocklists -foregroundcolor yellow
+ if (test-path $blocklist){
+ if ((get-content $blocklist|measure-object).count -gt 0){
+ #Add the blocklist to the $blocklist
+ $blocklist_content = get-content $blocklist
+ foreach ($BlIP in $blocklist_content){
 if($blocklist.ContainsKey($BlIP)){
 $blocklist[$BlIP] = $blocklist[$BlIP]+1
 }else{
@@ -74,15 +74,15 @@ function ProcessBlacklists {
 }
 }
 } else {
-Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the blacklist.`n Blacklist claims to be at: $blacklist" -Source $WriteLogSource -EntryType Error -id 1239
+Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the blocklist.`n Blocklist claims to be at: $blocklist" -Source $WriteLogSource -EntryType Error -id 1239
 }
 }
-function ProcessWhitelist{
- write-host Processing Whitelist -foregroundcolor yellow
- $whitelistIPs = get-content $whitelist
- foreach ($ip in $whitelistIPs)
+function ProcessAllowlist{
+ write-host Processing Allowlist -foregroundcolor yellow
+ $allowlistIPs = get-content $allowlist
+ foreach ($ip in $allowlistIPs)
 {
 if ($blocklist.containskey($ip)){
 $badwhites = "$badwhites `n $ip"
@@ -169,10 +169,10 @@ function AddFirewallRules {
 }
-function BlockBlacklistOnly {
+function BlockBlocklistOnly {
 #This will be called if the local security log doesn't have any failed logins.
- . ProcessBlacklists
- . ProcessWhitelist
+ . ProcessBlocklists
+ . ProcessAllowlist
 . AddFirewallRules
 }
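Review bot: ProcessAllowlist still accumulates matches into `$badwhites`, a name the rename leaves behind, and it does so with a plain assignment rather than a `$script:` scoped one; the value is read later by WriteEndLog (hunk @@ -180), which appears to work only because callers invoke the function with the dot operator (`. ProcessAllowlist` in hunk @@ -169) so that it runs in the caller's scope. That dependency is worth stating above the function, e.g. `# Must be dot-sourced (. ProcessAllowlist): it assigns $badwhites in the caller's scope so WriteEndLog can report it`. Renaming the variable, e.g. to `$badAllowed`, would finish the terminology change, but WriteEndLog and the commented-out block in hunk @@ -261 read it and would need the same edit. The function body continues outside the hunk.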
@@ -180,7 +180,7 @@ function BlockBlacklistOnly {
 function WriteEndLog{
 if ($WriteLogEnd -eq 1){
 if ($WriteLogType -eq 'Error'){
- Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following whitelisted IPs are also attacking (or on a blacklist): $badwhites `n Whitelist file: $whitelist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
+ Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking (or on a blocklist): $badwhites `n Allowlist file: $allowlist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
 } else {
 Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1. There were no failed logon attempts in the security log. Removing the firewall rule." -Source $WriteLogSource -id $WriteLogID
 }
@@ -197,7 +197,7 @@ trap [Exception]
 write-host "No Entries (TRAP)"
 DeletePSLFirewallRules
- . BlockBlacklistOnly
+ . BlockBlocklistOnly
 WriteEndLog
 exit
 } else {
@@ -209,7 +209,7 @@ trap [Exception]
 if ($WriteLogStart -eq 1){
 # Log the fact this script is starting.
- Write-EventLog -LogName $WriteLog -Message "Starting PSLogonFailures.ps1. `n Windows Version $WinVer . `n Your whitelist: $whitelist" -Source $WriteLogSource -id 1234
+ Write-EventLog -LogName $WriteLog -Message "Starting PSLogonFailures.ps1. `n Windows Version $WinVer . `n Your allowlist: $allowlist" -Source $WriteLogSource -id 1234
 }
 $interval = (get-date) - (new-timespan -minutes $minutes)
@@ -220,8 +220,8 @@ if ($WinVer.major -eq 6 -and $WinVer.minor -eq 0){
 $event = get-winevent -FilterHashtable @{ logname=$LogName; ID=4625; StartTime=$interval }
 }
-#Add the Blacklist to the $blocklist
-ProcessBlacklists
+#Add the Blocklist to the $blocklist
+ProcessBlocklists
 foreach ($ip in $event){
@@ -252,7 +252,7 @@ ProcessBlacklists
 }
-# Deal with the whitelist
+# Deal with the allowlist
 . ProcessWhiteList
 # Remove any stale rules
 . DeletePSLFirewallRules
@@ -261,5 +261,5 @@ ProcessBlacklists
 WriteEndLog
 #if ($WriteLogEnd -eq 1){
-# Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following whitelisted IPs are also attacking: $badwhites `n Whitelist file: $whitelist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
+# Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking: $badwhites `n Allowlist file: $allowlist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
 #}
diff --git a/script/whitelist.txt b/script/allowlist.txt
similarity index 100%
rename from script/whitelist.txt
rename to script/allowlist.txt
diff --git a/script/blacklist.txt b/script/blocklist.txt
similarity index 100%
rename from script/blacklist.txt
rename to script/blocklist.txt
From 003a29f6b566f375e17f7e2b1dc5691f8afe58e2 Mon Sep 17 00:00:00 2001
From: hsteinmueller
Date: Wed, 7 Oct 2020 14:28:52 +0200
Subject: [PATCH 2/2] fixed double blocklist error
---
 script/PSLogonFailures.ps1 | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/script/PSLogonFailures.ps1 b/script/PSLogonFailures.ps1
index 1db7676..9e13552 100644
--- a/script/PSLogonFailures.ps1
+++ b/script/PSLogonFailures.ps1
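Review bot: The call `. ProcessWhiteList` on the new side is left as it was although the comment directly above it is updated and the function was renamed to ProcessAllowlist in hunk @@ -74, so the main code path invokes a command that no longer exists; the only updated call site is inside BlockBlocklistOnly (hunk @@ -169). Unless the script's `trap [Exception]` (seen as context of hunks @@ -197 and @@ -209) handles the resulting command-not-found error, the allowlist step is skipped in a normal run, and since ProcessAllowlist appears to be what reconciles the allowlist against `$blocklist` before the firewall rules are built, allowlisted addresses may end up in the block rules while the `$badwhites` report in WriteEndLog stays empty. The line should read `. ProcessAllowlist`. Patch 2/2 (its hunk @@ -252) edits the same comment again and still leaves the call unchanged.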
@@ -25,10 +25,10 @@ $BlockSMTP = 0 # Set to 1 blocks SMTP traffic on port 25
 $BlockRWW_RDP = 0 # When set to 1, blocks port 4125, used by SBS servers to proxy RDP connections.
 $fwprofile = "Any" # Set to "Any" to apply to all networks (public, domain, private / home)
-# Full path to the allowlist, e.g. c:\psl\allowlist.txt :
-$allowlist = 'C:\psl\allowlist.txt'
+# Full path to the allowListFile, e.g. c:\psl\allowlist.txt :
+$allowListFile = 'C:\psl\allowlist.txt'
 # Full path to blocklist e.g: c:\psl\blocklist.txt
-$blocklist = 'C:\psl\blocklist.txt'
+$blockListFile = 'C:\psl\blocklist.txt'
 ############################
 # Do not edit beneath here #
@@ -39,12 +39,12 @@ $WinVer = [System.Environment]::OSVersion.Version
 #Deal with the lists:
 $blocklist = @{}
-if (test-path $allowlist) {
+if (test-path $allowListFile) {
 write-host "Allowlist found" -foregroundcolor green
 } else {
- # If the allowlist can't be found:
+ # If the allowlist File can't be found:
 Write-host "Unable to find the allowlist file, exiting for your protection." -foregroundcolor red -backgroundcolor gray
- Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the allowlist. Exiting for your protection. `n Allowlist claims to be at: $allowlist" -Source $WriteLogSource -EntryType Error -id 1237
+ Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the allowlist file. Exiting for your protection. `n Allowlist claims to be at: $allowListFile" -Source $WriteLogSource -EntryType Error -id 1237
 exit
 }
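Review bot: The comment above the renamed setting, `# Full path to the allowListFile, e.g. c:\psl\allowlist.txt :`, now repeats the variable name instead of describing the value, and this is the part of the script an operator is expected to edit. `# Full path to the allowlist file, e.g. c:\psl\allowlist.txt` reads better, and the blocklist comment two lines down could become `# Full path to the blocklist file, e.g. c:\psl\blocklist.txt` for symmetry. The same pattern appears in `# If the allowlist File can't be found:` in hunk @@ -39, where `# If the allowlist file can't be found:` is enough.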
@@ -61,10 +61,10 @@ function DeletePSLFirewallRules {
 function ProcessBlocklists {
 write-host Processing blocklists -foregroundcolor yellow
- if (test-path $blocklist){
- if ((get-content $blocklist|measure-object).count -gt 0){
- #Add the blocklist to the $blocklist
- $blocklist_content = get-content $blocklist
+ if (test-path $blockListFile){
+ if ((get-content $blockListFile|measure-object).count -gt 0){
+ #Add the blockListFile to the $blocklist
+ $blocklist_content = get-content $blockListFile
 foreach ($BlIP in $blocklist_content){
 if($blocklist.ContainsKey($BlIP)){
 $blocklist[$BlIP] = $blocklist[$BlIP]+1
@@ -74,15 +74,15 @@ function ProcessBlocklists {
 }
 }
 } else {
- Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the blocklist.`n Blocklist claims to be at: $blocklist" -Source $WriteLogSource -EntryType Error -id 1239
+ Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the blocklist.`n Blocklist claims to be at: $blockListFile" -Source $WriteLogSource -EntryType Error -id 1239
 }
 }
 function ProcessAllowlist{
 write-host Processing Allowlist -foregroundcolor yellow
- $allowlistIPs = get-content $allowlist
- foreach ($ip in $allowlistIPs)
+ $allowListIPs = get-content $allowListFile
+ foreach ($ip in $allowListIPs)
 {
 if ($blocklist.containskey($ip)){
 $badwhites = "$badwhites `n $ip"
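Review bot: ProcessBlocklists reads the file twice (`get-content $blockListFile|measure-object` and then `get-content $blockListFile` again) and then uses every raw line as a `$blocklist` key with no trimming or validation, so a blank line, trailing whitespace or a stray comment in blocklist.txt becomes a "blocked address" and, as far as the unchanged call path is visible here, is handed on to whatever builds the netsh rules. Reading the file once, trimming, skipping empty and `#` lines, and dropping entries that `[System.Net.IPAddress]::TryParse` rejects keeps malformed entries out of the firewall rules and makes a bad file visible on the console; if the blocklist is meant to carry CIDR ranges the check would need to accept an optional /prefix. With the filtered list iterated directly the `count -gt 0` level goes away, so the closing braces in hunk @@ -74 lose one `}`; the else branch logging event 1239 there stays as it is. The function's tail is outside this hunk.
```powershell
function ProcessBlocklists {
    write-host Processing blocklists -foregroundcolor yellow
    if (test-path $blockListFile){
        # Read the file once; drop blank lines and '#' comments before using lines as keys
        $blocklist_content = get-content $blockListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
        foreach ($BlIP in $blocklist_content){
            $parsed = $null
            if (-not [System.Net.IPAddress]::TryParse($BlIP, [ref]$parsed)){
                write-host "Skipping invalid blocklist entry: $BlIP" -foregroundcolor red
                continue
            }
            # ... unchanged: ContainsKey / increment / add to $blocklist ...
```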
@@ -180,7 +180,7 @@ function BlockBlocklistOnly {
 function WriteEndLog{
 if ($WriteLogEnd -eq 1){
 if ($WriteLogType -eq 'Error'){
- Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking (or on a blocklist): $badwhites `n Allowlist file: $allowlist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
+ Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking (or on a blocklist): $badwhites `n Allowlist file: $allowListFile" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
 } else {
 Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1. There were no failed logon attempts in the security log. Removing the firewall rule." -Source $WriteLogSource -id $WriteLogID
 }
@@ -209,7 +209,7 @@ trap [Exception]
 if ($WriteLogStart -eq 1){
 # Log the fact this script is starting.
- Write-EventLog -LogName $WriteLog -Message "Starting PSLogonFailures.ps1. `n Windows Version $WinVer . `n Your allowlist: $allowlist" -Source $WriteLogSource -id 1234
+ Write-EventLog -LogName $WriteLog -Message "Starting PSLogonFailures.ps1. `n Windows Version $WinVer . `n Your allowList: $allowListFile" -Source $WriteLogSource -id 1234
 }
 $interval = (get-date) - (new-timespan -minutes $minutes)
@@ -220,7 +220,7 @@ if ($WinVer.major -eq 6 -and $WinVer.minor -eq 0){
 $event = get-winevent -FilterHashtable @{ logname=$LogName; ID=4625; StartTime=$interval }
 }
-#Add the Blocklist to the $blocklist
+#Add the blockListFile to the $blocklist
 ProcessBlocklists
 foreach ($ip in $event){
@@ -252,7 +252,7 @@ ProcessBlocklists
 }
-# Deal with the allowlist
+# Deal with the allowListFile
 . ProcessWhiteList
 # Remove any stale rules
 . DeletePSLFirewallRules
@@ -261,5 +261,5 @@ ProcessBlocklists
 WriteEndLog
 #if ($WriteLogEnd -eq 1){
-# Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking: $badwhites `n Allowlist file: $allowlist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
+# Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking: $badwhites `n Allowlist file: $allowListFile" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
 #}