
I have a new install of Windows Server 2012 on a VM and I intend to use Wail2ban (https://github.com/glasnt/wail2ban) to try and block people attacking the server.

I have successfully added Wail2ban and I have this working now, but it certainly was not straightforward. There were a few settings I needed to change in gpedit.msc in order to get the IP of the attacking host to actually show up in the Event Viewer. Originally no source address was shown in the event.

By changing about three settings I now have this working, but I am now unable to access the shared files on the server.

One setting I had to change is gpedit.msc->Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options->Network Security: restrict NTLM: Incoming NTLM traffic. I have set this to "Deny All Accounts" and I do get the attacker IP in Event Viewer, but I cannot access shared files. With the other settings "Allow All"/"Deny all Domains" I do not get the IP in the Event Viewer, but I can access shared files.

Does anyone have any ideas how I can get both working or is this just a no go?

The Humble Rat
  • I am working on the same task now. I found this answer http://serverfault.com/questions/683837/event-id-4625-without-source-ip/814632#814632. There exists a Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event with the IP address, but without the username. My program cannot read logs directly from EventLog and I need to transfer it to SNMP/SysLog/text file, but Windows seems unable to do this. – moteus Dec 23 '16 at 10:20
  • @moteus great info, this helps move me forward a bit further. I have added a question here http://stackoverflow.com/questions/41302016/register-wmievent-applications-and-services-logs-wail2ban and you may want to check out https://www.daniweb.com/programming/software-development/threads/461221/accessing-extended-event-logs – The Humble Rat Dec 23 '16 at 13:04
  • I think I will use nxlog to redirect `RemoteDesktopServices-RdpCoreTS` events to my application. It's just lame that Windows does not add the IP address to 4625 and does not allow forwarding RdpCoreTS events to SNMP. I use SNMP to forward event 529 on Win2k3. – moteus Dec 23 '16 at 13:16

2 Answers


I now have this working with a few alterations.

I have changed the NTLM settings back to default; this is not necessary to do unless you have followed other articles and changed these settings.

A commenter pointed me in the direction of Event ID 4625 Without Source IP. It seems in the extended logs the IP is logged, just not in event 4625.

I followed the following article, Accessing Extended Logs, and added the registry key for Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.

I then changed one line in the wail2ban.ps1 file to allow these logs to be used:

$EventTypes = "Application,Security,System,Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"     #Event logs we allow to be processed

I also had to change the wail2ban_config to add the log file as well and reference the event type ID:

# Wail2ban Configuration
[Events]
#[Security]
#4625=RDP Logins
#[Application]
#18456=MSSQL Logins
[Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational]
140=RDP Logins
[Whitelist]
# Add your whitelist here, in the format `IP = Comment`
# Supports plain IPs, e.g. `12.34.56.78  = My Machine`
# Also, ranges, e.g. `11.22.33.0/24 = My Company Range`

Adding the [Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational] section is the important thing here.

Once I had rebooted so the registry changes could take effect, wail2ban started to work as expected.

I found wbemtest (put it in Run) to be useful here, as you are able to query the logs and check whether Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational is part of Win32_NTLogEvent.

Whilst I do now have this working, I will be looking at the solution proposed by @moteus, as this looks like an interesting solution that would be easily moved and installed.

The Humble Rat

I do not think it is possible to use Wail2Ban without a source change. This is how I solve this problem with nxlog and my SpyLog service.
  1. I redirect event 140 from Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational. This event has the IP address. I found this event in this answer

<Input eventlog>
    Module       im_msvistalog
    SavePos      TRUE
    ReadFromLast TRUE
    Channel      "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational">
                <Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational">*[System[(EventID=140)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output spylog>
    Module      om_udp
    Host        127.0.0.1
    Port        614
    Exec        $raw_event = "EventID: " + $EventID + "; " + $Message;
</Output>

<Route 1>
    Path        eventlog => spylog
</Route>
  2. In SpyLog I add a new filter like
FILTER{ "nxlog-rdp";
  enabled = true;
  source = "net:udp://127.0.0.1:614";
  exclude = WHITE_IP;
  hint = "EventID: 140";
  failregex = {
    "^EventID: 140; A connection from the client computer with an IP address of ([%d%.:]+)";
    -- UTF8
    "^EventID: 140; Не удалось подключить клиентский компьютер с IP%-адресом ([%d%.:]+)";
  };
};
moteus
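To show the detection step both answers rely on, here is an added example (not code from wail2ban, nxlog or SpyLog): it applies the two event 140 message patterns from the SpyLog failregex above (rewritten from Lua patterns to Python regex) to constructed lines in the "EventID: <id>; <message>" shape the om_udp Exec line produces, honours a wail2ban-format whitelist including CIDR ranges, and reports source IPs that reach a failure threshold. The sample addresses, the threshold and the helper names are assumptions.

```python
import re
import ipaddress
# Event 140 message patterns, English and the Russian localisation quoted in
# moteus's SpyLog failregex (Lua %d/%. classes rewritten as Python regex).
FAIL_PATTERNS = [
    re.compile(r"^EventID: 140; A connection from the client computer with an IP address of ([\d.:]+)"),
    re.compile(r"^EventID: 140; Не удалось подключить клиентский компьютер с IP-адресом ([\d.:]+)"),
]

def parse_whitelist(text):
    """Parse wail2ban-style whitelist lines: `IP = Comment` or `CIDR = Comment`."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr = line.split("=", 1)[0].strip()
        nets.append(ipaddress.ip_network(addr, strict=False))  # a bare IP becomes a /32 or /128
    return nets

def is_whitelisted(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def extract_ip(line):
    """Return the client IP from an event 140 line, or None for any other event."""
    for pat in FAIL_PATTERNS:
        m = pat.match(line)
        if m:
            return m.group(1)
    return None

def candidates_to_ban(lines, whitelist_text, threshold):
    """Count event 140 failures per source IP; return non-whitelisted IPs at or over threshold."""
    nets = parse_whitelist(whitelist_text)
    counts = {}
    for line in lines:
        ip = extract_ip(line)
        if ip is None or is_whitelisted(ip, nets):
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample input (hypothetical addresses; the Russian message tail is omitted).
SAMPLE_LINES = (
    ["EventID: 140; A connection from the client computer with an IP address of 203.0.113.7 failed because the user name or password is not correct."] * 5
    + ["EventID: 140; A connection from the client computer with an IP address of 192.168.1.20 failed because the user name or password is not correct."] * 6
    + ["EventID: 140; Не удалось подключить клиентский компьютер с IP-адресом 198.51.100.9 (rest of message omitted)"] * 2
    + ["EventID: 131; (constructed non-140 event, must be ignored)"]
)
SAMPLE_WHITELIST = "# format `IP = Comment`, ranges allowed\n192.168.1.0/24 = My Company Range\n"
```

With a threshold of 5 only 203.0.113.7 is reported: the 192.168.1.20 failures are inside the whitelisted range and the two Russian-language failures are below the threshold.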