PowerShell 实现 RDP 远程桌面防火墙Fail2ban

每 60 秒检测 ID4625 日志攻击 IP ，超过 3 次失败，添加到系统防火墙中禁止访问。并实现白名单、控制台输出登录失败 IP 及登录成功 IP
# PowerShell 脚本 - 每分钟检查 RDP 登录失败，并将失败超过 3 次的 IP 阻止
Write-Host -ForegroundColor Green "========================================================================"
Write-Host -ForegroundColor Cyan "  RDP login failure monitoring script has been started"
"  This script checks for RDP login failures every minute and blocks IP that have failed more than 3 times."
Write-Host -ForegroundColor Green "========================================================================"

# 配置变量
$ErrorActionPreference = "SilentlyContinue"
$LogName = "Security"
$EventID = 4625,4624 # Windows 安全事件 ID
$TimeSleepSeconds = 60
$FailedAttempsLimit = 3
$WhiteListIPs = @("127.0.0.1", "172.16.0.110")
$FirewallRuleName = "BlockedRDPAttempt_IPs"
$newBlockIPs = @()
$FailedIPs = @{}
# 初始化首次查询间隔
$startTime = (Get-Date).Add(-(New-TimeSpan -Hours 1))
$endTime = Get-Date

# 创建一个无限循环，每分钟运行一次
while ($true) {
    # 计算时间间隔
    $TimeSpan = $endTime - $startTime
    $startTime = Get-Date

    $Events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        ID        = $EventID
        StartTime = (Get-Date).Add(-$TimeSpan)
    }
    
    # 解析失败的 IP 地址并计算每个 IP 的失败次数
    foreach ($event in $Events) {
        $IpAddress = $event.Properties[19].Value
        if ((![string]::IsNullOrEmpty($IpAddress)) -and ($IpAddress -ne "-") -and ($IpAddress -ne "0")) {
            $FailedIPs[$IpAddress] = $FailedIPs[$IpAddress] + 1
            Write-Host -ForegroundColor Yellow "$(Get-Date) Detected failed login from: $IpAddress at $($event.TimeCreated)"
        }
    }

    # 打印登录成功的 IP 地址
    foreach ($event in $Events) {
        $SuccessIpAddress = $event.Properties[18].Value
        if ((![string]::IsNullOrEmpty($SuccessIpAddress)) -and ($SuccessIpAddress -ne "-") -and ($SuccessIpAddress -ne "0") -and ($event.Properties[8].Value -eq 3)) {
            Write-Host -ForegroundColor Green "$(Get-Date) Detected successful login from: $SuccessIpAddress at $($event.TimeCreated)"
        }
    }
    

    # 过滤出失败次数达到限制的 IP 并进行处理
    $BlockedIPs = $FailedIPs.Keys | Where-Object { $FailedIPs[$_] -ge $FailedAttempsLimit }
    $BlockedIPs = $BlockedIPs | Where-Object { $_ -notin $WhiteListIPs }
    
    if (Compare-Object -ReferenceObject $BlockedIPs -DifferenceObject $newBlockIPs -PassThru) {
        foreach ($ip in $BlockedIPs) {
            # 检查防火墙规则是否存在
            $ruleExists = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
            
            # 如果规则不存在，则创建一个新规则
            if (-not $ruleExists) {
                New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP -LocalPort 3389
                Write-Host -ForegroundColor Blue "$(Get-Date) Created new Firewall rule for IP: $ip"
            } else {
                # 如果规则已存在，更新规则以添加新 IP
                $existingBlockIPs = (Get-NetFirewallRule -DisplayName $FirewallRuleName | Get-NetFirewallAddressFilter).RemoteAddress
                $newBlockIPs = @()
                $newBlockIPs += $existingBlockIPs
                if ($newBlockIPs -notcontains $ip) {
                    $newBlockIPs += $ip
                    Write-Host -ForegroundColor Red "$(Get-Date) Detected IP with multiple RDP failures: $ip"
                }
                Set-NetFirewallRule -DisplayName $FirewallRuleName -RemoteAddress $newBlockIPs
            }
        }
        if (![string]::IsNullOrEmpty($newBlockIPs)) {
            Write-Host -ForegroundColor Red "$(Get-Date) Updated Firewall rule to add IP: $newBlockIPs"
        }
    }
    # 等待 60 秒后继续下一轮循环
    Start-Sleep -Seconds $TimeSleepSeconds

    # 结束时间戳
    $endTime = Get-Date
}