PowerShell ile RDP ataklarını engellemenin yolu (tr-TR)


Bu script, Windows Firewall üzerinde oluşturacağınız RDP atak engelleme kuralına, hatalı giriş denemesi yapan RDP isteklerinin IP adreslerini ekler; yani atak yapan IP adresleri otomatik olarak firewall üzerindeki kuralınıza eklenir.

 

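# Firewall uzerinde tanimladiginiz engelleme kuralinin goruntulenen adini (DisplayName) yaziniz.
# The rule must already exist; this script only maintains its remote-address list.
$firewallRuleName = "RDP Atak Engelle"

# Beyaz liste: asla engellenmeyecek hostname'ler veya IP adresleri.
# One entry per element - the original single comma-separated string was handed to
# GetHostAddresses as ONE host name, so nothing in it ever resolved and the whitelist was empty.
# Put your own management addresses here so a mistyped password cannot lock you out.
$whiteListHosts = @(
   'powershell-ozan',
   'Ozan-WI',
   '192.168.2.101'
)

### kod ###
Write-Host "Running at $(Get-Date)"

# Dotted-quad IPv4 only (IPv6 sources are not handled by this script).
# The dot is escaped - the unescaped '.' in the original pattern matched any character.
# Each candidate is additionally range-checked with IPAddress.TryParse below.
$regExIp = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

# Resolve the whitelist once. A name that does not resolve is reported instead of being
# silently dropped, because a shrunken whitelist is exactly how you lock yourself out.
$whiteList = @()
foreach ($entry in $whiteListHosts) {
   try {
      $whiteList += [System.Net.Dns]::GetHostAddresses($entry) | ForEach-Object { $_.ToString() }
   }
   catch {
      Write-Warning "Whitelist entry '$entry' could not be resolved: $($_.Exception.Message)"
   }
}

# RDS icin olusan Event loglarindan Event ID 140 olanlari incele.
# -FilterHashtable filters inside the event log service instead of piping every event
# through Where-Object. Get-WinEvent reports "no events found" as an error, so it is
# silenced here and the empty case is handled by the Count check below.
# NOTE(review): whether Event 140 is written to this log depends on OS version and
# NLA settings - confirm on the target host that failed logons actually appear here.
$eventFilter = @{
   LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
   Id      = 140
}
$failedLogonMessages = @(Get-WinEvent -FilterHashtable $eventFilter -ErrorAction SilentlyContinue |
   Select-Object -ExpandProperty Message)

# Mesaj yok ise saldırı yoktur.
# @() above guarantees an array: with a single event the original code indexed a string
# character by character, so the message never matched and the raw text reached the firewall.
if ($failedLogonMessages.Count -eq 0) {
   Write-Host "No current attackers"
   return
}

# Her mesajdan dogrulanmis bir IPv4 adresi cikar.
# Messages without a parseable address are skipped rather than passed on as if they were
# addresses. This is the only sanitisation between untrusted event text and the firewall
# rule, so it is deliberately strict: regex shape AND a successful IPv4 parse.
$currentAttackers = @()
foreach ($message in $failedLogonMessages) {
   if ($message -match $regExIp) {
      $parsed = $null
      if ([System.Net.IPAddress]::TryParse($Matches[0], [ref]$parsed) -and
          $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
         $currentAttackers += $parsed.ToString()
      }
   }
}
$currentAttackers = @($currentAttackers | Sort-Object -Unique)

# Bilinen saldırganları güvenlik duvarı kuralından alın.
# -ErrorAction Stop: a missing rule aborts here with a clear message instead of failing
# later inside Set-NetFirewallRule.
$rule = Get-NetFirewallRule -DisplayName $firewallRuleName -ErrorAction Stop
$knownAttackers = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

# A rule with no address restriction reports 'Any'. Writing that back next to specific
# addresses would be wrong, so it is dropped; manually added entries (e.g. subnets) are kept.
# NOTE(review): confirm 'Any' is the value your firewall module reports for an unrestricted rule.
$knownAttackers = @($knownAttackers | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique)

# Her yeni saldırganı kontrol et: zaten biliniyorsa veya beyaz listedeyse atla, aksi halde ekle.
# -contains is element membership; the original .Contains() became a substring test whenever
# the rule held a single address (so "10.0.0.1" looked "known" if "10.0.0.10" was listed).
$addedCount = 0
foreach ($newAttacker in $currentAttackers) {
   if ($knownAttackers -contains $newAttacker) {
      continue   # zaten engelli
   }
   if ($whiteList -contains $newAttacker) {
      Write-Host "$newAttacker is dynamically whitelisted"
      continue
   }
   $knownAttackers += $newAttacker
   $addedCount++
   Write-Host "Added $newAttacker"
}

# dublicate'leri kaldırın
$knownAttackers = @($knownAttackers | Sort-Object -Unique)
Write-Host "$($knownAttackers.Count) IPs on blacklist"

# Kurali yalnizca liste degistiyse guncelle.
# Rewriting an unchanged list is needless churn, and an empty list is never written.
# The stray positional "RDP Atak Engelle" argument of the original call is gone: the rule
# is identified by -DisplayName alone.
if ($addedCount -gt 0 -and $knownAttackers.Count -gt 0) {
   Set-NetFirewallRule -DisplayName $firewallRuleName -RemoteAddress $knownAttackers
}
Write-Host ""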

 
