chaddoncooper/Windows-IP-Ban-Service

 
 

*******************************************************************************
***** Requires .NET 4.0 and Windows Vista or Windows Server 2008 or newer *****
*******************************************************************************

Extract the files to a place on your computer. Right-click all the extracted files and select Properties. Make sure to select "Unblock" if the option is available.

To run as a Windows service, create the service with sc (example: sc create IPBAN type= own start= auto binPath= d:\system\ipban\ipban.exe DisplayName= IPBAN). The service writes a log file to the same directory as the service executable, so run it as SYSTEM to ensure it has write permission.

Make sure to look at the config file for configuration options.

To debug as a console app and troubleshoot, run "IPBAN.EXE debug"

Make sure you are logging failed login attempts via local security policy / audit policy.

You *MUST* make this change to the local security policy to ensure IP addresses show up:
Change Local Security Policy -> Local Policies -> Audit Policy and turn failure logging on for "audit account logon events" and "audit logon events".
From an admin command prompt: auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

If you still don't see IP addresses being logged, do the following:

- Make sure to read this Stack Overflow thread about IP addresses not getting logged: http://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve
- Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
- Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
- Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts
- Do not allow for passwords to be saved -- Enabled
- Prompt for credentials on the client computer -- Enabled

If you want to run in Visual Studio, make sure to run Visual Studio as administrator.

For reference, here is a regex that matches any 32-bit (IPv4) IP address:
(?<ipaddress>^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$)
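
The regex above is anchored with ^ and $, so it validates a string that is nothing but an address and will not find one inside event text. The sketch below is an added example, not IPBan's own code: it shows the README regex next to an unanchored variant, counts failed logons per address and returns the firewall rule that would block each offender. The Embedded pattern, the limit of 3, the rule name and the exact netsh command line are assumptions, and the event messages are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class BanSketch
{
    // Octet pattern copied from the README regex above.
    const string Octet = @"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])";
    // README form: the ^ and $ anchors make it a whole-string validator.
    static readonly Regex Whole =
        new Regex(@"(?<ipaddress>^(" + Octet + @"\.){3}" + Octet + "$)");
    // Assumption: unanchored variant for searching inside event text. The
    // lookarounds reject partial hits inside longer runs such as 10.0.0.256.
    static readonly Regex Embedded = new Regex(
        @"(?<![0-9])(?<![0-9]\.)(?<ipaddress>(" + Octet + @"\.){3}" + Octet + @")(?!\.?[0-9])");

    // Count failures per source address and return one block command for each
    // address at or over the limit. Commands are returned, not executed.
    static List<string> BlockCommands(IEnumerable<string> messages, int limit)
    {
        var counts = new Dictionary<string, int>();
        foreach (var message in messages)
        {
            var hit = Embedded.Match(message);
            if (!hit.Success) continue; // address logged as "-" or malformed
            var ip = hit.Groups["ipaddress"].Value;
            counts[ip] = counts.TryGetValue(ip, out var n) ? n + 1 : 1;
        }
        return counts.Where(kv => kv.Value >= limit).Select(kv =>
            $"netsh advfirewall firewall add rule name=\"ban {kv.Key}\" dir=in action=block remoteip={kv.Key}")
            .ToList();
    }
    static void Main()
    {
        // Constructed sample text in the style of failed-logon event messages.
        var events = new[] {
            "An account failed to log on. Source Network Address: 203.0.113.7 Source Port: 51514",
            "An account failed to log on. Source Network Address: 203.0.113.7 Source Port: 51520",
            "An account failed to log on. Source Network Address: 203.0.113.7 Source Port: 51533",
            "An account failed to log on. Source Network Address: - Source Port: -",
            "An account failed to log on. Source Network Address: 198.51.100.20 Source Port: 40112",
            "An account failed to log on. Source Network Address: 10.0.0.256 Source Port: 1",
        };
        Console.WriteLine(Whole.IsMatch("203.0.113.7"));  // bare address
        Console.WriteLine(Whole.IsMatch(events[0]));      // address inside text
        foreach (var cmd in BlockCommands(events, 3)) Console.WriteLine(cmd);
    }
}
```

The event whose address is logged as "-" contributes nothing to the counts, which is why the audit and NTLM settings listed earlier matter: without a logged address there is nothing to ban.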

Please visit http://www.digitalruby.com/securing-your-windows-dedicated-server/ for more information about this program.

I do consulting and contracting if you need extra customizations for this software.

Enjoy!

Donations are accepted, any amount is appreciated, I work on this project for free to benefit the world.

Donation addresses...

Paypal: jjxtra@gmail.com (pick the send to friends and family with bank account option to avoid fees)

Bitcoin: 1GBz8ithHvTqeRZxkmpHx5kQ9wBXuSH8AG

Ethereum: 0x0d9Fc4ef1F1fBF8696D276678ef9fA2B6c1a3433

Litecoin: LWxRMaVFeXLmaq5munDJxADYYLv2szYi9i

Vertcoin: Vcu6Fqh8MGiLEyyifNSCgoCuQShTijzwFx

-Jeff Johnson, CEO/CTO Digital Ruby, LLC
http://www.digitalruby.com
email: support@digitalruby.com

About

IPBan monitors failed security audits in Windows Event Viewer and bans IP addresses using netsh. Wide range of customization and unlimited IP address ban count. Download binaries here: -->


Languages

  • C# 99.8%
  • Batchfile 0.2%