Fail2Ban

0.0.6

Module/WindowsEvent-FailedLogon/Main.ps1

                                function Use-WEFL () {

    Param(

        $ConfigModule,

        $ConfigSystem

    )                  

    # ++++++++++++++++++++++++

    # Internal Function

    function Get-F2BMatch(){

        Param(

            [Parameter(Mandatory=$true)]

            [String]$Pattern,

            [Parameter(Mandatory=$true)]

            [String]$Data

        )

        $Content = $Data | Select-String -pattern $Pattern -AllMatches | select -ExpandProperty matches | select -ExpandProperty value

        if($content.Count -eq 2) {

            $Match = $content[1]

        } else {

            $Match =  $content

        }

        $Match = (($Match -split ":")[1]) -replace "\s+",""

        return $Match

    }

    # ++++++++++++++++++++++++

    # Get Windows Event

    $AfterDate = (Get-Date).AddSeconds("-$($ConfigModule.Wefl_MaxAttemptTime)")

    $events = Get-WinEvent -FilterHashtable @{ProviderName= "Microsoft-Windows-Security-Auditing"; LogName = "security"; Id = "4625"; StartTime = [datetime]$AfterDate}

    # ++++++++++++++++++++++++

    # Format Events

    $ReturnObj =@()

    Foreach($i in $events) {

        # LogonType

        $LogonID = Get-F2BMatch -Pattern "Logon Type:\s+\w+" -Data $i.message

        switch($LogonID) {

            2 { $logontype = "Interactive" }

            3 { $logontype = "Network" }

            7 { $logontype = "Computer Unlocked"}

        }

        $Obj = [PSCustomObject] @{

            Id = $i.RecordId

            Username = Get-F2BMatch -Pattern "account name:\s+\w+" -Data $i.message

            Date = $i.TimeCreated

            IP = Get-F2BMatch -Pattern "Source Network Address:\s+\d{1,3}(\.\d{1,3}){3}" -Data $i.message

            LogonType = $logontype

        }

        $ReturnObj += $Obj

    }

    # ++++++++++++++++++++++++

    # Blocking address

    $IpGroup = $ReturnObj | group IP

    Foreach($Group in $IpGroup) {

        if($Group.Count -ge $ConfigModule.Wefl_MaxAttemptCount){

            if((Test-F2BRegistryIP -IP $Group.Name -Type Black) -eq $false) {

                Add-F2BAddress -IP $Group.Name -Type Black | out-null

                Write-F2BConsole -Type Information -Message "+ Blocking address $($Group.Name)"

            }

        }

    }

    # ++++++++++++++++++++++++

    # Unblocking address

    $BlockedAddress = Get-F2BRegistryIP -Type Black

    foreach ($item in $BlockedAddress.GetEnumerator()) {

        if($item.Value -ne 'Unlimited') {

            if((([DateTime]$item.Value).AddSeconds($ConfigModule.Wefl_BanTime)) -le (get-date)) {

                Remove-F2BAddress -IP $item.Key -Type Black | out-null

                Write-F2BConsole -Type Information -Message "+ Unblocking address $($item.Key)"

            }

        }

    }

    # ++++++++++++++++++++++++

    # Stats

    #if($ConfigModule.Wefl_Stats -eq "1"){

    # 

    #}    

}