Added PS script to block SQL hacker IP's

2023-04-17 21:41:53 -04:00 · 2023-04-17 21:41:53 -04:00 · 7d0877fb20
commit 7d0877fb20
parent 96e75c63b3
1 changed files with 47 additions and 0 deletions
--- a/BlockHacker.ps1
+++ b/BlockHacker.ps1
@ -0,0 +1,47 @@
+<#
+Use this script to scan the SQL error log for failed logins and 
+automatically add them to the Windows firewall.
+#>
+
+#Use REGEX to create the patternfor IP addresses
+$ipPattern = [Regex]::new("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
+
+#Create a variable to hold the IP addresses that we DO NOT want added to the firewall rule
+$own_IPs = [Regex]::new("(127\.0\.0\.1|198\.23\.255\.226|198\.23\.255\.227|198\.23\.255\.228|198\.23\.255\.229|73\.117\.147\.[0-9]{1,3})")
+
+#Search the SQL error log for entries with an IP address (IP's are logged when there is a login failure)
+$result = gc "C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG" | Select-String ${ipPattern} | Select-String -notmatch $own_IPs
+
+#Output all of the IP's found to a text file
+$result.Matches.value | Out-File ips.txt
+
+#Open the output text file, sort the list and get rid of duplicate IP's, saving the file list to a new file
+Get-Content ips.txt | Sort-Object | Get-Unique -AsString | Out-File unique_ips.txt
+
+#Loop through the list of unique IP's and update the firewall rulle
+$ips = @()
+foreach ($ip in Get-Content unique_ips.txt) {
+	Try
+	{
+		if ((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
+			# debug:
+			# Write-Host "IP ${ip} already blocked"
+			continue
+		}
+		else {
+			$ips += $ip
+		}
+	}
+	Catch
+	{
+		
+	}
+	Finally
+	{
+	}
+}
+
+if($ips.length -gt 0)
+{
+	Set-NetFirewallRule -DisplayName "IP Block SQL Server" -RemoteAddress $ips
+}