blacklist -> blocklist, whitelist -> allowlist #2

wants to merge 2 commits into
base: main
62 changes: 31 additions & 31 deletions script/PSLogonFailures.ps1
Expand Up @@ -25,10 +25,10 @@ $BlockSMTP = 0 # Set to 1 blocks SMTP traffic on port 25
$BlockRWW_RDP = 0 # When set to 1, blocks port 4125, used by SBS servers to proxy RDP connections.
$fwprofile = "Any" # Set to "Any" to apply to all networks (public, domain, private / home)

# Full path to the whitelist, e.g. c:\psl\whitelist.txt :
$whitelist = 'C:\psl\whitelist.txt'
# Full path to blacklist e.g: c:\psl\blacklist.txt
$blacklist = 'C:\psl\blacklist.txt'
# Full path to the allowListFile, e.g. c:\psl\allowlist.txt :
$allowListFile = 'C:\psl\allowlist.txt'
# Full path to blocklist e.g: c:\psl\blocklist.txt
$blockListFile = 'C:\psl\blocklist.txt'

############################
# Do not edit beneath here #
Expand All @@ -39,12 +39,12 @@ $WinVer = [System.Environment]::OSVersion.Version
#Deal with the lists:
$blocklist = @{}

if (test-path $whitelist) {
write-host "Whitelist found" -foregroundcolor green
if (test-path $allowListFile) {
write-host "Allowlist found" -foregroundcolor green
} else {
# If the whitelist can't be found:
Write-host "Unable to find the whitelist file, exiting for your protection." -foregroundcolor red -backgroundcolor gray
Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the whitelist. Exiting for your protection. `n Whitelist claims to be at: $whitelist" -Source $WriteLogSource -EntryType Error -id 1237
# If the allowlist File can't be found:
Write-host "Unable to find the allowlist file, exiting for your protection." -foregroundcolor red -backgroundcolor gray
Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the allowlist file. Exiting for your protection. `n Allowlist claims to be at: $allowListFile" -Source $WriteLogSource -EntryType Error -id 1237
exit
}

Expand All @@ -59,13 +59,13 @@ function DeletePSLFirewallRules {
netsh advfirewall firewall del rule name="PSLogonFailures - Block All TCP"
}

function ProcessBlacklists {
write-host Processing blacklists -foregroundcolor yellow
if (test-path $blacklist){
if ((get-content $blacklist|measure-object).count -gt 0){
#Add the blacklist to the $blocklist
$blacklist_content = get-content $blacklist
foreach ($BlIP in $blacklist_content){
function ProcessBlocklists {
write-host Processing blocklists -foregroundcolor yellow
if (test-path $blockListFile){
if ((get-content $blockListFile|measure-object).count -gt 0){
#Add the blockListFile to the $blocklist
$blocklist_content = get-content $blockListFile
foreach ($BlIP in $blocklist_content){
if($blocklist.ContainsKey($BlIP)){
$blocklist[$BlIP] = $blocklist[$BlIP]+1
}else{
Expand All @@ -74,15 +74,15 @@ function ProcessBlacklists {
}
}
} else {
Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the blacklist.`n Blacklist claims to be at: $blacklist" -Source $WriteLogSource -EntryType Error -id 1239
Write-EventLog -LogName $WriteLog -Message "PSLogonFailures.ps1 cannot load the blocklist.`n Blocklist claims to be at: $blockListFile" -Source $WriteLogSource -EntryType Error -id 1239
}

}

function ProcessWhitelist{
write-host Processing Whitelist -foregroundcolor yellow
$whitelistIPs = get-content $whitelist
foreach ($ip in $whitelistIPs)
function ProcessAllowlist{
write-host Processing Allowlist -foregroundcolor yellow
$allowListIPs = get-content $allowListFile
foreach ($ip in $allowListIPs)
{
if ($blocklist.containskey($ip)){
$badwhites = "$badwhites `n $ip"
Expand Down Expand Up @@ -169,18 +169,18 @@ function AddFirewallRules {

}

function BlockBlacklistOnly {
function BlockBlocklistOnly {
#This will be called if the local security log doesn't have any failed logins.
. ProcessBlacklists
. ProcessWhitelist
. ProcessBlocklists
. ProcessAllowlist
. AddFirewallRules

}

function WriteEndLog{
if ($WriteLogEnd -eq 1){
if ($WriteLogType -eq 'Error'){
Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following whitelisted IPs are also attacking (or on a blacklist): $badwhites `n Whitelist file: $whitelist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking (or on a blocklist): $badwhites `n Allowlist file: $allowListFile" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
} else {
Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1. There were no failed logon attempts in the security log. Removing the firewall rule." -Source $WriteLogSource -id $WriteLogID
}
Expand All @@ -197,7 +197,7 @@ trap [Exception]
write-host "No Entries (TRAP)"

DeletePSLFirewallRules
. BlockBlacklistOnly
. BlockBlocklistOnly
WriteEndLog
exit
} else {
Expand All @@ -209,7 +209,7 @@ trap [Exception]

if ($WriteLogStart -eq 1){
# Log the fact this script is starting.
Write-EventLog -LogName $WriteLog -Message "Starting PSLogonFailures.ps1. `n Windows Version $WinVer . `n Your whitelist: $whitelist" -Source $WriteLogSource -id 1234
Write-EventLog -LogName $WriteLog -Message "Starting PSLogonFailures.ps1. `n Windows Version $WinVer . `n Your allowList: $allowListFile" -Source $WriteLogSource -id 1234
}

$interval = (get-date) - (new-timespan -minutes $minutes)
Expand All @@ -220,8 +220,8 @@ if ($WinVer.major -eq 6 -and $WinVer.minor -eq 0){
$event = get-winevent -FilterHashtable @{ logname=$LogName; ID=4625; StartTime=$interval }
}

#Add the Blacklist to the $blocklist
ProcessBlacklists
#Add the blockListFile to the $blocklist
ProcessBlocklists

foreach ($ip in $event){

Expand Down Expand Up @@ -252,7 +252,7 @@ ProcessBlacklists

}

# Deal with the whitelist
# Deal with the allowListFile
. ProcessWhiteList
# Remove any stale rules
. DeletePSLFirewallRules
Expand All @@ -261,5 +261,5 @@ ProcessBlacklists
WriteEndLog

#if ($WriteLogEnd -eq 1){
# Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following whitelisted IPs are also attacking: $badwhites `n Whitelist file: $whitelist" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
# Write-EventLog -LogName $WriteLog -Message "Finished PSLogonFailures.ps1.`nThe following IPs were blocked $BlockedServices : `n $remoteIPs `n The following allowed IPs are also attacking: $badwhites `n Allowlist file: $allowListFile" -EntryType $WriteLogType -Source $WriteLogSource -id $WriteLogID
#}
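Review bot: The call `. ProcessWhiteList` under the comment `# Deal with the allowListFile` still uses the old function name, although this PR renames the definition to `ProcessAllowlist`; only the no-failed-logons path through `BlockBlocklistOnly` calls the renamed function, so on the main path (failed logons present) PowerShell will hit a command-not-found error at that line. What happens next depends on the script's `trap [Exception]` handler, whose body lies outside these hunks, but either the run aborts before the firewall rules are rebuilt or, if `ProcessAllowlist` is what removes allowlisted entries from `$blocklist` (its body continues past the hunk), that exclusion is silently skipped and allowlisted addresses seen in the event log could be blocked. Change the line to `. ProcessAllowlist`. For consistency with the rest of the rename, `$badwhites` in `ProcessAllowlist` and `WriteEndLog` could also take a neutral name such as `$badAllowed`, and the log text `Your allowList:` could match the `Allowlist` spelling used in the other messages.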
File renamed without changes.
File renamed without changes.