Anyone who has tried running a virtual machine in the cloud knows well that a standard RDP port, if left open, is almost immediately hit by waves of password brute-force attempts from IP addresses all over the world.
āĻāĻ āĻ¨āĻŋāĻŦāĻ¨ā§āĻ§ā§ āĻāĻŽāĻŋ āĻĻā§āĻāĻžāĻŦ āĻāĻŋāĻāĻžāĻŦā§
In Quest InTrust you can configure response actions that run when a rule is triggered. From the log-collecting agent, InTrust receives a message about a failed authentication attempt on a workstation or server. To configure adding new IP addresses to the firewall, you need to copy an existing custom rule for detecting multiple failed authentications and open the copy for editing:
Windows event-log records carry their variable fields as numbered InsertionStrings: the EventData values in their positional order, which is how an InTrust rule refers to them. The text of event 4625 looks like this:
An account failed to log on.
Subject:
Security ID: S-1-5-21-1135140816-2109348461-2107143693-500
Account Name: ALebovsky
Account Domain: LOGISTICS
Logon ID: 0x2a88a
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Paul
Account Domain: LOGISTICS
Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x3f8
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: DCC1
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: seclogo
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
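As an added example (not code from the original article), the following PowerShell parses a 4625 event's XML, numbers its EventData fields the way InTrust's InsertionString references do, and checks whether the Source Network Address is actually worth blocking. The event XML is constructed to match the text quoted above (the same 4625 audit schema field names Windows writes); the function names are mine.

```powershell
# Added example, not code from the original article. It shows how the
# numbered InsertionStrings of event 4625 map onto the named EventData
# fields, and why a response action must sanity-check the Source Network
# Address before acting on it. The XML below is constructed to match the
# event text quoted above.
$SampleEvent4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Computer>DCC1</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1135140816-2109348461-2107143693-500</Data>
    <Data Name="SubjectUserName">ALebovsky</Data>
    <Data Name="SubjectDomainName">LOGISTICS</Data>
    <Data Name="SubjectLogonId">0x2a88a</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Paul</Data>
    <Data Name="TargetDomainName">LOGISTICS</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">seclogo</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">DCC1</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x3f8</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Event4625 {
    # Parses a 4625 event's XML (the shape Get-WinEvent's ToXml() returns)
    # and returns the fields both by name and by 1-based InsertionString position.
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml
    if ([int]$xml.Event.System.EventID -ne 4625) {
        throw "Expected event 4625, got $($xml.Event.System.EventID)"
    }
    $byName     = [ordered]@{}
    $byPosition = @{}      # plain hashtable: integer keys are keys, not indexes
    $pos = 0
    foreach ($data in $xml.Event.EventData.Data) {
        $pos++
        $byName[$data.Name] = $data.'#text'
        $byPosition[$pos]   = $data.'#text'
    }
    [pscustomobject]@{
        TargetUser       = '{0}\{1}' -f $byName['TargetDomainName'], $byName['TargetUserName']
        LogonType        = [int]$byName['LogonType']
        Status           = $byName['Status']
        SourceAddress    = $byName['IpAddress']      # the same value as InsertionString20
        InsertionStrings = $byPosition
    }
}

function Test-BlockableAddress {
    # Only a real remote address deserves a firewall entry. '-' (no address
    # recorded), loopback, the unspecified address and link-local ranges are
    # rejected; blocking ::1 or 127.0.0.1 would hurt the host itself.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $false }
    if ($ip.Equals([System.Net.IPAddress]::Any) -or $ip.Equals([System.Net.IPAddress]::IPv6Any)) { return $false }
    if ($ip.IsIPv6LinkLocal -or $Address.StartsWith('169.254.')) { return $false }
    return $true
}

$ev = ConvertFrom-Event4625 -EventXml $SampleEvent4625
'{0}: logon type {1}, status {2}, source {3}' -f $ev.TargetUser, $ev.LogonType, $ev.Status, $ev.SourceAddress
'InsertionString20 = {0}' -f $ev.InsertionStrings[20]
'Worth blocking: {0}' -f (Test-BlockableAddress $ev.SourceAddress)   # False: ::1 is loopback
```

Real events in the same shape come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }`. Note that the quoted event is a local one (logon type 2 through the `seclogo` secondary-logon process, source `::1`), not an RDP attempt from the network; a response action that blocked that address would be blocking the machine's own loopback.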
In addition, we add the Source Network Address value to the event text; this is the value the response script will receive as its parameter.
Then you need to add a script that will block that IP address in Windows Firewall. Below is an example that can be used for this. Keep in mind that the value can also be `-` (no address recorded) or a loopback address such as `::1`, as in the event quoted above, so a response script should check what it was handed before blocking anything.
Script for setting up the firewall rule:
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]
    $SourceAddress   # passed by InTrust from the event's Source Network Address
)
$SourceAddress = $SourceAddress.Trim()
$ErrorActionPreference = 'Stop'
$ruleName = 'Quest-InTrust-Block-Failed-Logons'
$ruleDisplayName = 'Quest InTrust: Blocks IP addresses from failed logons'

# Addresses already blocked by the rule (nothing if the rule does not exist yet)
function Get-BlockedIps {
    (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue | Get-NetFirewallAddressFilter).RemoteAddress
}

$blockedIps = Get-BlockedIps
# Merge the new address into the existing list; drop empty entries (first run,
# when there is no rule yet) and duplicates
$allIps = @($SourceAddress) + @($blockedIps) | Where-Object { $_ } | Select-Object -Unique | Sort-Object

if (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue) {
    # Rule exists: replace its remote address list with the merged one
    Set-NetFirewallRule -Name $ruleName -RemoteAddress $allIps
} else {
    # First address: create an inbound block rule for it
    New-NetFirewallRule -Name $ruleName -DisplayName $ruleDisplayName -Direction Inbound -Action Block -RemoteAddress $allIps
}
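The script above does what the article needs, but run unattended it will block whatever string it is handed. The following is an added, hardened variant (mine, not the article's or Quest's code): it refuses values that are not routable remote addresses, honours an allow list so that an administrator who mistypes a password from the management network cannot lock the whole team out, supports -WhatIf, and writes one audit line per block so entries can be reviewed and reverted. The allow-list CIDRs, the extra parameter names and the log path are assumptions.

```powershell
# Added, hardened variant of the response script; not the article's code.
# Assumed values: the allow-list CIDRs, the extra parameters and the log path.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$SourceAddress,

    # Networks that must never be blocked (management subnet, the InTrust
    # server, VPN pools). Assumed values; change them for your environment.
    [string[]]$AllowList = @('10.0.0.0/8', '192.168.0.0/16'),

    [string]$RuleName = 'Quest-InTrust-Block-Failed-Logons',
    [string]$RuleDisplayName = 'Quest InTrust: Blocks IP addresses from failed logons',

    # Assumed audit log location, one line per block.
    [string]$AuditLog = "$env:ProgramData\InTrust-BlockedAddresses.log"
)
$ErrorActionPreference = 'Stop'
$SourceAddress = $SourceAddress.Trim()

function Test-InCidr {
    # True when $Ip lies inside $Cidr (e.g. '10.0.0.0/8'); works for IPv4 and IPv6.
    param([System.Net.IPAddress]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $netIp = [System.Net.IPAddress]::Parse($net)
    if ($Ip.AddressFamily -ne $netIp.AddressFamily) { return $false }
    $a = $Ip.GetAddressBytes(); $b = $netIp.GetAddressBytes()
    $fullBytes = [int]$bits -shr 3
    for ($i = 0; $i -lt $fullBytes; $i++) { if ($a[$i] -ne $b[$i]) { return $false } }
    $restBits = [int]$bits -band 7
    if ($restBits -eq 0) { return $true }
    $mask = (0xFF -shl (8 - $restBits)) -band 0xFF
    return (($a[$fullBytes] -band $mask) -eq ($b[$fullBytes] -band $mask))
}

function Test-ShouldBlock {
    # Refuse anything that is not a routable remote address: '-' (no address
    # recorded), loopback (::1 as in the sample event), link-local, allow-listed.
    param([string]$Address, [string[]]$AllowList)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ([System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal) { return $false }
    foreach ($cidr in $AllowList) { if (Test-InCidr -Ip $ip -Cidr $cidr) { return $false } }
    return $true
}

function Merge-BlockList {
    # Combines the rule's current RemoteAddress list with the new address,
    # dropping empties (a rule that does not exist yet has none), the 'Any'
    # placeholder and duplicates. Pure, so it can be tested without a firewall.
    param([string[]]$Existing, [string]$New)
    @($Existing) + @($New) | Where-Object { $_ -and $_ -ne 'Any' } | Select-Object -Unique | Sort-Object
}

if (-not (Test-ShouldBlock -Address $SourceAddress -AllowList $AllowList)) {
    Write-Warning "Not blocking '$SourceAddress': unparseable, local or allow-listed"
    return
}

$rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
$existing = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { @() }
$all = @(Merge-BlockList -Existing $existing -New $SourceAddress)

if ($PSCmdlet.ShouldProcess($RuleName, "block $SourceAddress ($($all.Count) addresses in total)")) {
    if ($rule) {
        Set-NetFirewallRule -Name $RuleName -RemoteAddress $all
    } else {
        New-NetFirewallRule -Name $RuleName -DisplayName $RuleDisplayName `
            -Direction Inbound -Action Block -RemoteAddress $all | Out-Null
    }
    '{0:o} blocked {1}; rule now lists {2} addresses' -f (Get-Date), $SourceAddress, $all.Count |
        Add-Content -Path $AuditLog
}
```

Run it once by hand with `-WhatIf` and a known address to confirm the rule name and the allow list before wiring it into InTrust. The rule only ever grows (the article reports 66 addresses after one week), so plan for pruning: the audit log gives you the timestamps, and `Set-NetFirewallRule -RemoteAddress` with a trimmed list removes entries the same way they were added.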
Now you can change the rule's name and description to avoid confusion later.
Now add this script as a response action of the rule, enable the rule, and make sure the rule is also enabled in the real-time monitoring policy. The agent must be allowed to run response scripts, and the script's parameter must be set to the Source Network Address value taken from the event.
After the setup was complete, the number of failed authentications dropped by 80%. Profit? Not quite.
Every now and then there is a small rise again, but it is caused by new attack sources appearing; after that, everything starts to decline again.
In one week of operation, 66 IP addresses were added to the firewall rule.
Below is a table of the 10 most common user names that were used in the authentication attempts.
User name                  Count      Percent
Administrator              1220235    40.78
admin                      672109     22.46
user                       219870     7.35
contoso                    126088     4.21
contoso.com                73048      2.44
Administrator              55319      1.85
server                     39403      1.32
sgazlabdc01.contoso.com    32177      1.08
Administrator              32377      1.08
sgazlabdc01                31259      1.04

(Three rows read "Administrator" here; the source lists them as three distinct variants of the name, a distinction the translation does not preserve.)
Tell us in the comments how you respond to information security threats. Which system do you use, and how convenient is it?
If you are interested in seeing InTrust in action, read our other articles on information security:
Source: www.habr.com