我整理了这个 powershell 函数,基本上从脚本运行的最后一点($date 变量)从 NPS 日志(特别是拒绝的身份验证尝试)中提取事件,整理出写入日志条目的 IP 和日期并将其添加到数组 ($array) 并将其导出到 CSV 日志。
然后我使用相同的数组 ($array) 对过去一小时的日志进行排序,查看是否存在 10 个或更多日志,并将符合条件的日志移动到新数组 ($getip)。(有点像 fail2ban 设置,但适用于 Windows)
一切正常,除了在函数末尾有一行我正在使用的排序和计数记录,我计数正常,但它实际上不会删除 1 小时后的记录。
有人能发现我遗漏了什么吗?我很感激任何帮助。
function Get-DeniedIP {
$denied = 'C:\bin\denied.csv' #CSV log of IP's that have been linked to denied auth attempts
$whitelist = Import-Csv 'C:\bin\whitelist.csv' #Location of whitelist csv
$datepath = 'C:\bin\cache' #If it does not exist that is fine
$bannedip = 'C:\bin\banned.csv' #CSV log of IP's that have reached the max failed auth and are banned
$check = [System.IO.File]::Exists($datepath)
if ($check -like '*False*') {
(get-date).ToString() | Out-File $datepath
$date = Get-Date
}
else {
$date = Get-Content $datepath
$date = Get-Date -Date $date
}
$log = Get-EventLog -LogName Security -Message "*Network Policy Server denied*" -After $date
$array = @()
foreach ($message in $log) {
$address = ($message.message | Select-String -Pattern "Calling Station Identifier:\s*\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
$address = ($address | Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
$object = New-Object -TypeName PSObject
$object | Add-Member -Name 'IP' -MemberType Noteproperty -Value $address
$object | Add-Member -Name 'Date' -MemberType NoteProperty -Value $message.TimeWritten
$array += $object
}
$final = $array | where {$whitelist.IP -notcontains $_.IP}
if ($final -eq $null) {}
else {$final | Export-Csv $denied -Append}
$final
$DT = [DateTime]::Now.AddHours(-1)
$getip = $array | group-object -property IP | where {$_.Count -gt 10 -and
$array.Date -ge $DT} | Select -Property Name | Export-Csv $bannedip -Append
}
答案1
$DT = [DateTime]::Now.AddHours(-1)包含完整的日期和时间,我建议删除除时间之外的所有内容,因为这可能会阻止脚本根据时间匹配日志。