From 9fd7d8bfa221c284e74bfcf0c98a91856350e96e Mon Sep 17 00:00:00 2001 From: greatquux Date: Thu, 30 Mar 2017 13:48:19 -0400 Subject: [PATCH 01/18] remove extra arguments these extra arguments are not necessary and can cause unblocking to fail depending on blackholeip used --- ts_block.vbs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ts_block.vbs b/ts_block.vbs index 3f9b6cc..645d0af 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -229,7 +229,7 @@ Sub Unblock(IP) Dim strRunCommand If (TESTING <> 1) Then - If intBlackholeStyle = BLACKHOLE_ROUTE Then strRunCommand = "route delete " & IP & " mask 255.255.255.255 " & blackHoleIPAddress + If intBlackholeStyle = BLACKHOLE_ROUTE Then strRunCommand = "route delete " & IP If intBlackholeStyle = BLACKHOLE_FIREWALL Then strRunCommand = "netsh advfirewall firewall delete rule name=""Blackhole " & IP & """" If DEBUGGING Then WScript.Echo "Executing " & strRunCommand From aec5885d7acb93aa37e659a363f145eb843038ba Mon Sep 17 00:00:00 2001 From: greatquux Date: Thu, 30 Mar 2017 14:21:41 -0400 Subject: [PATCH 02/18] add hard-coded BlackholeIP of 0.0.0.0 I have tested using a blackhole IP of 0.0.0.0 on 2008/2008R2/2012/2012R2 and it works in each case to effectively deny network access to the offending IP. --- ts_block.vbs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ts_block.vbs b/ts_block.vbs index 645d0af..e591bb7 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -53,7 +53,7 @@ Const DEFAULT_BLOCK_TIMEOUT = 120 ' in X seconds Const REG_BLOCK_TIMEOUT = "BlockTimeout" ' Black hole IP address (if hard-specified) -Const REG_BLACKHOLE_IP = "BlackholeIP" +Const REG_BLACKHOLE_IP = "0.0.0.0" ' Usernames that attempted logons for result in immediate blocking Set dictBlockImmediatelyUsers = CreateObject("Scripting.Dictionary") From 0667e8cc9c122c4c78db6f2ec6b9fa375f8e33f6 Mon Sep 17 00:00:00 2001 
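Review bot: Unblock still concatenates IP straight into the route/netsh command line, and nothing in this hunk shows the value has been validated as a dotted-quad; the only sanitising visible in the series is the registry path (`blackHoleIPAddress = regexpSanitizeIP.Replace(...)` in PATCH 03/18), while the address handled here presumably originates from the security event. Unless the caller guarantees that, add a guard before strRunCommand is built, e.g. `If regexpSanitizeIP.Replace(IP, "") <> IP Then Exit Sub` (assuming that regexp strips anything that is not part of an address — confirm against its definition, which is outside the hunk). Dropping the mask and gateway is what the commit intends; Sub Unblock starts before this hunk and continues after it, so whether the command's exit status is checked is not visible here.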
From: Mike Russo Date: Thu, 30 Mar 2017 14:40:28 -0400 Subject: [PATCH 03/18] Add registry option for blocking style --- ts_block.vbs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ts_block.vbs b/ts_block.vbs index e591bb7..a04d4df 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -53,7 +53,10 @@ Const DEFAULT_BLOCK_TIMEOUT = 120 ' in X seconds Const REG_BLOCK_TIMEOUT = "BlockTimeout" ' Black hole IP address (if hard-specified) -Const REG_BLACKHOLE_IP = "0.0.0.0" +Const REG_BLACKHOLE_IP = "BlackholeIP" + +' Blocking style (may prefer to use routing if Windows Firewall is disabled) +Const REG_BLOCK_STYLE = "BlockStyle" ' Usernames that attempted logons for result in immediate blocking Set dictBlockImmediatelyUsers = CreateObject("Scripting.Dictionary") @@ -112,7 +115,6 @@ For Each intOSBuild in colOperatingSystem WScript.Quit EVENTLOG_ID_ERROR_WIN_XP End If - If DEBUGGING Then WScript.Echo "intBlackHoleStyle = " & intBlackHoleStyle Next ' intOSBuild ' Read configuration from the registry, if present, in a really simplsitic way @@ -129,9 +131,13 @@ If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) > 0 Then intBlock If objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP) <> "" Then blackHoleIPAddress = regexpSanitizeIP.Replace(objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP), "") Else - blackHoleIPAddress = "" + blackHoleIPAddress = "0.0.0.0" End If +' Override block style if set in registry +If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) > 0 Then intBlockStyle = CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) +If DEBUGGING Then WScript.Echo "intBlackHoleStyle = " & intBlackHoleStyle + On Error Goto 0 ' Only obtain a blackhole adapter address on versions of Windows where it is required From 5205ba2165b7cd9938e4e5a6dbc20a2233d8370b Mon Sep 17 00:00:00 2001 
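Review bot: The BlockStyle override in the third hunk accepts any positive registry value (`If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) > 0 Then intBlockStyle = ...`), but Block and Unblock only build a command when the style equals BLACKHOLE_ROUTE or BLACKHOLE_FIREWALL (1 and 2, visible in PATCH 12/18), so a value of 3 or a typo leaves strRunCommand empty and nothing is ever blocked, silently. Restrict the override to the two known values, e.g. `If intStyle = BLACKHOLE_ROUTE Or intStyle = BLACKHOLE_FIREWALL Then intBlackHoleStyle = intStyle`, and log a warning otherwise; the same unvalidated assignment survives in PATCH 04/18's second hunk, which also corrects the variable name (this hunk assigns intBlockStyle while the debug line it adds reads intBlackHoleStyle). This code runs before the `On Error Goto 0` context line, so under the preceding error handling a non-numeric value presumably does not raise either and should be treated as "unset".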
From: Mike Russo Date: Thu, 30 Mar 2017 15:16:15 -0400 Subject: [PATCH 04/18] Use blackhole IP of 0.0.0.0 as default; tested on 2008R2-2012R2 and prevents communication with blacklisted IP --- ts_block.vbs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ts_block.vbs b/ts_block.vbs index a04d4df..707583d 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -53,6 +53,7 @@ Const DEFAULT_BLOCK_TIMEOUT = 120 ' in X seconds Const REG_BLOCK_TIMEOUT = "BlockTimeout" ' Black hole IP address (if hard-specified) +Const DEFAULT_BLACKHOLE_IP = "0.0.0.0" Const REG_BLACKHOLE_IP = "BlackholeIP" ' Blocking style (may prefer to use routing if Windows Firewall is disabled) @@ -128,14 +129,13 @@ If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_ATTEMPTS)) > 0 Then intBloc intBlockTimeout = DEFAULT_BLOCK_TIMEOUT If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) > 0 Then intBlockTimeout = CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) +blackHoleIPAddress = DEFAULT_BLACKHOLE_IP If objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP) <> "" Then blackHoleIPAddress = regexpSanitizeIP.Replace(objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP), "") -Else - blackHoleIPAddress = "0.0.0.0" End If ' Override block style if set in registry -If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) > 0 Then intBlockStyle = CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) +If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) > 0 Then intBlackHoleStyle = CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_STYLE)) If DEBUGGING Then WScript.Echo "intBlackHoleStyle = " & intBlackHoleStyle On Error Goto 0 From 5ee36529b8c125e7e2d5297b3f816442577e90a3 Mon Sep 17 00:00:00 2001 From: Mike Russo Date: Fri, 31 Mar 2017 11:33:25 -0400 Subject: [PATCH 05/18] Add whitelist registry entry feature --- ts_block.vbs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ts_block.vbs b/ts_block.vbs index 707583d..25d6993 100644 
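Review bot: `blackHoleIPAddress = DEFAULT_BLACKHOLE_IP` now runs unconditionally, so the variable is never empty when the block introduced by the context comment just below (`' Only obtain a blackhole adapter address on versions of Windows where it is required`) executes; if that code keys off an empty value to select an adapter address on Server 2003, as the README's "default algorithm" text in later hunks describes, this hunk silently disables that path and routes to 0.0.0.0 there too. Either apply the default only when the route style is in use on 2008 and later, or extend the comment on DEFAULT_BLACKHOLE_IP to state that the adapter-selection fallback is no longer reachable. The BlockStyle assignment corrected here still accepts values other than 1 and 2 (raised on PATCH 03/18).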
--- a/ts_block.vbs +++ b/ts_block.vbs @@ -20,6 +20,7 @@ Dim objShell, objWMIService, objEventSink, blackHoleIPAddress, regexpSanitizeEve Dim dictIPLastSeenTime, dictIPBadLogons, dictUnblockTime, dictBlockImmediatelyUsers Dim colOperatingSystem, intOSBuild, intBlackholeStyle Dim intBlockDuration, intBlockAttempts, intBlockTimeout +Dim strWhitelist ' =====================( Configuration )===================== @@ -59,6 +60,9 @@ Const REG_BLACKHOLE_IP = "BlackholeIP" ' Blocking style (may prefer to use routing if Windows Firewall is disabled) Const REG_BLOCK_STYLE = "BlockStyle" +' Whitelisted IP addresses +Const REG_WHITELIST = "Whitelist" + ' Usernames that attempted logons for result in immediate blocking Set dictBlockImmediatelyUsers = CreateObject("Scripting.Dictionary") dictBlockImmediatelyUsers.Add "administrator", 1 @@ -129,6 +133,9 @@ If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_ATTEMPTS)) > 0 Then intBloc intBlockTimeout = DEFAULT_BLOCK_TIMEOUT If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) > 0 Then intBlockTimeout = CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) +strWhitelist = "" +If objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST) <> "" Then strWhitelist = objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST) + blackHoleIPAddress = DEFAULT_BLACKHOLE_IP If objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP) <> "" Then blackHoleIPAddress = regexpSanitizeIP.Replace(objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP), "") 
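Review bot: The whitelist is taken from the registry verbatim (`strWhitelist = objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST)`), while the BlackholeIP value read two lines below is passed through regexpSanitizeIP.Replace; since strWhitelist is later matched against attacker addresses, any stray characters or whitespace in the policy value widen what is exempt (PATCH 17/18 later hits exactly this with trailing spaces). Restrict the value here to digits, dots and single spaces, e.g. with a regexp mirroring regexpSanitizeIP, and log the sanitised list so an operator can see what is actually in force. The remaining configuration block is outside this hunk.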
@@ -210,8 +217,10 @@ Sub Block(IP) Dim strRunCommand Dim intRemoveBlockTime + ' don't block if IP is in whitelist (no need to log) + If InStr(strWhitelist,IP) > 0 Then Exit Sub ' Block an IP address (either by black-hole routing it or adding a firewall rule) - If (TESTING <> 1) Then + If (TESTING <> 1) Then If intBlackholeStyle = BLACKHOLE_ROUTE Then strRunCommand = "route add " & IP & " mask 255.255.255.255 " & blackHoleIPAddress If intBlackholeStyle = BLACKHOLE_FIREWALL Then strRunCommand = "netsh advfirewall firewall add rule name=""Blackhole " & IP & """ dir=in protocol=any action=block remoteip=" & IP From 4079af9acbb3b8c39b95f56a82ebf4cc2bf300ec Mon Sep 17 00:00:00 2001 From: Mike Russo Date: Fri, 31 Mar 2017 13:34:43 -0400 Subject: [PATCH 06/18] bug #19: special-case exemption for 0 and 255 --- ts_block.vbs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ts_block.vbs b/ts_block.vbs index 25d6993..568765a 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -217,8 +217,13 @@ Sub Block(IP) Dim strRunCommand Dim intRemoveBlockTime + ' don't block special IPs + If InStr("0.0.0.0",IP) > 0 Then Exit Sub + If InStr("255.255.255.255",IP) > 0 Then Exit Sub + ' don't block if IP is in whitelist (no need to log) If InStr(strWhitelist,IP) > 0 Then Exit Sub + ' Block an IP address (either by black-hole routing it or adding a firewall rule) If (TESTING <> 1) Then If intBlackholeStyle = BLACKHOLE_ROUTE Then strRunCommand = "route add " & IP & " mask 255.255.255.255 " & blackHoleIPAddress From 945c1e8602e9e294af0051b452f4ec68be7a577f Mon Sep 17 00:00:00 2001 From: Mike Russo Date: Thu, 14 Jun 2018 11:18:40 -0400 Subject: [PATCH 07/18] added 127.0.0.1 as a special case IP never to block after observing this occuring - can't be unblocked without a reboot --- ts_block.vbs | 1 + 1 file changed, 1 insertion(+) diff --git a/ts_block.vbs b/ts_block.vbs index 568765a..c9f10de 100644 --- a/ts_block.vbs +++ b/ts_block.vbs 
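Review bot: `If InStr(strWhitelist,IP) > 0 Then Exit Sub` tests whether the attacker's address occurs anywhere inside the whitelist text, so a single entry `192.168.1.100` also exempts `192.168.1.10`, `192.168.1.1` and `2.168.1.10`. Split the value and compare whole tokens, `If Wx = IP Then Exit Sub`, instead of substring-matching (PATCH 08/18 later reverses the InStr arguments but keeps the substring semantics). The whitespace-only change to the `If (TESTING <> 1) Then` line adds noise to the diff. Sub Block continues outside the hunk.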
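Review bot: The special-case checks have their InStr arguments reversed — `InStr("0.0.0.0",IP)` asks whether IP is a substring of the literal, not the other way round — so any address whose text appears inside the literal is exempt: `7.0.0.1` and `27.0.0.1` pass the `InStr("127.0.0.1",IP)` test added in PATCH 07/18, and the blocks rewritten in PATCH 11/18 keep the same order. Exact comparison is what is meant: `If IP = "0.0.0.0" Or IP = "255.255.255.255" Or IP = "127.0.0.1" Then Exit Sub`. Sub Block continues outside the hunk.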
@@ -220,6 +220,7 @@ Sub Block(IP) ' don't block special IPs If InStr("0.0.0.0",IP) > 0 Then Exit Sub If InStr("255.255.255.255",IP) > 0 Then Exit Sub + If InStr("127.0.0.1",IP) > 0 Then Exit Sub ' don't block if IP is in whitelist (no need to log) If InStr(strWhitelist,IP) > 0 Then Exit Sub From fb23c2477ea227d5b35b43fe56a7d6f3be60a8ee Mon Sep 17 00:00:00 2001 From: greatquux Date: Wed, 18 Sep 2019 14:34:37 -0400 Subject: [PATCH 08/18] updates to whitelist and blocking - whitelist will now allow basic subnet matching (ie, including 1.2.3 in the whitelist will match IPs from 1.2.3.1-254) - don't block any of the IPs on the local network cards; I have also observed this can sometimes happen in practice and leads to very strange networking issues! --- ts_block.vbs | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/ts_block.vbs b/ts_block.vbs index c9f10de..873ee2b 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -5,6 +5,7 @@ Option Explicit ' ' Release 20110831 - Adapted from sshd_block release 20100120 ' Release 20120530 - No change from 20110831 code for ts_block script +' Release 20190918 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy ' External executables required to be accessible from PATH: ' @@ -25,7 +26,7 @@ Dim strWhitelist ' =====================( Configuration )===================== ' Set to 0 to disable debugging output -Const DEBUGGING = 0 +Const DEBUGGING = 1 ' default to on (event log space is not a problem these days) ' Set to 0 to disable event log reporting of blocks / unblocks Const USE_EVENTLOG = 1 
@@ -222,8 +223,28 @@ Sub Block(IP) If InStr("255.255.255.255",IP) > 0 Then Exit Sub If InStr("127.0.0.1",IP) > 0 Then Exit Sub - ' don't block if IP is in whitelist (no need to log) - If InStr(strWhitelist,IP) > 0 Then Exit Sub + ' split whitelist by spaces and check if each one is part of IP for wildcard matches + Wi = Split(strWhitelist) + For Each Wx in Wi + If InStr(IP,Wx) > 0 Then Exit Sub + Next + + ' get list of local IP addresses and don't block those either - can cause problems! + strQuery = "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE MACAddress > ''" + + Set objWMIService = GetObject( "winmgmts://./root/CIMV2" ) + Set colItems = objWMIService.ExecQuery( strQuery, "WQL", 48 ) + + For Each objItem In colItems + If IsArray( objItem.IPAddress ) Then + If UBound( objItem.IPAddress ) = 0 Then + strLocalIP = objItem.IPAddress(0) + Else + strLocalIP = Join( objItem.IPAddress, " " ) + End If + End If + Next + If InStr(strLocalIP,IP) > 0 Then Exit Sub ' Block an IP address (either by black-hole routing it or adding a firewall rule) If (TESTING <> 1) Then From 012ca37663e4ea3fdaa0500f49385fafb9dcade0 Mon Sep 17 00:00:00 2001 From: greatquux Date: Wed, 18 Sep 2019 14:43:22 -0400 Subject: [PATCH 09/18] update readme to reflect some changes --- README.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.txt b/README.txt index d6926a4..e13186b 100644 --- a/README.txt +++ b/README.txt @@ -3,6 +3,7 @@ Copyright 2011 Wellbury LLC - See LICENSE for license information Release 20110901 - Adapted from sshd_block release 20100120 Release 20120530 - Added MSI to distribution +Release 20190918 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy For support, please contact Evan Anderson at Wellbury LLC EAnderson@wellbury.com, (866) 569-9799, ext 801 
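Review bot: The adapter loop keeps only the last adapter's addresses: `strLocalIP = objItem.IPAddress(0)` and `strLocalIP = Join( objItem.IPAddress, " " )` overwrite the variable on every iteration, so on a multi-homed host the addresses of every adapter but the last enumerated one can still be blocked, which is the outcome this commit sets out to prevent. The whitelist test is also unanchored — `InStr(IP,Wx)` lets an entry `10.` exempt `110.5.6.7` or `192.168.10.5`, wider than the "start with" semantics the README hunk in PATCH 09/18 promises — and the local-IP check has the same substring weakness. The rewrite below accumulates all adapter addresses, matches whitelist entries as whole addresses or leading prefixes (so prefix entries should end with a dot), and matches local addresses as whole tokens; the WMI query itself could further be run once at startup rather than on every Block call. Wi, Wx and the WMI objects are only declared in PATCH 13/18; Sub Block continues outside the hunk.
```vbscript
	' split whitelist by spaces; an entry matches only as the whole address or as a leading prefix
	Wi = Split(strWhitelist)
	For Each Wx in Wi
		If Len(Wx) > 0 Then
			If Wx = IP Or Left(IP, Len(Wx)) = Wx Then Exit Sub
		End If
	Next

	' … unchanged: WMI query setup …

	strLocalIP = ""
	For Each objItem In colItems
		If IsArray( objItem.IPAddress ) Then
			' accumulate every adapter's addresses instead of keeping only the last one
			strLocalIP = strLocalIP & " " & Join( objItem.IPAddress, " " ) & " "
		End If
	Next
	If InStr(strLocalIP, " " & IP & " ") > 0 Then Exit Sub
```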
@@ -57,6 +58,11 @@ to create inbound firewall rules blocking traffic from the blocked host. On these operating systems no special configuration of the registry or network adapters is necessary. +NOTE: If you don't wish to use Advanced Firewall you can set the registry +entry BlockStyle to 1 to force the use of black-hole routing. I have determined +that (on Windows Server 2008 and above at least) using the special IP +0.0.0.0 will work and you can ignore the below advice. + Because Windows Server 2003 lacks sufficient features in its built-in firewall functionality a black-hole host route is used. Unfortunately, the "trick" commonly used on Linux to black-hole traffic with a route to @@ -120,6 +126,10 @@ address of a network interface with no default gateway specified will be used. This setting is not used in Windows Server 2008 and later versions of Windows. +Parameter: BlockStyle +Type: REG_SZ +Explanation: Forces the use of black-hole routing on Windows 2008 and above. + A Group Policy Administrative Template (ADM) file is included with this distribution that is capable of setting these values. Deploying a GPO near the top of the domain with the BlockAttempts, BlockDuration, and From 05e0276097585ab42a7234708cffa7c74109da08 Mon Sep 17 00:00:00 2001 From: greatquux Date: Tue, 24 Sep 2019 14:48:58 -0400 Subject: [PATCH 10/18] print whitelist at startup --- ts_block.vbs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ts_block.vbs b/ts_block.vbs index 873ee2b..8e505ff 100644 --- a/ts_block.vbs +++ b/ts_block.vbs 
@@ -161,7 +161,8 @@ If DEBUGGING Then LogEvent EVENTLOG_ID_STARTED, EVENTLOG_TYPE_INFORMATION, "Bloc If DEBUGGING Then LogEvent EVENTLOG_ID_STARTED, EVENTLOG_TYPE_INFORMATION, "Block Attempts: " & intBlockAttempts If DEBUGGING Then LogEvent EVENTLOG_ID_STARTED, EVENTLOG_TYPE_INFORMATION, "Block Timeout: " & intBlockTimeout If DEBUGGING Then LogEvent EVENTLOG_ID_STARTED, EVENTLOG_TYPE_INFORMATION, "Blackhole IP: " & blackHoleIPAddress - +If DEBUGGING Then LogEvent EVENTLOG_ID_STARTED, EVENTLOG_TYPE_INFORMATION, "Whitelist: " & strWhitelist + ' Create event sink to catch security events Set objEventSink = WScript.CreateObject("WbemScripting.SWbemSink", "eventSink_") objWMIService.ExecNotificationQueryAsync objEventSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventType = 5 AND (TargetInstance.EventIdentifier = 529 OR TargetInstance.EventIdentifier = 4625) AND (TargetInstance.SourceName = 'Security' OR TargetInstance.SourceName = 'Microsoft-Windows-Security-Auditing')" From 5470e24f8c99f8f0ab0208f259b00544dda93b65 Mon Sep 17 00:00:00 2001 From: greatquux Date: Tue, 24 Sep 2019 16:33:33 -0400 Subject: [PATCH 11/18] additional logging add logging when not blocking system, whitelisted, or NIC IPs --- ts_block.vbs | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/ts_block.vbs b/ts_block.vbs index 8e505ff..b8e350c 100644 --- a/ts_block.vbs +++ b/ts_block.vbs 
@@ -220,14 +220,26 @@ Sub Block(IP) Dim intRemoveBlockTime ' don't block special IPs - If InStr("0.0.0.0",IP) > 0 Then Exit Sub - If InStr("255.255.255.255",IP) > 0 Then Exit Sub - If InStr("127.0.0.1",IP) > 0 Then Exit Sub + If InStr("0.0.0.0",IP) > 0 Then + LogEvent 258, EVENTLOG_TYPE_INFORMATION, "Skipped " & IP & " because it is a special system IP." + Exit Sub + End If + If InStr("255.255.255.255",IP) > 0 Then + LogEvent 258, EVENTLOG_TYPE_INFORMATION, "Skipped " & IP & " because it is a special system IP." + Exit Sub + End If + If InStr("127.0.0.1",IP) > 0 Then + LogEvent 258, EVENTLOG_TYPE_INFORMATION, "Skipped " & IP & " because it is a special system IP." + Exit Sub + End If ' split whitelist by spaces and check if each one is part of IP for wildcard matches Wi = Split(strWhitelist) For Each Wx in Wi - If InStr(IP,Wx) > 0 Then Exit Sub + If InStr(IP,Wx) > 0 Then + LogEvent 258, EVENTLOG_TYPE_INFORMATION, "Skipped " & IP & " because it is whitelisted." + Exit Sub + End If Next ' get list of local IP addresses and don't block those either - can cause problems! @@ -245,7 +257,10 @@ Sub Block(IP) End If End If Next - If InStr(strLocalIP,IP) > 0 Then Exit Sub + If InStr(strLocalIP,IP) > 0 Then + LogEvent 258, EVENTLOG_TYPE_INFORMATION, "Skipped " & IP & " because it is configured on a network interface." + Exit Sub + End If ' Block an IP address (either by black-hole routing it or adding a firewall rule) If (TESTING <> 1) Then From 53566f5bef06834f96575ab3d18f909f699693db Mon Sep 17 00:00:00 2001 From: greatquux Date: Wed, 25 Sep 2019 08:33:56 -0400 Subject: [PATCH 12/18] update version string --- ts_block.vbs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ts_block.vbs b/ts_block.vbs index b8e350c..042d2af 100644 --- a/ts_block.vbs +++ b/ts_block.vbs 
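Review bot: The event id 258 is hard-coded in five LogEvent calls here while the rest of the script names its ids (EVENTLOG_ID_STARTED and EVENTLOG_ID_ERROR_WIN_XP appear in other hunks); declare `Const EVENTLOG_ID_SKIPPED = 258` beside them and use it, so the id is documented and easy to find for anyone building alerts on this log. The three special-IP branches are identical apart from the literal and could be one `If IP = "0.0.0.0" Or IP = "255.255.255.255" Or IP = "127.0.0.1" Then` block, which would also fix the reversed InStr argument order raised on PATCH 06/18. For the whitelist message, include the matching entry — `"Skipped " & IP & " because it is whitelisted by entry " & Wx` — so an over-broad allowlist entry can be identified from the log alone. Sub Block continues outside the hunk.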
@@ -72,7 +72,7 @@ dictBlockImmediatelyUsers.Add "guest", 1 ' ===================( End Configuration )=================== -Const TS_BLOCK_VERSION = "20110831" +Const TS_BLOCK_VERSION = "20190918" Const BLACKHOLE_ROUTE = 1 ' Blackhole packets via routing table Const BLACKHOLE_FIREWALL = 2 ' Blackhole packets via firewall From 5bcf093eb1f3950003b02b4453498ace44f54562 Mon Sep 17 00:00:00 2001 From: greatquux Date: Thu, 26 Sep 2019 16:27:40 -0400 Subject: [PATCH 13/18] fix undeclared variables in Block due to Option Explicit script wasn't actually working after yesterday's changes --- ts_block.vbs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ts_block.vbs b/ts_block.vbs index 042d2af..5cc4ba4 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -218,6 +218,8 @@ Sub Block(IP) ' Block an IP address and set the time for the block expiration Dim strRunCommand Dim intRemoveBlockTime + Dim Wi,Wx + Dim strQuery,objWMIService,colItems,objItem,strLocalIP ' don't block special IPs If InStr("0.0.0.0",IP) > 0 Then From 539ef46d1bdcee22cd1ba008ee2397c63b49556b Mon Sep 17 00:00:00 2001 From: greatquux Date: Thu, 26 Sep 2019 16:33:36 -0400 Subject: [PATCH 14/18] update version string --- ts_block.vbs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ts_block.vbs b/ts_block.vbs index 5cc4ba4..bb74340 100644 --- a/ts_block.vbs +++ b/ts_block.vbs @@ -5,7 +5,7 @@ Option Explicit ' ' Release 20110831 - Adapted from sshd_block release 20100120 ' Release 20120530 - No change from 20110831 code for ts_block script -' Release 20190918 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy +' Release 20190926 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy ' External executables required to be accessible from PATH: ' 
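Review bot: `Dim strQuery,objWMIService,colItems,objItem,strLocalIP` inside Block shadows the script-level objWMIService that the event sink is registered on (`objWMIService.ExecNotificationQueryAsync`, context in PATCH 10/18); that stops PATCH 08/18's `Set objWMIService = GetObject(...)` from replacing the global, but leaves two variables with one name. Rename the local, e.g. `Dim strQuery,objLocalWMI,colItems,objItem,strLocalIP`, and update its two uses so a reader cannot confuse them. strLocalIP is also never initialised; assign `strLocalIP = ""` before the adapter loop so the later InStr test does not depend on Empty coercion when no adapter reports an address. The body of Block lies outside this hunk.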
@@ -72,7 +72,7 @@ dictBlockImmediatelyUsers.Add "guest", 1 ' ===================( End Configuration )=================== -Const TS_BLOCK_VERSION = "20190918" +Const TS_BLOCK_VERSION = "20190926" Const BLACKHOLE_ROUTE = 1 ' Blackhole packets via routing table Const BLACKHOLE_FIREWALL = 2 ' Blackhole packets via firewall From b3e9e269c6ccccb62d38d7dac365d27513d184c2 Mon Sep 17 00:00:00 2001 From: greatquux Date: Thu, 26 Sep 2019 16:48:36 -0400 Subject: [PATCH 15/18] add options to group policy object add options for new settings --- ts_block.adm | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/ts_block.adm b/ts_block.adm index eb582f9..7ba2da7 100644 --- a/ts_block.adm +++ b/ts_block.adm 
@@ -35,7 +35,21 @@ CATEGORY "Wellbury LLC" PART "Black-hole IP address" EDITTEXT REQUIRED VALUENAME "BlackholeIP" END PART ; "Block timeout" - EXPLAIN "The IP address used for the black-hole route (for Windows Server 2003). If not specified the default algorithm of selecting the IP address of a network interface with no default gateway specified will be used. This setting is not used in Windows Server 2008 and later versions of Windows." + EXPLAIN "The IP address used for the black-hole route (for Windows Server 2003, or if specified as the BlockStyle. If not specified, the hardcoded value of 0.0.0.0 will be used (remove this to switch back to the default algorithm of selecting the IP address of a network interface with no default gateway specified will be used. This setting is not used in Windows Server 2008 and later versions of Windows UNLESS the BlockStyle is also set." + END POLICY + + POLICY "Block Style" + PART "Block Style" NUMERIC REQUIRED + VALUENAME "BlockStyle" + END PART + EXPLAIN "This setting allows you to manually choose to use black-hole routing on Windows Server 2008 and above, rather than the Windows Firewall (which must be enabled if you want to use it.) Set this value to 1 to use blackhole routing, or 2 to use the Windows Firewall (or simply leave it unset to use the routing method on Windows Server 2003 and the firewall method on Windows Server 2008 and above." + END POLICY + + POLICY "Whitelist" + PART "Whitelist" EDITTEXT REQUIRED + VALUENAME "Whitelist" + END PART + EXPLAIN "This setting allows you to specify a space-separated list of IPs or network prefixes which will never be blocked. For instance, the value '1.2.3.4 192.168.3. 10.' will never block requests from IP 1.2.3.4, or and IPs where the first digits match 192.168.3., or any IPs that start with 10." END POLICY END CATEGORY ; "ts_block" From ef98232a6d2ec962305542f3c2c391a239bb74b7 Mon Sep 17 00:00:00 2001 
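Review bot: The BlockStyle part is declared `NUMERIC`, which writes a REG_DWORD, while the README hunk in PATCH 09/18 documents the parameter as REG_SZ; the script's `CInt(objShell.RegRead(...))` will read either, but the two documents should agree on one type. The BlackholeIP EXPLAIN text has two unclosed parentheses and contradicts itself ("If not specified, the hardcoded value of 0.0.0.0 will be used" versus "remove this to switch back to the default algorithm"), since PATCH 04/18 makes 0.0.0.0 the default whenever the value is absent. The Whitelist EXPLAIN promises "start with" semantics, but the matching in PATCH 08/18 is an unanchored substring test, so either that code or this text needs to change.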
From: greatquux Date: Thu, 26 Sep 2019 16:51:03 -0400 Subject: [PATCH 16/18] update readme --- README.txt | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.txt b/README.txt index e13186b..d19f86c 100644 --- a/README.txt +++ b/README.txt @@ -3,7 +3,7 @@ Copyright 2011 Wellbury LLC - See LICENSE for license information Release 20110901 - Adapted from sshd_block release 20100120 Release 20120530 - Added MSI to distribution -Release 20190918 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy +Release 20190926 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy For support, please contact Evan Anderson at Wellbury LLC EAnderson@wellbury.com, (866) 569-9799, ext 801 @@ -130,6 +130,12 @@ Parameter: BlockStyle Type: REG_SZ Explanation: Forces the use of black-hole routing on Windows 2008 and above. +Parameter: Whitelist +Type: REG_SZ +Explanation: A space-separated list of IPs or networks that will not be blocked. +For example, a value of '192.168.3. 172.16.55.4' will not block any IPs that +start with 192.168.3. or the specific IP 172.16.55.4. + A Group Policy Administrative Template (ADM) file is included with this distribution that is capable of setting these values. Deploying a GPO near the top of the domain with the BlockAttempts, BlockDuration, and From a3a6a3e1f65c6da69e346baca8b0345cbc7d99fc Mon Sep 17 00:00:00 2001 From: greatquux Date: Wed, 24 Nov 2021 08:50:17 -0500 Subject: [PATCH 17/18] Update ts_block.vbs Add Trim() when reading the whitelist, if there is trailing whitespace it will cause all IPs to get whitelisted! --- ts_block.vbs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ts_block.vbs b/ts_block.vbs index bb74340..3aed1ee 100644 --- a/ts_block.vbs +++ b/ts_block.vbs 
@@ -6,6 +6,7 @@ Option Explicit ' Release 20110831 - Adapted from sshd_block release 20100120 ' Release 20120530 - No change from 20110831 code for ts_block script ' Release 20190926 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy +' Release 20211124 - bugfix: always Trim() whitelist from registry as trailing space screws it up ' External executables required to be accessible from PATH: ' @@ -135,7 +136,7 @@ intBlockTimeout = DEFAULT_BLOCK_TIMEOUT If CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) > 0 Then intBlockTimeout = CInt(objShell.RegRead(REG_CONFIG_PATH & REG_BLOCK_TIMEOUT)) strWhitelist = "" -If objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST) <> "" Then strWhitelist = objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST) +If objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST) <> "" Then strWhitelist = Trim(objShell.RegRead(REG_CONFIG_PATH & REG_WHITELIST)) blackHoleIPAddress = DEFAULT_BLACKHOLE_IP If objShell.RegRead(REG_CONFIG_PATH & REG_BLACKHOLE_IP) <> "" Then From 560136521e4c70f08ad3e8d29e4e9d51e01a126c Mon Sep 17 00:00:00 2001 From: greatquux Date: Wed, 24 Nov 2021 08:51:55 -0500 Subject: [PATCH 18/18] Update README.txt --- README.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/README.txt b/README.txt index d19f86c..024fe1f 100644 --- a/README.txt +++ b/README.txt @@ -4,6 +4,7 @@ Copyright 2011 Wellbury LLC - See LICENSE for license information Release 20110901 - Adapted from sshd_block release 20100120 Release 20120530 - Added MSI to distribution Release 20190926 - forked from Evan's version; wildcard whitelist, use black-hole routing by policy +Release 20211124 - bugfix: always Trim() whitelist from registry as trailing space screws it up For support, please contact Evan Anderson at Wellbury LLC EAnderson@wellbury.com, (866) 569-9799, ext 801
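Review bot: Trim() removes only leading and trailing whitespace, so two consecutive spaces inside the Whitelist value still yield an empty token from Split in Block, and `InStr(IP, "")` returns 1, which exempts every address — the same fail-open this commit fixes for trailing space. Guard the loop in Block (outside this hunk) with `If Len(Wx) > 0 Then` before the InStr test, or collapse repeated spaces here before assigning strWhitelist. Logging a warning when the whitelist contains an empty token would make a misconfigured policy visible instead of silently disabling blocking.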