devnulli / EvlWatcher

a "fail2ban" style modular log file analyzer for windows
MIT License

Support IPv6 addresses #81

Closed Pegasus-RPG closed 2 years ago

Pegasus-RPG commented 2 years ago

Hello. Does EvlWatcher already support IPv6 addresses? I don't see the standard link-local addresses in the default white list so I'm assuming not.

So this is a feature request to add IPv6 support. :)

devnulli commented 2 years ago

I think I could do that, but I would need an example log entry.

Let's also ask @JReming85 if he maybe happens to have IPv6 bruters.

JReming85 commented 2 years ago

Sorry, my Windows bare-metal machines do not have IPv6 addresses. Let me see if I can throw one up on my local network and see if I can get some for you.

Ozaroth commented 2 years ago

Hi, IPv6 is not natively working, but I made a rule:

<Task Name="BlockRDPBrutersByRdpCore131_IPV6" Active="true">
  <!-- the description -->
  <Description>
    This rule checks the RdpCoreTS/Operational Log for any opening connections. It is not perfect, as it will count failed AND successful connections, but this works ok in normal day life.
    This is necessary because login attempts with an existing user are NOT logged in the 140 event by Microsoft for some reason.
  </Description>
  <!-- this is the time a temporary ban is issued for, in seconds -->
  <LockTime>
    3600
  </LockTime>
  <!-- this is used for rules that only need new events for evaluating. If you don't know what this does, leave it set to false -->
  <OnlyNew>
    False
  </OnlyNew>
  <!-- this is the timeframe (in seconds) to be inspected -->
  <EventAge>
    120
  </EventAge>
  <!-- this is the number of times an entry must occur within the time frame to be considered a brute force attempt -->
  <TriggerCount>
    5
  </TriggerCount>
  <!-- after this number of temporary bans, the ban will become permanent (enter a negative number to disable permanent bans) -->
  <PermaBanCount>
    3
  </PermaBanCount>
  <!-- This is the place where the rule looks for entries -->
  <EventPath>
    Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  </EventPath>
  <!-- This was introduced because sole regex matching is too CPU intensive. It incredibly speeds up the filtering when you enter some (or at least one) words that MUST be contained in the LogEntry to undergo the regex inspection -->
  <RegexBoosters>
    <Booster>131</Booster>
    <Booster>ClientIP</Booster>
  </RegexBoosters>
  <!-- This is the regex that tries to extract an IP from the entries that contain the booster words; for more info see regex101.com.
       Note: the sixth alternative originally read "(?:[[a-f0-9]{1,4}:){4}"; the stray "[" made that character class also accept a literal "[" and has been removed here. -->
  <Regex>
    ([a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7}|::|:(?::[a-f0-9]{1,4}){1,6}|[a-f0-9]{1,4}:(?::[a-f0-9]{1,4}){1,5}|(?:[a-f0-9]{1,4}:){2}(?::[a-f0-9]{1,4}){1,4}|(?:[a-f0-9]{1,4}:){3}(?::[a-f0-9]{1,4}){1,3}|(?:[a-f0-9]{1,4}:){4}(?::[a-f0-9]{1,4}){1,2}|(?:[a-f0-9]{1,4}:){5}:[a-f0-9]{1,4}|(?:[a-f0-9]{1,4}:){1,6}:)
  </Regex>
</Task>

This rule catches the IPv6 address, and the IP is listed in the ban list, BUT EvlWatcher does not add the IPv6 address to the firewall rule :/

Sorry for my bad English.

Ozaroth commented 2 years ago

Event ID 4625 does not provide a full IPv6 address, but events 131 and 140 do.

XML log entry:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139c61b-b549-4251-8ed3-27250a1edec8}" />
    <EventID>131</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>15</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2021-10-23T12:28:27.880030900Z" />
    <EventRecordID>213380915</EventRecordID>
    <Correlation ActivityID="{f420bbd7-e00b-412d-83d8-2ca6816f0000}" />
    <Execution ProcessID="1328" ThreadID="1736" />
    <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
    <Computer>XXXXX</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="ConnType">TCP</Data>
    <Data Name="ClientIP">[2a0d:e487:16f:ff17::ffff:ffff]:52678</Data>
  </EventData>
</Event>

devnulli commented 2 years ago

Hi Ozaroth, that's great, thank you.

I'll modify EvlWatcher so that it can handle IPv6.

Ozaroth commented 2 years ago

Thank you !

geoced commented 2 years ago

Here is an example of an OpenSSH event for an IPv6 address. It's a link-local address, so it should be whitelisted, assuming the default list of whitelisted IP patterns is updated to include IPv6 addresses as well.

sshd: Failed password for user from fe80::f829:87f0:45c6:192a%15 port 2420 ssh2
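The two log shapes in this thread (the RdpCoreTS 131 event with a bracketed "[addr]:port" ClientIP, and the sshd line with a "%zone" suffix on a link-local address) are the cases an IPv6-aware extractor has to handle. The following is an added example written for this page; it is not EvlWatcher's code and does not reproduce its whitelist. Instead of a long hand-written IPv6 alternation, it matches loose candidates and lets Python's ipaddress module do the strict validation, strips ports and zone IDs, unwraps IPv4-mapped addresses (which a firewall rule needs in IPv4 form), and checks an allow-list that includes fe80::/10 so the link-local sshd example above is not banned. The event XML, the sshd lines and the allow-list networks are constructed sample data; the EventAge time window of the rule is deliberately not modelled.

```python
"""Extract IPv4/IPv6 client addresses from Windows event XML and sshd log lines,
then apply an allow-list and a trigger count (constructed example, not EvlWatcher code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Loose candidate matcher: a run of hex digits, ':' and '.', with an optional
# '%zone' suffix that is consumed but not captured. ipaddress.ip_address()
# then does the strict checking that a hand-written IPv6 regex attempts.
CANDIDATE_RE = re.compile(
    r"(?<![0-9A-Fa-f:.])([0-9A-Fa-f:.]+)(?:%[A-Za-z0-9]+)?(?![0-9A-Fa-f:.])"
)

# Constructed allow-list for this example (the project's real default list is
# not shown on this page): loopback, RFC 1918, IPv6 link-local and ULA.
DEFAULT_WHITELIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample: same shape as the RdpCoreTS event 131 posted in this thread.
SAMPLE_EVENT_131 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139c61b-b549-4251-8ed3-27250a1edec8}" />
    <EventID>131</EventID>
    <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
  </System>
  <EventData>
    <Data Name="ConnType">TCP</Data>
    <Data Name="ClientIP">[2a0d:e487:16f:ff17::ffff:ffff]:52678</Data>
  </EventData>
</Event>"""

# Constructed sample sshd lines: 5 link-local (should be ignored), 5 from a
# documentation-range IPv6 host (should trigger), 3 from an IPv4 host (below threshold).
SAMPLE_SSHD_LINES = (
    ["sshd: Failed password for user from fe80::f829:87f0:45c6:192a%15 port 2420 ssh2"] * 5
    + ["sshd: Failed password for root from 2001:db8::1 port 2222 ssh2"] * 5
    + ["sshd: Failed password for admin from 203.0.113.7 port 51234 ssh2"] * 3
)


def extract_addresses(text):
    """Return every syntactically valid IPv4/IPv6 address in text, in order of
    appearance. Port suffixes ('[addr]:52678') and zone IDs ('fe80::1%15') are
    dropped; IPv4-mapped IPv6 ('::ffff:a.b.c.d') is unwrapped to the IPv4 address."""
    found = []
    for cand in CANDIDATE_RE.findall(text):
        try:
            addr = ipaddress.ip_address(cand.rstrip("."))  # trailing '.' from prose
        except ValueError:
            continue  # bare numbers such as ports, hex-only words like 'fade', ':52678'
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        found.append(addr)
    return found


def client_ip_from_event(xml_text):
    """Parse an exported RdpCoreTS 131 event (XML view) and return the ClientIP
    address without its ':port' suffix, or None if the field is absent."""
    root = ET.fromstring(xml_text)
    node = root.find("e:EventData/e:Data[@Name='ClientIP']", EVENT_NS)
    if node is None or not node.text:
        return None
    addrs = extract_addresses(node.text)
    return addrs[0] if addrs else None


def is_whitelisted(addr, whitelist=DEFAULT_WHITELIST):
    """True if addr falls inside any allow-listed network (version mismatch is False)."""
    return any(addr in net for net in whitelist)


def bruters(lines, trigger_count=5, whitelist=DEFAULT_WHITELIST):
    """Count non-whitelisted source addresses across log lines and return those
    seen at least trigger_count times, as compressed strings (the form a
    firewall rule needs). The rule's EventAge window is not modelled here."""
    counts = Counter()
    for line in lines:
        for addr in extract_addresses(line):
            if not is_whitelisted(addr, whitelist):
                counts[addr] += 1
    return sorted(str(a) for a, n in counts.items() if n >= trigger_count)


if __name__ == "__main__":
    print("131 ClientIP:", client_ip_from_event(SAMPLE_EVENT_131))
    print("sshd bruters:", bruters(SAMPLE_SSHD_LINES))
```

Validating with ipaddress rather than a giant alternation also means the event's own noise (GUIDs, the 0x... keyword mask, the SID, timestamps) never reaches the ban list, because none of those parse as an address.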