Sonntag, 9. Dezember 2012

Automatically banning IPs with Windows Firewall after scanning the eventlog

When you expose your Windows Server to the net, you will find out very quickly that your server will be hammered by RDP-Bruteforcers who try to log into your system:

If what you want is an out of the box solution (Install & done) you can find a free tool here, and probably should go on reading this:

EDIT 2016-12-04: SO MANY PEOPLE ASKED ABOUT A WIN10 VERSION, I HAVE DECIDED TO START WORKING ON IT. (but its a shame that win 10 STILL hasnt got any protection for this)

Version: 1.4 (released 04-05-2015)
-> Download the current version of EvlWatcher (free for personal and commercial use)

- a lot of people demanded a whitelist, so i added it
- pimped the management console

The software is totally yours, but I would appreciate a little comment on this blog if you use it, and maybe some feature requests in your comments to improve it.

If you rather refrain from downloading third party software for your server, you can also have a look at this blog:

  Things to do when you expose your windows server

There you can find answers to solve this problem without installing untrustworthy stuff ;). Be warned however, you should not be a complete beginner for this.

You should also know that there are some best practices which would probably also help reducing RDP attacks:
  • use VPN
    • RDP exposed to the web is considered as a bad practice actually. I don't care much about that, because I think its more convenient, but just so you know :)
  •  move RDP away from the default port.
    • reason why I don't like that either is the same as above.  :)

Documentation (current Version):

Basically, you install the service using the setup.exe and your PC should be protected against RDP-Brute forcers.

Below are some details:

You need to have the Microsoft .NET Framework 4.0 Client Profile or above installed.

I wrapped an installer around this software for easy setup, you can install the program (and optionally- the source files) using the

What it does:

It installs a service which scans the event log for anomalies every 30 seconds (by default).
When the service finds out that someone is taunting your server with RDP-login attempts, it adds the remote IP to a generic rule in the windows firewall which locks out the attacker. After 2 hours (default), the ban will be lifted, i.e. the IP will be removed from the rule.

After the service is terminated, the rule is deleted again.
When someone got his 3rd strike, he will be put on a permanent ban list, where you can only manually remove him.

After a successful installation, you should see the following service in your service list:

The rule it creates using the Windows Firewall API is called EvlWatcher.
You see the rule as disabled when no IP is currently being blocked, otherwise you can see the list of blocked IPs in the "Scope" section.

You dont have to enable it manually! It enables as soon as an IP needs to be blocked!

To uninstall the program:

Call the uninstaller as usual

Management Console (Version 1.4)

It was the queen of ugly for a while, but it has greatly improved in 1.4, finally.

To roll out your config to other PCs, just move the config.xml

Here's a screenshot:

Older Versions

Version 1.4

Download Version 1.4

Changes in 1.4

  • Removed FTP Task
  • Added white-list feature
  • Pimped the management console 

Version 1.2 

Download Version 1.2

Changes in 1.2

  • EvlWatcher now implements a WCF Service Pattern, so you can implement your Custom Management Console
  • EvlWatcher brings a Management Console, where you can configure some properties, as well as a blacklist
  • Some internal changes
    • Using System.IPAdress instead of string for method signatures
    • The Service core can pass properties to the tasks.
    • By request, the whole solution is provided instead of the single sources

Version 1.1 (stable)

Version 1.1 works reliably with older servers, which do not have a high .NET Framework version installed.(requires .NET Framework 2.0)

Download Version 1.1

Changes in 1.1

  • Uninstaller now completely removes the program. (previous version left some files to delete in the programs folder)
  • Added a message to the EventLog when someone is banned
  • Supports IPv6  
  • You can optionally install a task which blocks FTP Bruters. However, this is still in Beta, and its reaction time is very slow (between 30s and 1h:00min:30sec), depending on when FTP dumps its logs. Don't install it if you don't need to.

Version 1.0 (obsolete)

 You can no longer get Version 1.0, it was reliable, but did not work with IPv6

Greetings, Michael