Full Version: Super Tips - Free Windows Server Firewall with Brute Force
The Planet Forums > Security > General Security > Windows Security
claudioszykman
My VBS interactive Windows Free Firewall
(Scripts for ipsec/windows 2003 server family and brute force intrusion detection)
USE AT YOUR OWN RISK!

*I am editing this post to make it a bit simpler

Hi

If you don't have money for a complete server firewall solution, this can be useful. It is better than nothing, and I would say it is a good server solution, as you
can see the source code and know exactly what is going on

PART I - configuring the firewall policies (open some ports, deny all the others)

I am supplying the template I use with the Helm control panel; you can adjust it to other control panels. It is called APS

It comes disabled by default, so there is no need to be afraid of being locked out of your box... the scripts are also there to avoid broken lines, etc

download it from here http://www.multhost.com/firewall.zip

if you want to back up yours and also learn more before double-clicking firewall.reg (located inside firewall.zip)

try following this http://www.analogx.com/contents/articles/ipsec.htm


Obviously you'll also have to know something about the IPsec policies (located at Administrative Tools - Local Security Settings)

For the Helm control panel I opened port 8086; if you run webmail, AWStats, MySQL, or SQL Server *under a port other than 1433, you need to customize this to fit your needs. I also changed telnet to deny, Windows Network to deny, etc...

browse through their options and analyse how it works before activating it (assigning the policy)


Now the Passive Transfer improvement

You can now define a very specific port range for your server (the link below is working):

http://support.microsoft.com/kb/555022

following the URL above, use the command there to configure ports 5500 - 5700 for passive transfer only

the template I posted above will open these ports only for passive transfer


detail: the APS-ALL TCP TRAFFIC DENY FILTER works under Connection Type; instead of using All Network Connections it uses Remote Access only, and this way passive transfer works. Also note that the filter action is Deny.

check that OPT (open passive transfer) comes prepared to use ports 5500-5700 only



PART II - final IPsec tweaks and brute force detection based on the event log and MSFTP log files:

At Administrative Tools - Local Security Settings, double-click Local Policies and then Audit Policy

make sure to have Failure enabled in all of them (because we need to log attempts that are brute force intrusions)


Finally the scripts

Script A watches the Event Log every 5 minutes and immediately denies in case of 5 wrong passwords (you can adjust it to 10 minutes if you want). The X10 error means a "remote desktop" terminal service wrong attempt, so it is really an issue.

Script B is based on LogParser (it needs LogParser 2.2) and works by watching the MSFTP logs every 5 minutes, searching for 10 wrong attempts, and immediately denying the IPs. It will work even for anonymous connections, which by default aren't logged in Microsoft's event log.

http://www.logparser.com

Scripts A and B are now both inside firewall.zip

After this, if you feel comfortable, you can enable APS - Analog Public Server Policy and you are ready to go!

It can be used together with the SP2 WINDOWS FIREWALL, which is a good idea as another layer of protection.

have fun : )

Claudio Szykman
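The Part I policy described in the post above, as an added example that is not the firewall.reg template from firewall.zip: the same "deny all TCP, permit listed ports" layout built with `netsh ipsec static` on Windows Server 2003, created unassigned so nothing changes until it has been reviewed, followed by the KB555022 passive-range setting for the IIS FTP service. Every policy, filter-list, filter-action and rule name, the port list, the adsutil.vbs path (the IIS default) and the use of `conntype=all` for the deny rule are this example's own assumptions, not the layout inside the post's template.

```powershell
# Added example (not the firewall.reg template from the post): build a
# "deny all TCP, permit listed ports" IPsec policy with netsh on Windows
# Server 2003 and leave it UNASSIGNED until you have reviewed it. Every
# policy, filter-list, action and rule name here is this example's own choice.
$policy     = 'APS-Example'
$permitList = "${policy}-Permit"
$denyList   = "${policy}-DenyTcp"

# Inbound TCP services accepted from any source. 8086 is the Helm port named
# in the post; add webmail, AWStats, MySQL or SQL Server ports as you need.
# 3389 stays open so you cannot lock yourself out; Script A covers brute force on it.
$inboundTcp = @{ 'HTTP' = 80; 'HTTPS' = 443; 'FTP-Control' = 21; 'RDP' = 3389; 'Helm' = 8086 }

# FTP passive data range (KB555022). An IPsec filter takes one port, not a
# range, so the loop below adds 201 filters; expect it to take a minute.
$passiveFrom = 5500
$passiveTo   = 5700

# Outbound TCP connections the server itself must be able to open. IPsec
# filtering is stateless, so a mirrored permit is what lets the replies back in.
$outboundTcp = @{ 'DNS' = 53; 'HTTP' = 80; 'HTTPS' = 443; 'SMTP' = 25 }

function Invoke-Ipsec {
    # Echo and run one "netsh ipsec static" command so the policy can be audited.
    param([string[]]$NetshArgs)
    Write-Host ('netsh ipsec static ' + ($NetshArgs -join ' '))
    $out = & netsh ipsec static @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $out" }
}

function Add-InboundFilter {
    param([string]$List, [int]$Port, [string]$Label)
    # any -> me:$Port, mirrored so the server's replies (me:$Port -> any) pass too.
    Invoke-Ipsec @('add', 'filter', "filterlist=$List", 'srcaddr=any', 'dstaddr=me',
                   'protocol=TCP', 'srcport=0', "dstport=$Port", 'mirrored=yes', "description=$Label")
}

# 1. Policy, created but not assigned.
Invoke-Ipsec @('add', 'policy', "name=$policy", 'description=Deny-all-TCP-except-listed-ports', 'assign=no')

# 2. Filter actions.
Invoke-Ipsec @('add', 'filteraction', "name=${policy}-PermitAction", 'action=permit')
Invoke-Ipsec @('add', 'filteraction', "name=${policy}-BlockAction",  'action=block')

# 3. Permit list: inbound services, the passive range, and outbound client traffic.
Invoke-Ipsec @('add', 'filterlist', "name=$permitList")
foreach ($name in $inboundTcp.Keys) { Add-InboundFilter -List $permitList -Port $inboundTcp[$name] -Label $name }
foreach ($port in $passiveFrom..$passiveTo) { Add-InboundFilter -List $permitList -Port $port -Label 'FTP-passive' }
foreach ($name in $outboundTcp.Keys) {
    # me -> any:port. Caveat: the mirror (any:port -> me) also admits packets an
    # attacker deliberately sends FROM that source port, so keep this list short.
    Invoke-Ipsec @('add', 'filter', "filterlist=$permitList", 'srcaddr=me', 'dstaddr=any',
                   'protocol=TCP', 'srcport=0', "dstport=$($outboundTcp[$name])", 'mirrored=yes', "description=out-$name")
}

# 4. Deny list: every other TCP packet. IPsec applies the most specific matching
#    filter, so the port-specific permits above take precedence over this catch-all.
Invoke-Ipsec @('add', 'filterlist', "name=$denyList")
Invoke-Ipsec @('add', 'filter', "filterlist=$denyList", 'srcaddr=any', 'dstaddr=me',
               'protocol=TCP', 'srcport=0', 'dstport=0', 'mirrored=yes', 'description=deny-all-TCP')

# 5. Rules bind list + action inside the policy, on all connection types.
Invoke-Ipsec @('add', 'rule', "name=${policy}-Permit", "policy=$policy", "filterlist=$permitList",
               "filteraction=${policy}-PermitAction", 'conntype=all')
Invoke-Ipsec @('add', 'rule', "name=${policy}-Deny", "policy=$policy", "filterlist=$denyList",
               "filteraction=${policy}-BlockAction", 'conntype=all')

# 6. Make the IIS FTP service hand out the same passive range (KB555022), then restart it.
& cscript //nologo "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs" set /MSFTPSVC/PassivePortRange "${passiveFrom}-${passiveTo}"
Restart-Service -Name MSFTPSVC

# Review, then assign by hand from a console session you are sure stays open:
#   netsh ipsec static show policy name=APS-Example level=verbose
#   netsh ipsec static set policy name=APS-Example assign=yes
```

The deny list here is bound with `conntype=all` rather than the Remote Access connection type the post's template uses; passive transfers still work because each port in 5500-5700 has its own, more specific, permit filter. Only TCP is filtered, as in the post's deny filter, so UDP and ICMP are untouched. Test the assigned policy from a second machine with a plain FTP client in passive mode and with a connection to a port that should be closed before you rely on it.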
Matt2k
This is a terrific post. Thanks!
claudioszykman
I edited this to make it simpler, and some users alerted me that some URLs were not available anymore...

please read it again from the beginning...

tip: you can easily change script A to log 528 (successful attempts instead of 529 wrong ones)
and comment out the netsh instruction so as not to ban this IP; this way you will receive every 5 minutes an email with any IP that logged into the remote desktop...



thanks
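Scripts A and B from Part II, and the follow-up tip above about switching to event 528 and mailing instead of banning, as one added example in PowerShell that is not Script A or Script B from firewall.zip. It is meant to run as a 5-minute scheduled task: failed logons per source address are counted from the Security log (event 529 with Logon Type 10, i.e. Remote Desktop) and from the IIS 6 FTP W3C log (status 530 on PASS, which catches anonymous attempts the event log never sees), and each address over its threshold gets an IPsec block filter. The block-list name, the FTP log directory (the IIS default), the thresholds, the "never ban" address ranges, the mail parameters and the constructed sample log lines (203.0.113.x / 198.51.100.x test addresses) are all this example's own assumptions; `Send-MailMessage` and `Get-EventLog` need PowerShell 2.0.

```powershell
# Added example, not Script A / Script B from firewall.zip: the same logic in
# PowerShell for a 5-minute scheduled task. Failed logons per source address
# are counted from the Security log (event 529, logon type 10 = Remote Desktop)
# and from the IIS 6 FTP W3C log (status 530 on PASS); addresses over the
# threshold get an IPsec block filter. Names, paths, thresholds and the sample
# log lines below are this example's own assumptions.
param(
    [string]$BlockList  = 'APS-Example-Banned',   # filter list already bound to a block action
    [string]$FtpLogDir  = "$env:SystemRoot\System32\LogFiles\MSFTPSVC1",
    [int]$RdpThreshold  = 5,
    [int]$FtpThreshold  = 10,
    [int]$WindowMinutes = 5,
    [int]$RdpEventId    = 529,    # 528 = successful logons (the tip above)
    [switch]$ReportOnly,          # list addresses, add no block filters
    [switch]$SelfTest,            # run the FTP parser on constructed lines only
    [string]$MailTo, [string]$MailFrom, [string]$SmtpServer
)

function Get-RepeatOffenders {
    # Addresses seen at least $Threshold times, skipping ranges you never ban.
    param([string[]]$Addresses, [int]$Threshold)
    $never = '^(127\.|10\.|192\.168\.)'
    $hits = @{}
    foreach ($a in $Addresses) { if ($a -and $a -notmatch $never) { $hits[$a] = 1 + [int]$hits[$a] } }
    @($hits.Keys | Where-Object { $hits[$_] -ge $Threshold } | Sort-Object)
}

function Get-RdpLogonSources {
    # "Source Network Address" of every Logon Type 10 event with the given id
    # written in the last $Minutes minutes.
    param([int]$Minutes, [int]$EventId)
    Get-EventLog -LogName Security -After (Get-Date).AddMinutes(-$Minutes) |
        Where-Object { $_.EventID -eq $EventId -and $_.Message -match 'Logon Type:\s+10\b' } |
        ForEach-Object { if ($_.Message -match 'Source Network Address:\s+(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } }
}

function Get-FtpFailureSources {
    # c-ip of every PASS that ended in 530 (login failed) since $SinceUtc.
    # Column positions come from the #Fields header, so the field order may vary.
    # IIS writes W3C logs with UTC timestamps, hence the UTC window.
    param([string[]]$Lines, [datetime]$SinceUtc)
    $col = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $names = $line.Substring(8).Trim() -split '\s+'
            $col = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $col[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or -not $col.ContainsKey('c-ip')) { continue }
        $f = $line -split '\s+'
        $stamp = [datetime]::ParseExact("$($f[$col['date']]) $($f[$col['time']])", 'yyyy-MM-dd HH:mm:ss', $null)
        if ($stamp -ge $SinceUtc -and $f[$col['cs-method']] -match 'PASS$' -and $f[$col['sc-status']] -eq '530') {
            $f[$col['c-ip']]
        }
    }
}

function Block-Address {
    # One mirrored "anything from $Ip" filter in the block list; the list must
    # already be bound to a block filter action in the assigned policy.
    param([string]$Ip, [string]$List)
    & netsh ipsec static add filter "filterlist=$List" "srcaddr=$Ip" 'dstaddr=me' 'protocol=ANY' `
        'mirrored=yes' "description=autoban-$(Get-Date -Format yyyyMMddHHmm)" | Out-Null
}

if ($SelfTest) {
    # Constructed IIS 6 FTP log lines: 203.0.113.7 fails PASS three times, 198.51.100.2 logs in.
    $sample = @(
        '#Software: Microsoft Internet Information Services 6.0',
        '#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status',
        '2007-05-24 03:12:01 203.0.113.7 admin [1]USER admin 331 0',
        '2007-05-24 03:12:02 203.0.113.7 admin [1]PASS - 530 1326',
        '2007-05-24 03:12:05 203.0.113.7 admin [2]PASS - 530 1326',
        '2007-05-24 03:12:09 203.0.113.7 admin [3]PASS - 530 1326',
        '2007-05-24 03:12:11 198.51.100.2 site1 [4]PASS - 230 0'
    )
    $since = [datetime]::ParseExact('2007-05-24 03:10:00', 'yyyy-MM-dd HH:mm:ss', $null)
    Get-RepeatOffenders -Addresses @(Get-FtpFailureSources -Lines $sample -SinceUtc $since) -Threshold 3
    return
}

$nowUtc   = (Get-Date).ToUniversalTime()
$ftpLog   = Join-Path $FtpLogDir ('ex' + $nowUtc.ToString('yyMMdd') + '.log')   # daily log file name
$ftpLines = @(); if (Test-Path $ftpLog) { $ftpLines = Get-Content $ftpLog }

$rdp  = @(Get-RepeatOffenders -Addresses @(Get-RdpLogonSources -Minutes $WindowMinutes -EventId $RdpEventId) -Threshold $RdpThreshold)
$ftp  = @(Get-RepeatOffenders -Addresses @(Get-FtpFailureSources -Lines $ftpLines -SinceUtc $nowUtc.AddMinutes(-$WindowMinutes)) -Threshold $FtpThreshold)
$hits = @($rdp + $ftp | Sort-Object -Unique)
if ($hits.Count -eq 0) { return }

if (-not $ReportOnly) { foreach ($ip in $hits) { Block-Address -Ip $ip -List $BlockList } }
if ($MailTo) {
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
        -Subject "[$env:COMPUTERNAME] $($hits.Count) address(es) over threshold" -Body ($hits -join "`n")
}
```

Run it with `-SelfTest` first to see the FTP parser pick out the constructed repeat offender; the report-every-login variant from the tip is `-RdpEventId 528 -RdpThreshold 1 -ReportOnly -MailTo you@example.com -MailFrom server@example.com -SmtpServer mail.example.com`. Two things to check on your own box before scheduling it: that the Security log actually contains the "Source Network Address" line for 529 events (it is absent for some logon types and older patch levels, in which case the regex matches nothing and nobody is banned), and that your management addresses are covered by the `$never` pattern, since a mistyped password from your own workstation would otherwise ban you.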
deltaforce
How to make passive FTP work with this? When I enable this firewall, it blocks FTP
Thanks
claudioszykman
QUOTE (deltaforce @ May 24 2007, 12:56 AM)
How to make passive FTP work with this? When I enable this firewall, it blocks FTP
Thanks


hi, in the local security policies under Administrative Tools you should open internal connections on all ports, or on all the ports you limited using this http://support.microsoft.com/kb/555022

the templates I posted already come with these ports ready

if you use this together with the Microsoft firewall, then you can disable both *(Microsoft firewall and IPsec policy) to see if one of them is really in conflict with the FTP passive ports


there is this old http://forums.webhostautomation.com/archiv...hp?t-12381.html post

that has a small script to open the passive transfer ports and also some other explanations

feel free to PM me if you need more help with this

claudio