Recently, because of the pandemic, everyone is working from home. To allow remote access, some small offices did not set up a VPN; instead they configured port forwarding on the firewall straight to port 3389 on the server. And for one reason or another the firewall does not restrict the source IP either, so the result is that anyone on the internet can reach the service. Changing the external port to some very high number does not buy much security: for a scanner it is only a matter of time.

Douzi ran into exactly this kind of case today. A clinic's server kept rebooting, and logging in showed a Security log full of failed authentication events of every kind. The server also had no security software installed at all; it was running completely bare.

Reading these in Event Viewer is inconvenient, so let's write a simple script to query them.
function get-hacker{
    # Pull the most recent 1000 failed logon events (4625) from the Security log
    $eventcritea = @{logname='security';id=4625}
    $Events = Get-WinEvent -FilterHashtable $eventcritea -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventcritea
    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Iterate through each one of the XML message properties
        For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
            # Append these as object properties (TargetUserName, IpAddress, LogonType, ...)
            Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
        }
    }
    $Events | select TimeCreated, TargetUserName, IpAddress
}
$result = get-hacker
The result is shown below. You can see the attacker cycling through different usernames, but no IP address is shown: when RDP is protected by Network Level Authentication, the failure is recorded as a network logon (logon type 3) and the IpAddress field of event 4625 is typically just "-".

No need to worry. The Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log records the real client IP (event ID 140, "connection ... failed because the user name or password is not correct"), as shown below. Even while we are looking, the other side keeps scanning and running a dictionary attack against the password.

Tweak the script above a little and scan again.
function get-hacker{
    # Event 140: a client connection failed because the user name or password is incorrect
    $eventcritea = @{logname='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational';id=140}
    $Events = Get-WinEvent -FilterHashtable $eventcritea -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventcritea
    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Event 140 carries a single EventData field, the client IP; append it as a property
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name IP -Value $eventXML.Event.EventData.Data.'#text'
    }
    $Events
}
$result = get-hacker
$result | select TimeCreated, IP | Group-Object IP
You can see that the malicious scanning comes from these 6 addresses.
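The two logs complement each other: event 140 has the client IP but no username, and 4625 has the username but (for NLA failures) no IP. Because both are written within a few seconds of the same failed attempt, a timestamp join recovers which account names each source was trying, which tells you whether the attacker is guessing blindly or already knows a valid account. The following is an added example, not code from the original post; the sample records are constructed inline to stand in for the objects the two get-hacker functions above return, and the 3-second window is an assumed tolerance.

```powershell
# Added example: join RdpCoreTS event 140 (IP) with Security 4625 (username) by time.
function Join-RdpFailures {
    param(
        [Parameter(Mandatory)] [object[]] $RdpEvents,    # objects with TimeCreated and IP (event 140)
        [Parameter(Mandatory)] [object[]] $LogonEvents,  # objects with TimeCreated and TargetUserName (4625)
        [int] $WindowSeconds = 3                         # assumed tolerance between the two log writes
    )
    foreach ($rdp in $RdpEvents) {
        # Nearest 4625 within the window, in either direction
        $match = $LogonEvents |
            Where-Object { [math]::Abs(($_.TimeCreated - $rdp.TimeCreated).TotalSeconds) -le $WindowSeconds } |
            Sort-Object { [math]::Abs(($_.TimeCreated - $rdp.TimeCreated).TotalSeconds) } |
            Select-Object -First 1
        $user = if ($match) { $match.TargetUserName } else { '(no 4625 within window)' }
        [pscustomobject]@{
            TimeCreated = $rdp.TimeCreated
            IP          = $rdp.IP
            TargetUser  = $user
        }
    }
}

# One row per source IP: attempt count, distinct usernames tried, first/last seen
function Get-RdpAttackSummary {
    param([Parameter(Mandatory)] [object[]] $Joined)
    $Joined | Group-Object IP | ForEach-Object {
        $times = @($_.Group.TimeCreated) | Sort-Object
        [pscustomobject]@{
            IP       = $_.Name
            Attempts = $_.Count
            Users    = (@($_.Group.TargetUser) | Sort-Object -Unique) -join ', '
            First    = $times[0]
            Last     = $times[-1]
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample data (not real log output): two sources, one trying several accounts
$t0 = [datetime]'2020-04-01T10:00:00'
$sampleRdp = @(
    [pscustomobject]@{ TimeCreated = $t0;               IP = '203.0.113.10' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(4); IP = '203.0.113.10' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(9); IP = '198.51.100.7' }
)
$sampleLogon = @(
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(1);  TargetUserName = 'administrator' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5);  TargetUserName = 'admin' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10); TargetUserName = 'reception' }
)

# In production replace the two sample arrays with the output of the get-hacker functions
Join-RdpFailures -RdpEvents $sampleRdp -LogonEvents $sampleLogon |
    Get-RdpAttackSummary | Format-Table -AutoSize
```

The join is a heuristic: when several sources fail in the same second the pairing can be wrong, so the RdpCoreTS event alone remains the authoritative source for the IP, and the usernames are supporting context rather than evidence.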
The clinic's router is such junk that no firewall policy can be configured on it, so I simply created a new rule in Windows Firewall, an inbound Block rule named 'blacklist', that blocks these IP addresses.

Scanning the logs again afterwards showed no new failures, which confirms that the block is effective.

Then I installed antivirus software and cleaned out a pile of malicious files.

A while later I noticed new IPs scanning, so I tidied up the script a bit so that it can add IPs to the firewall rule automatically.
function get-hacker{
    Param(
        # Param1: name of the event log to query
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $name,
        # Param2: event ID to filter on (140 for RdpCoreTS, 4625 for Security)
        [int]
        $id
    )
    $eventcritea = @{logname=$name;id=$id}
    $Events = Get-WinEvent -FilterHashtable $eventcritea -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventcritea
    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Event 140 has a single EventData field (the client IP), so the per-field loop is not needed
        #For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        # Append it as an object property
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name IP -Value $eventXML.Event.EventData.Data.'#text'
    }
    $Events
}
$result = get-hacker -name 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' -id 140
$ip = $result | select TimeCreated, IP | Group-Object IP | select -ExpandProperty Name
function Add-MvaNetFirewallRemoteAdressFilter {
    <#
    .SYNOPSIS
    This function adds one or more IP addresses to the firewall remote address filter
    .DESCRIPTION
    With the default Set-NetFirewallAddressFilter you can set an address filter for a firewall rule. You cannot use it to
    add an IP address to an existing address filter: the existing address filter is replaced by the new one.
    The Add-MvaNetFirewallRemoteAdressFilter function appends the IP address, which is very useful when there are already
    many IP addresses in the address filter.
    .PARAMETER fwAddressFilter
    This parameter contains the AddressFilter that you want to change. It accepts pipeline output from the command
    Get-NetFirewallAddressFilter
    .PARAMETER IPaddresses
    This parameter is mandatory and can contain one or more IP addresses. You can also use a subnet.
    .EXAMPLE
    Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses 192.168.5.5
    Add a single IP address to the remote address filter of the firewall rule 'Test-Rule'
    .EXAMPLE
    Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses 192.168.5.5, 192.168.6.6, 192.168.7.0/24
    Add multiple IP addresses to the remote address filter of the firewall rule 'Test-Rule'
    .LINK
    https://get-note.net/2018/12/31/edit-firewall-rule-scope-with-powershell/
    .INPUTS
    Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter
    .OUTPUTS
    .NOTES
    You need to be Administrator to manage the firewall.
    #>
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true,
                   Mandatory = $True)]
        [psobject]$fwAddressFilter,
        # One or more addresses (or subnets) to append to the rule's remote address list
        [Parameter(Position = 0,
                   Mandatory = $True,
                   HelpMessage = "Enter one or more IP Addresses.")]
        [string[]]$IPAddresses
    )
    process {
        try {
            #Get the current list of remote addresses
            [string[]]$remoteAddresses = $fwAddressFilter.RemoteAddress
            Write-Verbose -Message "Current address filter contains: $remoteAddresses"
            #Add new ip address to the current list. If the filter still holds one of the
            #built-in keywords there is nothing to append to, so start a fresh list.
            if ($remoteAddresses.Count -eq 1 -and $remoteAddresses[0] -in 'Any', 'LocalSubnet', 'LocalSubnet6', 'PlayToDevice') {
                $remoteAddresses = $IPAddresses
            }
            else {
                $remoteAddresses += $IPAddresses
            }
            #set new address filter
            $fwAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress $remoteAddresses -ErrorAction Stop
            Write-Verbose -Message "New remote address filter is set to: $remoteAddresses"
        }
        catch {
            $PSCmdlet.ThrowTerminatingError($PSitem)
        }
    }
}
$current = Get-NetFirewallRule -DisplayName 'blacklist' | Get-NetFirewallAddressFilter
$lists = $current | select -ExpandProperty RemoteAddress
# Collect the addresses not yet in the rule and add them with a single call:
# Set-NetFirewallAddressFilter replaces the whole list, so adding one address at a
# time from the same (stale) $current object would overwrite the earlier additions.
$new = @()
foreach($i in $ip){
    if ($lists -contains $i){
        Write-Host "$i is already in the scope of blacklist" -ForegroundColor Green
    }
    else{
        $new += $i
    }
}
if ($new.Count -gt 0){
    $current | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses $new
}
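As an added example (not the post's own script), here is a self-contained version of the same procedure that a practitioner would want before putting it on a schedule. It adds three safeguards the quick script lacks: a minimum failure count so one mistyped password from a real user is not blocked, protection for the address of the RDP session you are administering from, and re-reading the rule on every run so earlier entries are never overwritten. It also creates the block rule if it is missing, together with its first addresses, because an inbound Block rule created without -RemoteAddress applies to Any and would lock everyone out. The rule name 'rdp-blacklist', the threshold of 5 failures in the last 60 minutes and RDP on port 3389 are assumptions for this example and do not come from the post.

```powershell
# Added example: scheduled auto-blocklist for RDP brute-force sources.
# Run elevated; Get-WinEvent on this log and the NetSecurity cmdlets need Administrator.
function Get-RdpBruteForceSources {
    param(
        [int] $MinFailures   = 5,     # one or two failures is a typo, not an attack (assumed threshold)
        [int] $WithinMinutes = 60,    # only act on recent activity (assumed window)
        [int] $MaxEvents     = 5000
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
        Id        = 140
        StartTime = (Get-Date).AddMinutes(-$WithinMinutes)
    }
    # SilentlyContinue: Get-WinEvent raises an error when no event matches the filter
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $ips = foreach ($e in $events) { ([xml]$e.ToXml()).Event.EventData.Data.'#text' }
    $ips | Group-Object | Where-Object { $_.Count -ge $MinFailures } |
        ForEach-Object { [pscustomobject]@{ IP = $_.Name; Failures = $_.Count } }
}

function Get-ProtectedAddresses {
    param([int] $RdpPort = 3389)   # assumed listening port
    # Never block the peer of the RDP session we are working from: a mistyped
    # password during the investigation would otherwise lock us out.
    $peers = (Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue).RemoteAddress
    @($peers) | Where-Object { $_ } | Sort-Object -Unique
}

function Update-RdpBlocklist {
    param(
        [string]   $RuleName = 'rdp-blacklist',   # assumed rule name
        [string[]] $Addresses,
        [string[]] $Exclude
    )
    $wanted = @($Addresses | Where-Object { $_ -and $_ -notin $Exclude } | Sort-Object -Unique)
    if ($wanted.Count -eq 0) { return @() }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Create the rule together with its first addresses; never without -RemoteAddress
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $wanted | Out-Null
        return $wanted
    }

    # Re-read the filter every run: Set-NetFirewallAddressFilter overwrites the whole
    # list, so merging against a stale copy would silently drop earlier entries.
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) |
        Where-Object { $_ -notin 'Any', 'LocalSubnet', 'LocalSubnet6' }
    $missing = @($wanted | Where-Object { $_ -notin $current })
    if ($missing.Count -eq 0) { return @() }
    $rule | Get-NetFirewallAddressFilter |
        Set-NetFirewallAddressFilter -RemoteAddress (@($current) + $missing)
    return $missing
}

$sources = Get-RdpBruteForceSources
$added   = Update-RdpBlocklist -Addresses $sources.IP -Exclude (Get-ProtectedAddresses)
foreach ($ip in $added) { Write-Host "blocked $ip" -ForegroundColor Yellow }
```

Run it from a scheduled task every few minutes under an administrator account. Blocked sources stop producing event 140 (their TCP connections are dropped before authentication), so the absence of new events from an address is the expected sign that the block took effect. This remains a stopgap: the durable fix is to stop exposing 3389 to the internet, either by a VPN or by restricting the port-forward to known source addresses.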
That takes care of a temporary band-aid fix; a new router will need to be configured later to replace their antique.