PowerShell 实现 RDP 远程桌面防火墙

最近观察系统日志（事件查看器-Windows 日志-安全-事件 ID4625 ），在互联网默认 3389 端口下，每天暴力破解 RDP 账号的次数大约在 1200 次左右

虽然使用强密码，但是微软一直没有实现基于 IP 的自动封锁功能（ Windows 11 22H2 后微软启用“帐户锁定阈值”，登录失败 10 次后，封锁账号 10 分钟），仍有暴力破解的风险

通过 chatgpt 及优化后，写了个简单的 PowerShell 脚本，每 60 秒检测 ID4625 日志攻击 IP ，超过 3 次失败，添加到系统防火墙中禁止访问。并实现白名单、控制台输出登录失败 IP 及登录成功 IP

# PowerShell 脚本 - 每分钟检查 RDP 登录失败，并将失败超过 3 次的 IP 阻止 Write-Host -ForegroundColor Green "========================================================================" Write-Host -ForegroundColor Cyan " RDP login failure monitoring script has been started" " This script checks for RDP login failures every minute and blocks IP that have failed more than 3 times." Write-Host -ForegroundColor Green "========================================================================" # 配置变量 $ErrorActiOnPreference= "SilentlyContinue" $LogName = "Security" $EventID = 4625,4624 # Windows 安全事件 ID $TimeSleepSecOnds= 60 $FailedAttempsLimit = 3 $WhiteListIPs = @("127.0.0.1", "172.16.0.110") $FirewallRuleName = "BlockedRDPAttempt_IPs" $newBlockIPs = @() $FailedIPs = @{} # 初始化首次查询间隔 $startTime = (Get-Date).Add(-(New-TimeSpan -Hours 1)) $endTime = Get-Date # 创建一个无限循环，每分钟运行一次 while ($true) { # 计算时间间隔 $TimeSpan = $endTime - $startTime $startTime = Get-Date $Events = Get-WinEvent -FilterHashtable @{ LogName = $LogName ID = $EventID StartTime = (Get-Date).Add(-$TimeSpan) } # 解析失败的 IP 地址并计算每个 IP 的失败次数 foreach ($event in $Events) { $IpAddress = $event.Properties[19].Value if ((![string]::IsNullOrEmpty($IpAddress)) -and ($IpAddress -ne "-") -and ($IpAddress -ne "0")) { $FailedIPs[$IpAddress] = $FailedIPs[$IpAddress] + 1 Write-Host -ForegroundColor Yellow "$(Get-Date) Detected failed login from: $IpAddress at $($event.TimeCreated)" } } # 打印登录成功的 IP 地址 foreach ($event in $Events) { $SuccessIpAddress = $event.Properties[18].Value if ((![string]::IsNullOrEmpty($SuccessIpAddress)) -and ($SuccessIpAddress -ne "-") -and ($SuccessIpAddress -ne "0") -and ($event.Properties[8].Value -eq 3)) { Write-Host -ForegroundColor Green "$(Get-Date) Detected successful login from: $SuccessIpAddress at $($event.TimeCreated)" } } # 过滤出失败次数达到限制的 IP 并进行处理 $BlockedIPs = $FailedIPs.Keys | Where-Object { $FailedIPs[$_] -ge $FailedAttempsLimit } $BlockedIPs = $BlockedIPs | Where-Object { $_ -notin $WhiteListIPs } if (Compare-Object -ReferenceObject $BlockedIPs -DifferenceObject $newBlockIPs -PassThru) { foreach ($ip in $BlockedIPs) { # 检查防火墙规则是否存在 $ruleExists = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue # 如果规则不存在，则创建一个新规则 if (-not $ruleExists) { New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP -LocalPort 3389 Write-Host -ForegroundColor Blue "$(Get-Date) Created new Firewall rule for IP: $ip" } else { # 如果规则已存在，更新规则以添加新 IP $existingBlockIPs = (Get-NetFirewallRule -DisplayName $FirewallRuleName | Get-NetFirewallAddressFilter).RemoteAddress $newBlockIPs = @() $newBlockIPs += $existingBlockIPs if ($newBlockIPs -notcontains $ip) { $newBlockIPs += $ip Write-Host -ForegroundColor Red "$(Get-Date) Detected IP with multiple RDP failures: $ip" } Set-NetFirewallRule -DisplayName $FirewallRuleName -RemoteAddress $newBlockIPs } } if (![string]::IsNullOrEmpty($newBlockIPs)) { Write-Host -ForegroundColor Red "$(Get-Date) Updated Firewall rule to add IP: $newBlockIPs" } } # 等待 60 秒后继续下一轮循环 Start-Sleep -Seconds $TimeSleepSeconds # 结束时间戳 $endTime = Get-Date } 

https://github.com/Qetesh/rdpFail2Ban

可从 GitHub 下载，或复制代码到 ps1 文件，使用管理员权限终端运行 ps1 程序

最后希望 RDP 永远不会中毒~