I'm regularly under brute force attacks on my Windows Server 2003 with Citrix installed. How can I automatically ban IP addresses that have several unsuccessful login attempts?
This question already has a couple of answers that work on Windows 2008, and that I use successfully in my network (@MichaelKhalili's code). I also found sshd_block here; it also applies to Windows 2003 but is targeted at ssh. Unfortunately I don't have the expertise to adapt it for Terminal Server attempted logins.
Thanks for your help.
I don't have a good exact answer, but I didn't want to leave it as a comment.
You would have to periodically scan the event log and ban the IPs on the fly for Windows Server 2003. I don't see an easy way to do this without having an event-triggered task like in Windows 2008+. If you have a Windows Server 2008 AD box, you could use that to capture the invalid login attempt to the domain and execute a script that prevents a connection from that IP. But you might have to unban that IP after a certain amount of time. And doing that cleanup could be complicated. But you could do this with VBScript or your scripting language of choice.
How about banning all IP ranges from geographic areas outside your user base? Foreign countries, for instance, are a good place to start. It won't fix your problem, but might help quell some of the traffic. Some firewalls have this feature built in. Our Sonicwall does a pretty good job with their "Geo-IP" feature. It is far from perfect, but certainly helps...
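As an added illustration of the periodic event-log scan the answer above describes (this is not code from the question or the answer): a Python sketch of the detection half, which counts logon-failure events per source address inside a sliding window and records each ban together with an unban time, so the cleanup the answer worries about becomes a second query over the same table. The exported line layout and the field names are constructed assumptions, and the firewall call that would act on the result is deliberately left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on an export of Windows 2003 Security-log
# Event ID 529 (logon failure); the exact field layout is an assumption.
SAMPLE_LOG = """\
2012-03-01 10:00:01 529 Logon Failure User=administrator Source Network Address=203.0.113.7
2012-03-01 10:00:03 529 Logon Failure User=admin Source Network Address=203.0.113.7
2012-03-01 10:00:04 529 Logon Failure User=root Source Network Address=203.0.113.7
2012-03-01 10:00:06 529 Logon Failure User=sa Source Network Address=203.0.113.7
2012-03-01 10:00:07 529 Logon Failure User=backup Source Network Address=203.0.113.7
2012-03-01 10:01:00 529 Logon Failure User=jsmith Source Network Address=198.51.100.20
2012-03-01 09:00:00 529 Logon Failure User=jsmith Source Network Address=198.51.100.20
2012-03-01 09:00:05 529 Logon Failure User=jsmith Source Network Address=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+ \S+) 529 .*Source Network Address=(\S+)$")

def parse_failures(text):
    """Return (timestamp, ip) pairs for every Event 529 line in the export."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return out

def ips_to_ban(failures, threshold=5, window=timedelta(minutes=10), ban_for=timedelta(hours=1)):
    """Sliding-window counter: an IP with >= threshold failures inside `window`
    is banned until (time of the triggering failure + ban_for).  Returns
    {ip: unban_time} so the caller can schedule the matching unban.
    A legitimate user who mistypes a password a few times, spread out over
    the day, never crosses the threshold and is left alone."""
    recent = defaultdict(list)
    bans = {}
    for ts, ip in sorted(failures):
        if ip in bans:
            continue  # already banned; further failures do not extend the ban
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            bans[ip] = ts + ban_for
    return bans

def expired_bans(bans, now):
    """IPs whose ban has lapsed at `now` and should be unblocked on this pass."""
    return sorted(ip for ip, until in bans.items() if until <= now)
```

Run on a schedule, each pass would feed the new log lines to `parse_failures`, block whatever `ips_to_ban` returns, and unblock whatever `expired_bans` returns for the current time.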