ts_block's People

Contributors

evananderson

ts_block's Issues

IP white list

The title is self-explanatory. It would be nice if a list of IPs that are never blocked could be added.
Reason: If I mistype the password from my office, with a known IP, I don't want to wait 5 minutes to try again.

No longer functioning?

My last blocked IP was 3/31/2014, which I thought was odd, so I logged into a remote system and hammered my server 6 times with Administrator, which should have been immediately blocked. After that I was able to authenticate with a correct login & password.

I have enabled Debug and I can see nothing out of the ordinary. I use a modified script that ignores private IPs so I restored the original script and it behaves the same way: nothing logged, nothing blocked.

Could a MS patch have broken it?

It is running on Windows 2008 R2.

Multiple blocks being generated

Users have reported that multiple blocks are being generated, complete with multiple "Advanced Firewall" rules. I will attempt to repro the issue and, if I am so able, refactor the code to prevent the multiple blocks from being created.

Can't get it to work on 2008 R2

Hello,
I have Server 2008 R2 and installed ts_block_20120530.msi
The service and folder were created and I started the ts_block service.
So far so good.

When I connect to the terminal server with root, administrator or several other usernames, nothing happens. No rules in the firewall.

Can you tell me if I missed some configuration?

regards, Dutchmen

MSI file gives error trying to launch in Windows Server 2008 R2

Hello,
thank you for your script.

I'd want to install it on our Windows 2008 R2 web server, but I receive an error from MSI when I try to launch it: "This Installation package could not be opened".

Furthermore, when I tried it in cscript/wscript, I didn't know where exactly to look in the Firewall for new rules to understand if it's working or not. None of the items I checked show any rules related to TS_BLOCK.

Could you help me with these problems?

Thank you again,
Alberto
(Italy)

IIS/FTP?

Does this work for IIS/FTP log on attempts?

THX

Doesn't work under Win2012R2

I used this script for a long time under Win2008. But now, under Win2012, it does nothing. In debug mode it waits in a busy loop but no event is noticed.
It looks like the Select statement is no longer valid.

Advanced Firewall-based blocks persist across service restarts

This was wholly unintended functionality. I will write code to identify and remove blocks that have persisted.

It looks like an initialization routine to query the Advanced Firewall rules for rules with a known naming convention and parsing those rule names to extract the appropriate block expiration time should be sufficient.

I have been successful with manual installation, but MSI fails

33

ID 4625 Guest type 3 hacking suspicion.

cd %ProgramFiles%
md ts_block
cd ts_block
nssm install ts_block %SystemRoot%\System32\cscript.exe "\"%ProgramFiles%\ts_block\ts_block.vbs\""

or

md "%ProgramFiles%\ts_block"

echo ts_block Download
powershell.exe -Command "& {Invoke-WebRequest -OutFile (Join-Path $env:ProgramFiles 'ts_block\ts_block-master.zip') -Uri 'https://github.com/EvanAnderson/ts_block/archive/refs/heads/master.zip'}"
tar -zxvf "%ProgramFiles%\ts_block\ts_block-master.zip" -C "%ProgramFiles%\ts_block"
xcopy "%ProgramFiles%\ts_block\ts_block-master" "%ProgramFiles%\ts_block" /E

echo nssm Download or install 
bitsadmin /transfer 1234 /download "http://nssm.cc/release/nssm-2.24.zip" "%ProgramFiles%\ts_block\nssm-2.24.zip"
tar -zxvf "%ProgramFiles%\ts_block\nssm-2.24.zip" -C "%ProgramFiles%\ts_block"
copy "%ProgramFiles%\ts_block\nssm-2.24\win64\nssm.exe" "%ProgramFiles%\ts_block\"
cd "%ProgramFiles%\ts_block\"
nssm install ts_block %SystemRoot%\System32\cscript.exe "\"%ProgramFiles%\ts_block\ts_block.vbs\""

echo error..?
echo Deleting the service (If you register by mistake, the service specified as `Error creating service! CreateService():` already exists.)
echo https://kitty-geno.tistory.com/151
nssm remove ts_block

This installed successfully. Thank you.
Windows 10 Insider 64bit [Version 10.0.19044.1889]
(I'm not good at computers, so I wrote the commands by asking.)

I hope this program will be updated someday.
Applicable to Windows 10-11. I would like to change it to

Oh my symptoms.
C:\Windows\System32
There were signs that the folder had been opened.
And my chrome was... suspicious. As if someone had opened it once.

5379 Microsoft Windows security
And this event happens a lot.
This has nothing to do with the above program.
These are my symptoms.
4

Can't install it with MSI

Hi,

On Windows Server 2008 R2 I'm having installation problems:

When I execute the .msi it opens-&-closes a pair of command prompts very quickly and then says "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or vendor package.".

I've checked that ROUTE, NETSH and EVENTCREATE are available from the command prompt.

What can be the problem?
Thanks,
SntsDev

IP not blocked on Windows Server 2003

Hi, thanks for releasing this application, it looks promising.

I just installed via the MSI installer on a Windows 2003 server.

The installer appeared to run, but gave no confirmation message after completing.

However, looking in "Services" I saw "ts_block" was there, but not started.

I also took a look in the registry, and there were no keys created under HKLM/Software/Policies/Wellbury LLC/* with "Wellbury LLC" absent there.

I'd edited the .vbs script in Program Files to add the blackhole IP 192.168.168.28 (which doesn't exist, but is on the subnet).

I then started the service and tested it with the "administrator" username over RDP

Later, I saw the event log to the effect that my IP had been blocked for 5 minutes.

However, I could still keep trying to login, with no block appearing in place for "administrator" or any other username and I logged in via my usual username instead.

So, the issue is, the application was installed from MSI, service started, log entries created, but no block appears to actually occur.

thanks,

DT

Possible to watch for other types of failed logins?

Hi,

I've been looking for something like this for use at home for a good while, and it does a really good job - thanks very much. It still works a treat on Server 2019.

Adding two things would make it even more useful (to me at least, but I'd bet others too):
Watching for VPN login failures too
Logging to a file (so I can read that with another app that doesn't talk windows event logs)

I haven't ever touched VB before though, and get nowhere fast trying to add these to ts_block.
Anyone kind enough to point me in the right direction please?

Also, there's one (minor) issue I've found while using it:
If it's created a firewall rule, and you then restart the machine it's running on, the rule's left there forever.
It seems that wildcards can't be used when removing firewall rules, so 'remove Blackhole*' won't do the trick. Is just removing all during startup even a valid approach though?
Is there some other way to remove old rules after a restart, or maybe re-import them then remove them once the right period's passed?
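
An added example (not ts_block's own code and not part of either post) of the startup cleanup proposed in "Advanced Firewall-based blocks persist across service restarts" and asked about in the post above: parse block-rule names for an expiry time and remove only the rules that have expired. The rule-name convention, the function names and the sample rule names are assumptions made for illustration; the removal step relies on the NetSecurity cmdlets, which are not available on Server 2008 R2.

```powershell
# Added example. The rule-name convention below is HYPOTHETICAL:
#   "Blackhole <IPv4> until <yyyyMMddHHmmss>"  (expiry in UTC)
$BlockRulePattern = '^Blackhole (?<ip>\d{1,3}(?:\.\d{1,3}){3}) until (?<exp>\d{14})$'

function Get-BlockExpiry {
    # Parse one rule name; returns $null for names that do not carry an expiry.
    param([Parameter(Mandatory)][string]$RuleName)
    $m = [regex]::Match($RuleName, $BlockRulePattern)
    if (-not $m.Success) { return $null }
    $exp = [datetime]::MinValue
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $ok = [datetime]::TryParseExact($m.Groups['exp'].Value, 'yyyyMMddHHmmss',
        [cultureinfo]::InvariantCulture, $styles, [ref]$exp)
    if (-not $ok) { return $null }   # e.g. month 13: not a real timestamp
    [pscustomobject]@{ Name = $RuleName; IP = $m.Groups['ip'].Value; ExpiresUtc = $exp }
}

function Get-StaleBlock {
    # Return only the blocks whose expiry has already passed.
    param([string[]]$RuleName, [datetime]$NowUtc = [datetime]::UtcNow)
    foreach ($n in $RuleName) {
        $b = Get-BlockExpiry -RuleName $n
        if ($b -and $b.ExpiresUtc -le $NowUtc) { $b }
    }
}

function Remove-StaleBlock {
    # Startup cleanup. Needs the NetSecurity module (Windows 8 / Server 2012 or later).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $names = @(Get-NetFirewallRule -DisplayName 'Blackhole*' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DisplayName)
    foreach ($b in Get-StaleBlock -RuleName $names) {
        if ($PSCmdlet.ShouldProcess($b.Name, 'Remove expired block rule')) {
            Remove-NetFirewallRule -DisplayName $b.Name
        }
    }
}

# Constructed sample names, evaluated offline against a fixed clock.
$sample = @(
    'Blackhole 203.0.113.7 until 20240101120000',   # expired
    'Blackhole 198.51.100.9 until 20991231235959',  # still active
    'Blackhole 203.0.113.8',                        # no expiry in name: left alone
    'Remote Desktop - User Mode (TCP-In)'           # unrelated rule
)
Get-StaleBlock -RuleName $sample -NowUtc ([datetime]'2024-06-01T00:00:00Z').ToUniversalTime()
```

Running `Remove-StaleBlock -WhatIf` from an elevated session lists the rules that would be deleted without touching the firewall. Rules whose names carry no parseable expiry are deliberately skipped rather than removed.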

block 0.0.0.0

Script adds 0.0.0.0, which blocks broadcast, for example DHCP requests :-/

I ran the MSI, but can not get it to run

I ran the MSI as instructed and get the error "Error creating service!"

I'm running Windows Server 2003

The MSI files are in the folder C:\program files\Ts_block

Here's what I typed on the command prompt:

nssm install Ts_block c:\windows\system32\cscript32.exe C:\program files\ts_block\ts_block.vbs

Find workaround for logging changes when the "Security Layer" is SSL/TLS

When an RDP client that supports SSL/TLS (rather than only "RDP" security, as was the case with older clients) fails authentication to the RDP server, an IP address for the client won't be logged when the NtLmSsp security provider is used.

Arguably, SSL/TLS is a Good Thing(tm) (see http://technet.microsoft.com/en-us/magazine/ff458357.aspx for details) and I am wary of other invalid RDP logon block products' suggestions to force the security layer to "RDP" (see http://rdpguard.com/windows-server-how-to-catch-failed-logons.aspx) because, while it does cause IP addresses to be logged, it prevents useful features (like mutual authentication) from being used.

The "Cyberarms IDDS" product came up with a workaround that allows the SSL/TLS security layer to remain enabled while still being able to log IP addresses. I'm going to look at their product to see if I'm able to determine what they're doing, however anything that involves compiled code is probably going to be above my interest level for ts_block.

No MSI package

The README refers to an MSI package but it hasn't been created yet.

Nov 2014 RDP update

Am I the only one who, since the Nov 2014 RDP security update, no longer receives the 4625 events no matter what the settings?

Update: So my boxes (4 hanging off the public internet - don't ask) running this used to get hundreds of 4625 attempts per day prior to Nov 11th, then when I applied that month's updates, one of which included an RDP/TS related update, they all stopped. Literally for a month, till today, Dec 11th, I did not receive a single bad logon attempt 4625 (except one I generated myself to see if I could) - very strange, it's as if the botnets and related folks all took a month off, which of course I know they haven't. I was thinking it had something to do with the Nov RDP/TS update that talked like it made some change related to logging, though it was never specific. Anyway, I see today for the first time I finally received 2 bad attempts from random IPs. Besides the timing being interesting, I'm closing this as it indicates to me it must not have been a ts_block/RDP related issue.

TS_Block service stopped working

Hi, I have installed ts_block on 3 different 2003 Small Business Servers. All three were working and blocking RDP attacks for several days. All of a sudden, on all three servers, the ts_block service showed up as being paused and I could not start it (error starting service). All three servers are running 2003 SBS, Trend Micro Advanced Security suite. Any ideas why and how to fix? Thanks.
