By following the steps below, you will be able to create a new policy and manage the filter lists and actions. The goal here will be to put all these pieces together into a nice tidy package that is fully automated.

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the command prompt. If you don’t know how, you probably shouldn’t be doing this. All commands meant to be typed are in italics.

Step 1: Create IP Security Policy

netsh ipsec static add policy description=”This policy blocks all traffic to hosts/nets associated with it.”

Step 2: Create an IP Filter List

netsh ipsec static add filterlist description=”This filter list contains hosts and networks known to host malware, criminal activity, etc.”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

Single IP (10.254.254.254/32)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.254 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Subnet (10.254.254.0/24)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.0 dstaddr=any srcmask=24 description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Network Range (10.254.254.2-10)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.2-10.254.254.15 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Step 4: Create a Filter Action

netsh ipsec static add filteraction description=”This action blocks all traffic.” action=block

Step 5: Create Policy Rule to apply Filter Action to Filter List

netsh ipsec static add rule policy=”Blocked Traffic” filterlist=”Bad Hosts” filteraction=”Block All Traffic” activate=yes

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

Assign

netsh ipsec static set policy name=”Blocked Traffic” assign=yes

Un-assign

netsh ipsec static set policy assign=no

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000)

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the Local Security Policy by:

• Control Panel → Administrative Tools → Local Security Policy
• Start → Run → secpol.msc

Step 1: Create IP Security Policy

1. Right click “IP Security Policies on Local Computer”
2. Select “Create IP Security Policy…”
3. IP Security Policy Wizard
   • Welcome Screen → Next
   • IP Security Policy Name → Give a descriptive name and description → Next
   • Requests for Secure Communication → Do Not Check “Activate the default response rule” → Next
   • Wizard Completion → Do Not Check “Edit Properties” → Finish

Step 2: Create an IP Filter List

1. Double click your new policy (or, right click and select properties)
2. On the Rules Tab → Uncheck “Use Add Wizard” → Click “Add…”
3. Create an IP Filter List
   • On the “IP Filter List” Tab → Click “Add…”
   • In the “IP Filter List” Window → Enter a descriptive name and description → Uncheck “Use Add Wizard” → Click “Add…”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

1. Address Tab
   • Change Source Address to → “A specific IP Address or Subnet”
   • Enter the IP Address and/or subnet in the text box (Use CIDR syntax for defining subnets (e.g. 10.10.10.0/24)
   • Check “Mirrored”
2. Protocol Tab → Ensure protocol type is set to “Any”
3. Description Tab → Enter a description. It is typically useful to identify the creator of the rule, why it was added and a date/time when the rule was created.
4. Click “OK”
5. Repeat step 3 until all the hosts/networks you wish to block are entered. Once completed, press “OK”.

Step 4: Create a Filter Action

1. On the “Filter Action” Tab → Uncheck “Use Add Wizard” → Click “Add…”
2. On the “Security Methods” Tab → Select the “Block” radio button (All other options on this tab will become greyed out)
3. On the “General” Tab → Enter a descriptive name and description → Press “OK”

Step 5: Create Policy Rule to apply Filter Action to Filter List

1. On the “Filter Action” Tab, ensure the new filter action you created is selected.
2. On the “IP Filter List” Tab, ensure the new filter list you created is selected.
3. Press “OK”
4. On the new policy properties window, ensure the new list and action are enabled.
5. Press “OK”

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

1. Right click your new policy → Select “Assign” → Done (It really is that easy)
   • To un-assign, just do the same thing except select “Un-assign” instead.

In part 3, I will cover how to do all this directly from the command line.

While troubleshooting some issues on an OWA Front-End server, I went over to the security log to see if the authentication attempts were getting past this box. The problem I found was the log was so full of failed logon attempts it was difficult to filter out what I was looking for. In a twelve hour period, there were thousands of 529 events in the security log. Now, I know this is nothing new, but I found a few patterns. I manually exported the log to a CSV, parsed out all the source ip addresses and opened it up in Excel. What I found was that 98.7% of failed logon attempts were made by just four different ip addresses.  (I recommend using MaxMind’s GeoIP Address Locator for help in determining where the source addresses are located.)

The easy fix is to setup an IPSec policy to block all traffic coming from those addresses.  And I did just that.  There are many different methods to blocking bad hosts.  And, anybody who has dealt with this knows, they will come back.  Just from different addresses.

One other piece I was able to get from this is that there are several of our users whom have fat fingered their passwords within ActiveSync (or they just have it setup wrong).  And then there are those users who have forgotten their domain, e-mail address, username, etc.

