
Windows Server: Block IP address after failed logins (Quick & Dirty)

Anyone who publishes Exchange servers and their web interfaces directly on the Internet via a port forward may be familiar with the problem: someone tries to guess user names and passwords, or tries to get into the mailboxes by brute force. Unfortunately, neither the Windows on-board tools nor Exchange Server offer an option to block the IP address after a few failed login attempts.

So here is another script from the Quick and Dirty section: using the Windows Event Viewer, you can find out the IP address from which a failed login originated. The corresponding event is 4625 (Security log, "An account failed to log on"), which carries the source address in its "Network Information" section:

I have therefore created two small scripts with the following functions:

The first script writes the IP address of each failed login to a file; the second script counts the login attempts per IP address and configures a Windows Firewall rule if too many failed logins originate from one IP.

Unfortunately, it turned out that this method is not one hundred percent reliable: with many failed login attempts, as in a brute-force attack, not every login is registered, which means that the IP is not blocked after 10 attempts but only after around 30. I have therefore invested little time in the scripts, as there are of course solutions that implement such a function better.

If you still want to use the scripts, you must set them up as follows:

Create a new task in Task Scheduler and define event 4625 as the trigger:

As the action, start the script "eventaction.ps1"; the script collects the 4625 events and writes them to a file:

Then create a second task with the trigger "At system startup":

As the action, start the script "blacklist-host.ps1":

The script runs continuously in a loop and evaluates the file "c:\IPban\ipban.txt". It is enough to create an empty file with that name beforehand so that the script does not run into an error. The paths can be adjusted inside the script files.

In the script "blacklist-host.ps1" you can also set the number of failed logins after which an IP is blocked, and for how long:

The script then configures the Windows Firewall with a "Deny" rule once an IP has been detected that produced too many failed logins:
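The two scripts themselves are not reproduced on the page. As an added example, not the post's eventaction.ps1 or blacklist-host.ps1, the following PowerShell implements the same idea in one polling script: it counts event 4625 per source IP directly from the Security log instead of going through the text-file handoff (the part the post reports as lossy under load), creates a Windows Firewall block rule when the threshold is reached, and removes the rule again after the configured time. The thresholds, the polling interval, the rule-name prefix "IPban " and the whitelist are assumptions; it needs an elevated session on a host whose Security log records 4625 with the source address.

```powershell
# Added example (not the post's scripts): count failed logons (event 4625)
# per source IP from the Security log and block offenders with a temporary
# Windows Firewall deny rule. Run elevated. All thresholds are assumptions.

$Threshold     = 10        # failed logons within the window before a block
$WindowMinutes = 10        # look-back window for counting
$BlockMinutes  = 60        # how long an IP stays blocked
$PollSeconds   = 60        # how often the log is re-read
$RulePrefix    = 'IPban '  # display-name prefix of the rules this script owns
$Whitelist     = @('127.0.0.1', '::1', '-')   # never block these ('-' = no address)

function Get-FailedLogonSources {
    # Returns a hashtable: source IP -> number of 4625 events in the window.
    param([int]$Minutes)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue   # no error when nothing matched
    $counts = @{}
    foreach ($e in $events) {
        # Read the IpAddress field from the event XML by name rather than by
        # position in Properties, so the code does not depend on field order.
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        if ([string]::IsNullOrWhiteSpace($ip) -or $Whitelist -contains $ip) { continue }
        if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
    }
    return $counts
}

function Block-SourceAddress {
    # Creates an inbound block rule for $Ip unless one already exists.
    param([string]$Ip, [int]$Minutes)
    $name = "$RulePrefix$Ip"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    $expires = (Get-Date).AddMinutes($Minutes).ToString('o')
    # The expiry is stored in the rule description so a later run can find and remove it.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $Ip -Profile Any -Description "expires=$expires" | Out-Null
    Write-Host "$(Get-Date -Format s) blocked $Ip until $expires"
}

function Remove-ExpiredBlocks {
    # Removes every rule with our prefix whose stored expiry lies in the past.
    $now = Get-Date
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Description -match '^expires=(.+)$') {
            $exp = [datetime]::Parse($Matches[1])
            if ($exp -lt $now) {
                $_ | Remove-NetFirewallRule
                Write-Host "$(Get-Date -Format s) unblocked $($_.DisplayName.Substring($RulePrefix.Length))"
            }
        }
    }
}

# Main loop: expire old blocks, then block every IP over the threshold.
while ($true) {
    Remove-ExpiredBlocks
    $sources = Get-FailedLogonSources -Minutes $WindowMinutes
    foreach ($ip in $sources.Keys) {
        if ($sources[$ip] -ge $Threshold) { Block-SourceAddress -Ip $ip -Minutes $BlockMinutes }
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Because the script re-reads the log on each pass instead of relying on one task run per event, a burst of attempts is counted in full at the next poll, which addresses the undercounting the post describes. The block is only as good as the address in the event: where the Exchange web interfaces sit behind a reverse proxy or load balancer, 4625 will show the proxy's address, and blocking it would cut off all users, so check a few events in Event Viewer before leaving this running, and keep the whitelist populated with your own management addresses.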

I have only tested the scripts briefly in my test environment, so you will need to do some work yourself and test them extensively. Here are the scripts for download.


Maybe someone can use them.
