EvanAnderson / ts_block

Blocks IP addresses generating invalid Terminal Services logons
Artistic License 2.0

IP not blocked on Windows Server 2003 #3

Closed davidwhthomas closed 10 years ago

davidwhthomas commented 12 years ago

Hi, thanks for releasing this application, it looks promising.

I just installed via the MSI installer on a Windows 2003 server.

The installer appeared to run, but gave no confirmation message after completing.

However, looking in "Services" I saw "ts_block" was there, but not started.

I also took a look in the registry, and there were no keys created under HKLM/Software/Policies/Wellbury LLC/* with "Wellbury LLC" absent there.

I'd edited the .vbs script in Program Files to add the blackhole IP 192.168.168.28 ( which doesn't exist, but is on the subnet )

I then started the service and tested it with the "administrator" username over RDP

Later, I saw the event log to the effect that my IP had been blocked for 5 minutes.

However, I could still keep trying to login, with no block appearing in place for "administrator" or any other username and I logged in via my usual username instead.

So, the issue is, the application was installed from MSI, service started, log entries created, but no block appears to actually occur.

thanks,

DT

davidwhthomas commented 12 years ago

Note, when I enabled the DEBUGGING mode, I saw in the log the blackhole IP was 192.168.168.118, different from the one I set in the script.

If I ping that address, it returns a response, so perhaps that's the issue?

Note also, ROUTE and NETSH are available in the path.

EvanAnderson commented 12 years ago

I'd have to see your edit to the script to say. I know it can work in a W2K3 environment because I run it in several and have heard from others who do. I suspect your modification has unintended consequences.

Alternatively, put the stock script back and use the ADM file included in the MSI to create a registry setting to specify your blackhole IP. The installer doesn't create any registry entries-- that's handled by the ADM file.

EA / Wellbury LLC


davidwhthomas commented 12 years ago

Thanks for the reply,

I did notice I'd set the blackhole IP incorrectly, putting the value where the registry key name is meant to be.

I tried hard coding it as the return value from the get BlackHoleIP() function and it came up correctly in the debug log, but same result with user not blocked.

What's the expected behaviour when a user attempts access from a blocked IP?

Other than that, the script is default.

davidwhthomas commented 12 years ago

OK, I tried again with the default file, just DEBUGGING = 1, The issue persists.

file contents are here: https://gist.github.com/2943569

Thanks again,

DT

davidwhthomas commented 12 years ago

I installed the .ADM file under the domain group policy objects, enabled and set the default values. Unfortunately it still doesn't work :-(

davidwhthomas commented 12 years ago

Ok, and even after a complete uninstall / reinstall and reapplying the ADM settings, service is up and running, logs suggest it's blocking IP, but I can access RDP login screen no problem... oh well.

EvanAnderson commented 12 years ago

> Ok, and even after a complete uninstall / reinstall and reapplying the ADM settings, service is up and running, logs suggest it's blocking IP, but I can access RDP login screen no problem... oh well.

I don't have any ideas immediately, but perhaps we can get to the bottom of it.

Is the server you're installing it onto single or multi-homed?

When the block occurs the script executes the "route.exe" command substituting in the black hole IP address and the blocked IP in the format:

route add blockedIP 255.255.255.255 blackHoleIP

This should route any response traffic from the server to the blockedIP to the non-existent host on blackHoleIP, which results in the host using the blockedIP being denied two-way communication with the server.

You should be able to examine the routing table (using "route print") while the script has an IP "blocked" and verify that a blocking entry is present.

Just to double-check your testing methodology: You're accessing the server from another computer using a Remote Desktop Protocol client to generate the block.

EA / Wellbury LLC
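The check Evan asks for above (is the `route add blockedIP mask 255.255.255.255 blackHoleIP` entry actually present in `route print`?) can be scripted so the test is not done by eye. The following is an added example for this thread, not ts_block's own code; the function names, the `route print` text (constructed to resemble Windows Server 2003 output) and the IP addresses are this example's assumptions:

```python
"""Build the ts_block-style host route and verify it in `route print` output.

Added example for this thread, not ts_block's own code. Function names,
the sample `route print` text and the addresses below are constructed.
"""
import ipaddress
import subprocess

HOST_MASK = "255.255.255.255"   # a /32 host route, as in the thread


def build_block_route(blocked_ip: str, blackhole_ip: str) -> list:
    """Argument vector for the command the thread describes.

    Both addresses are validated first so that a bad registry or script
    value (the thread's mis-set blackhole IP) cannot become a stray route.
    """
    ipaddress.IPv4Address(blocked_ip)
    ipaddress.IPv4Address(blackhole_ip)
    return ["route", "add", blocked_ip, "mask", HOST_MASK, blackhole_ip]


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_route_print(text: str) -> list:
    """Return (destination, netmask, gateway, interface, metric) tuples.

    Only lines of the Active Routes table have exactly four dotted quads
    followed by an integer metric; interface-list, header and separator
    lines never match that shape, so they are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and all(_is_ipv4(p) for p in parts[:4]) and parts[4].isdigit():
            rows.append(tuple(parts[:4]) + (int(parts[4]),))
    return rows


def has_block_route(text: str, blocked_ip: str, blackhole_ip: str) -> bool:
    """True if a /32 route for blocked_ip via blackhole_ip is in the table."""
    return any(dest == blocked_ip and mask == HOST_MASK and gw == blackhole_ip
               for dest, mask, gw, _iface, _metric in parse_route_print(text))


def block_route_present_live(blocked_ip: str, blackhole_ip: str) -> bool:
    """Run `route print` on the server itself (Windows only) and check it."""
    out = subprocess.run(["route", "print"], capture_output=True, text=True, check=True)
    return has_block_route(out.stdout, blocked_ip, blackhole_ip)


# Constructed sample in the Windows Server 2003 `route print` layout.
# 203.0.113.77 is the "blocked" client, 192.0.2.254 the unused blackhole host.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 12 34 56 ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.168.1  192.168.168.10      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.168.0    255.255.255.0   192.168.168.10  192.168.168.10      10
    203.0.113.77  255.255.255.255      192.0.2.254  192.168.168.10       1
Default Gateway:     192.168.168.1
===========================================================================
Persistent Routes:
  None
"""

if __name__ == "__main__":
    print(" ".join(build_block_route("203.0.113.77", "192.0.2.254")))
    print("block route present:", has_block_route(SAMPLE_ROUTE_PRINT, "203.0.113.77", "192.0.2.254"))
```

Run `block_route_present_live()` on the server right after the "Blocked ... until ..." event is written; if it returns False while the event exists, route.exe was either not found on the service's PATH or was called with bad arguments, which is exactly the split between the script's logging and the actual block that David reports.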

davidwhthomas commented 12 years ago

Thanks Evan,

I ran another test

Failed RDP login past limit.
Logged in successfully.
Saw my IP address was blocked in the Event Log: "Blocked 202.89.152.[x] until 6/18/2012 8:24:41 PM" ([x] = final octet).
Ran cmd > route print.
No sign of my IP in the list of routed IPs there.

Yes, I'm accessing over RDP, using Gnome-RDP from a linux box over to Win2K3,

Note, I also tried with debugging mode on and testing mode on with 10 test IP addresses, none of those were visible in route print either?

regards,

David

davidwhthomas commented 12 years ago

Looking at the ts_block service, I see the run parameter is

"C:\Program Files\ts_block\nssm.exe" run

In task manager, there's no sign of wscript.exe running.

Is that correct?

Perhaps the service should be passing the vbs file to the above run parameter?

israelt commented 12 years ago

On Windows server 2003 R2 32bits:

All work great but I don't have this registry key (HKLM/Software/Policies/Wellbury LLC/) in the computer.

Great soft utility Evan!

EvanAnderson commented 12 years ago

> All work great but I don't have this registry key (HKLM/Software/Policies/Wellbury LLC/) in the computer.

Glad to hear it's working for you.

The ts_block script doesn't create any registry entries. You would only have those entries if you created them (either manually or by using the included ADM file).

EA / Wellbury LLC

EvanAnderson commented 12 years ago

@davidwhthomas: 'wscript.exe' isn't used by ts_block (because script execution would halt while modal windows were displayed on the service desktop). The command-line you're seeing for 'nssm.exe' in the ts_block service parameters is accurate. cscript.exe is used to execute the script and, based on the presence of Event Log messages coming from the script, I'd say it's running.

It's unclear to me why the entries that are supposed to be created by route.exe aren't being created properly on the machine you're testing on. All I can think is that route.exe isn't in the PATH for the ts_block service.

Were I you I'd probably use "Process Monitor" to watch the cscript.exe process running ts_block and observe the command-lines passed to child route.exe processes that it creates.

b1rdex commented 12 years ago

Hey there.

Tried to block brute force with your tool and got stuck. It ran perfectly but didn't block anything. I thought it was because my copy of Windows is Russian.

I opened Event Viewer/Security and there was only 'audit success'. That's the case! Looks like Win 2003 defaults to only logging successful tries. Opened gpedit.msc, Computer/Windows/Local/Audit/Logon → Success and Failure.

And result appeared just after 5 seconds :)

Logging bad attempt from 31.185.0.11, attempt # 1
Logging bad attempt from 31.185.0.11, attempt # 2
Logging bad attempt from 31.185.0.11, attempt # 3
Logging bad attempt from 31.185.0.11, attempt # 4
Logging bad attempt from 31.185.0.11, attempt # 5
Executing route add 31.185.0.11 mask 255.255.255.255 192.168.254.1
Event Log - Event ID: 256, Type: INFORMATION - Blocked 31.185.0.11 until 02.08.2012 11:45:46

I think you should add this to the readme because it's not obvious.
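The failure mode in this comment is worth seeing in code: ts_block counts logon failures from the Security log, so if the audit policy records successes only, the counter never moves and nothing is ever blocked, even though the service is healthy. The model below is an added example for this thread, not ts_block's own script; the event records are constructed, and the 5-attempt threshold and 5-minute duration are assumptions taken from the log lines above rather than ts_block's documented defaults.

```python
"""Model of the ts_block decision loop as fed by Security-log logon events.

Added example, not ts_block's own code. The event format, function names,
threshold and duration below are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK_ATTEMPTS = 5                      # assumed: the log above blocks at attempt #5
BLOCK_DURATION = timedelta(minutes=5)   # assumed: "blocked for 5 minutes" earlier in the thread
HOST_MASK = "255.255.255.255"


class BlockTracker:
    """Counts failed logons per source IP and emits the blocking route."""

    def __init__(self, blackhole_ip, attempts=BLOCK_ATTEMPTS, duration=BLOCK_DURATION):
        self.blackhole_ip = blackhole_ip
        self.attempts = attempts
        self.duration = duration
        self.failures = defaultdict(int)   # ip -> bad attempts since last block
        self.blocked_until = {}            # ip -> expiry time
        self.commands = []                 # route commands that would be run

    def is_blocked(self, ip, when):
        until = self.blocked_until.get(ip)
        return until is not None and when < until

    def process(self, event):
        """event: {'when': datetime, 'ip': str, 'outcome': 'Success' | 'Failure'}.

        Returns the route command if this event triggered a block, else None.
        Only failure audits feed the counter: with the Windows 2003 default of
        auditing successes only, this branch is never reached for a bad logon.
        """
        if event["outcome"] != "Failure":
            return None
        ip, when = event["ip"], event["when"]
        if self.is_blocked(ip, when):
            return None   # route already in place; nothing more to do
        self.failures[ip] += 1
        if self.failures[ip] < self.attempts:
            return None
        self.failures[ip] = 0
        self.blocked_until[ip] = when + self.duration
        cmd = f"route add {ip} mask {HOST_MASK} {self.blackhole_ip}"
        self.commands.append(cmd)
        return cmd


def run(events, blackhole_ip="192.168.254.1"):
    tracker = BlockTracker(blackhole_ip)
    for event in events:
        tracker.process(event)
    return tracker


def make_events(outcomes, ip="198.51.100.11", start=datetime(2012, 8, 2, 11, 40, 46)):
    """Constructed logon events, one per second, from a single source address."""
    return [{"when": start + timedelta(seconds=i), "ip": ip, "outcome": o}
            for i, o in enumerate(outcomes)]


# Constructed: five bad passwords then a good one, as the Security log shows
# them once "Audit logon events" is set to Success and Failure.
AUDIT_SUCCESS_AND_FAILURE = make_events(["Failure"] * 5 + ["Success"])

# Constructed: the same attack when only successes are audited. The five
# failures never reach the Security log, so ts_block only ever sees the
# final successful logon and the attacker is never blocked.
AUDIT_SUCCESS_ONLY = make_events(["Success"])

if __name__ == "__main__":
    print("failures audited:", run(AUDIT_SUCCESS_AND_FAILURE).commands)
    print("successes only:  ", run(AUDIT_SUCCESS_ONLY).commands)
```

The quickest diagnosis on a server where ts_block logs nothing at all (as opposed to logging a block that does not take effect) is therefore the Security log itself: if repeated bad RDP passwords produce no Failure Audit entries, the audit policy, not ts_block, is the problem.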

EvanAnderson commented 12 years ago

I'm glad to hear that it is working for you and on a Russian version of Windows.

I will make a note to include details about auditing in the README file.

kimala commented 12 years ago

Hi, thank you for sharing this program. How do I verify TS_Block is running? I installed TS_Block, applied the .adm file and used nssm to create a service on a Windows 2003 server. But the event log is still filling up with failed logins. I tried to use nssm again, and it tells me that the service is already installed. What settings for Block Attempts, Block Duration, Block Timeout do you recommend?
Kim

b1rdex commented 12 years ago

@kimala you should stop the service and start ts_block.vbs manually to debug its settings.

jaredgerber commented 11 years ago

Evan:

Thank you for sharing your coding talent and time to help stop brute force attacks.

I fumbled around a bit to get it installed on my Windows 2003 Server -- so I'm sharing my experience and adding some notes in hope to make things a little easier for others to install for their needs.

Prerequisites:

Installation of Service

Loading TS_Block.adm

Logging

It would be cool to know if there are any other logs or ways to know it's working.

Thanks again,

Jared

jaredgerber commented 11 years ago

Evan:

I had over 50 successful blocks revealed in the Event Log -> Application. Thanks!!!

Jared

EvanAnderson commented 10 years ago

I'm closing this due to inactivity