sky96111 2023-11-28 11:13:37 +08:00
PowerShell 脚本 New-NetFirewallRule
yuchenr 2023-11-28 11:20:45 +08:00
Set-NetFirewallAddressFilter 和 Set-NetFirewallAddressFilter
yuchenr 2023-11-28 11:21:54 +08:00
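# Block source addresses that produced repeated failed logons (Security event 4625)
# in the last five minutes by adding them to the inbound block rule "BlockIPs".
# Windows only; needs elevation (Get-WinEvent on the Security log, NetSecurity cmdlets).
$startTime = Get-Date
$startTimeStr = $startTime.AddMinutes(-5).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.FFFZ")
$failedAttemptsThreshold = 3

# The only value interpolated into the XPath is the timestamp, which comes from
# Get-Date rather than from log contents, so event data cannot alter the query.
$Query = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625) and TimeCreated[@SystemTime>='$startTimeStr']]]</Select>
  </Query>
</QueryList>
"@

# Return the source-address property of every matching 4625 event.
#   -query     : FilterXml query to run against the event log
#   -maxEvents : upper bound on events fetched
# Emits nothing (after a console message) when no events match.
function Get-IPAddresses {
    param (
        [xml]$query,
        [int]$maxEvents
    )
    # Get-WinEvent reports "no events found" as a non-terminating error;
    # silence it and let the empty-result check below handle that case.
    $events = Get-WinEvent -FilterXml $query -MaxEvents $maxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "未获取到任何日志。脚本将退出。"
        return
    }
    # Property index 19 is read as the event's IpAddress; skip records too short to have it.
    $events | ForEach-Object {
        if ($_.Properties.Count -gt 19) { $_.Properties[19].Value }
    }
}

# Query the log once and derive both lists from the same result (the original ran
# the identical query twice).
$allIPs = @(Get-IPAddresses -query $Query -maxEvents 100)

$failedIPs = $allIPs |
    Group-Object |
    Where-Object { $_.Count -gt $failedAttemptsThreshold } |
    Select-Object -ExpandProperty Name -Unique
$uniqueIPs = $allIPs | Select-Object -Unique

# Never block RFC 1918 ranges, loopback, or the "-" placeholder that 4625 records
# carry when the logon had no network source.
$filteredFailedIPs = $failedIPs | Where-Object {
    $_ -ne '-' -and
    $_ -ne '::1' -and
    $_ -notmatch '^127\.' -and
    $_ -notmatch '^192\.168\.' -and
    $_ -notmatch '^10\.' -and
    $_ -notmatch '^172\.(1[6-9]|2[0-9]|3[0-1])\.'
}

# Specific addresses that are exempt from blocking.
$specificIPs = @("192.168.1.100", "10.0.0.5")
$filteredFailedIPs = $filteredFailedIPs | Where-Object { $_ -notin $specificIPs }

# Keep only values that parse as IP literals: the list is handed straight to the
# firewall cmdlets, so anything else is dropped rather than passed through.
$filteredFailedIPs = @($filteredFailedIPs | Where-Object {
    $parsed = $null
    [System.Net.IPAddress]::TryParse($_, [ref]$parsed)
} | Sort-Object)

$ruleName = "BlockIPs"

# Nothing to block: stop before touching the firewall. The original would have
# passed an empty address list to the firewall cmdlets, whose behaviour on an
# empty list this script should not depend on.
if ($filteredFailedIPs.Count -eq 0) {
    Write-Host "没有需要封禁的 IP 地址。"
    return
}

# Get-NetFirewallRule writes an error when the rule is absent; treat absence as $null.
$existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existingRule) {
    $existingAddressFilters = @(Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $existingRule)
    $existingRemoteAddresses = @($existingAddressFilters | Select-Object -ExpandProperty RemoteAddress)
    # Merge, de-duplicate, and replace the filter's remote address list.
    # NOTE(review): if the existing filter is "Any", merging specific addresses into
    # it is unlikely to be accepted — confirm the rule is only ever created by this script.
    $newRemoteAddresses = @($existingRemoteAddresses + $filteredFailedIPs | Select-Object -Unique)
    $existingAddressFilters | Set-NetFirewallAddressFilter -RemoteAddress $newRemoteAddresses
} else {
    Write-Host "规则 $ruleName 不存在。"
    # NOTE(review): the original also passed -RemoteAddressType "IP"; New-NetFirewallRule
    # has no such parameter as far as I can tell (the type is taken from the address
    # string itself) — confirm on the target host before relying on this.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block -Protocol Any -RemoteAddress $filteredFailedIPs
}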
ShadowPower 2023-11-28 11:23:18 +08:00