This is step one in my project to automate the blocking of bad hosts.  My goal is to build an automated method for blocking hosts with a high percentage of bad logon attempts within n hours.  And, even if I can’t get it 100% automated, this first whack at it took my bad logon attempts from 800 per hour to 25 per hour; nearly a 97% improvement!  And, a lot less crap to sift through when troubleshooting real issues.

So, my first goal is to automate a method of extracting the data I want from the event log.  (The script can be found below.)  The most important piece of data is the source ip address.  However, the other pieces of data I decided to extract could be helpful in determining the legitimacy of the logon failure.

To get the data, simply download the script and run “cscript /nologo get-bad-hosts.vbs > bad-hosts.csv” (w/o the quotes).  You can then open the file in Excel, do a quick pivot-table and identify the source addresses with the most hits.  At that point, you can add the host (or address block) to an ipsec policy to block all traffic from that address.

In my next post, I’ll explain the details in setting up a quick ipsec policy to block the bad guys.  Cheers!

'==========================================================================
' VBScript Source File
' NAME: get-bad-hosts.vbs
' AUTHOR: Andrew J Healey
' WEB: http://halfloaded.com/
' DATE  : Dec 21 2009
' COMMENT: This script will return data in csv format for use in determining
'	hack, lockout or bad logon attempts
' PROCESS: 1) query event log for event id 529; 2) parse data to return
'	useful data; 3) output to screen
' USAGE: cscript /nologo get-bad-hosts.vbs c:\bad-hosts.csv
'==========================================================================
 
Option Explicit
On Error Resume Next
 
Dim strComputer, objWMIService, colLoggedEvents
Dim objEvent, objRegEx, colMatches, strMatch
Dim strUserName, strWorkstation, strIPAddress, strDomain
 
'Change to name of computer to query remote machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 
'Event 529 in the security log are "Failure Audit" for a "Logon/Logoff"
Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '529'")
 
'Write header to screen
wscript.echo chr(34) & "User Name" & chr(34) & "," & _
			 chr(34) & "Workstation" & chr(34) & "," & _
			 chr(34) & "Source IP" & chr(34) & "," & _
			 chr(34) & "Windows Domain" & chr(34) & "," & _
			 chr(34) & "Date/Time" & chr(34)
 
'Loop through all events matching criteria above: 529 in sec log
For Each objEvent in colLoggedEvents
	'Use regex to parse any ip addresses from event
	' if no address found, goto next record
	Set objRegEx = CreateObject("VBScript.RegExp")
	objRegEx.Global = True
	objRegEx.IgnoreCase = True
 
	'Will return the line of the user name that was used
	objRegEx.Pattern = "(\tUser Name:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strUserName = strMatch.Value
	Next
 
	'Will return the line of the workstation name that was used
	objRegEx.Pattern = "(\tWorkstation Name:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strWorkstation = strMatch.Value
	Next
 
	'Will return the line of the source ip address
	objRegEx.Pattern = "(\tSource Network Address:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strIPAddress = strMatch.Value
	Next
 
	'Will return the line of the domain that was used
	objRegEx.Pattern = "\tDomain:(.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strDomain = strMatch.Value
	Next
 
	'Output clean csv line for easy reading in spreadsheet program
	wscript.echo chr(34) & GetCleanText(strUserName) & chr(34) & "," & _
				 chr(34) & GetCleanText(strWorkstation) & chr(34) & "," & _
				 chr(34) & GetCleanText(strIpAddress) & chr(34) & "," & _
				 chr(34) & GetCleanText(strDomain) & chr(34) & "," & _
				 chr(34) & WMIDateStringToDate(objEvent.TimeWritten) & chr(34)
Next
 
Private Function GetCleanText(byVal strText)
	'This will cleanup the text and return only necessary data
	' I'm sure there is a better way to do this :)
	dim tmp,txt
	tmp = Split(strText,":")
	txt = tmp(1)
	txt = Replace(txt,vbTab,"")
	txt = Replace(txt,vbCrLf,"")
	txt = Trim(txt)
	GetCleanText = txt
End Function
 
Private Function WMIDateStringToDate(byVal dtmEventDate)
	'Borrowed from the "Hey, Scripting Guy! BLOG"
	' --> Search: WMIDateStringToDate
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
        Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
            & " " & Mid (dtmEventDate, 9, 2) & ":" & _
                Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
                    13, 2))
End Function