
Comments (5)

snblackout avatar snblackout commented on June 8, 2024

Just providing some information. I downloaded source, compiled and deployed. I see the extra reporting. Below is the output of an IP that is found by multiple configurations it seems, but is not in the temporary banned list in the console.

1/23/2021 13:05:32 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 1
1/23/2021 13:06:02 - [Info]: BlockRDPBrutersBySecurity4625: found 89.248.165.20, trigger count is 1
1/23/2021 13:06:02 - [Info]: BlockRDPBrutersBySecurity4625: found 89.248.165.20, trigger count is 2
1/23/2021 13:06:02 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 1
1/23/2021 13:06:02 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 2
1/23/2021 13:06:02 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 1
1/23/2021 13:06:02 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 2
1/23/2021 13:06:32 - [Info]: BlockRDPBrutersBySecurity4625: found 89.248.165.20, trigger count is 1
1/23/2021 13:06:32 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 1
1/23/2021 13:06:32 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:02 - [Info]: BlockRDPBrutersBySecurity4625: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:02 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:02 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 2
1/23/2021 13:07:02 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:02 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 2
1/23/2021 13:07:32 - [Info]: BlockRDPBrutersBySecurity4625: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:32 - [Info]: BlockRDPBrutersBySecurity4625: found 89.248.165.20, trigger count is 2
1/23/2021 13:07:32 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:32 - [Info]: BlockRDPBrutersByRdpCore140: found 89.248.165.20, trigger count is 2
1/23/2021 13:07:32 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 1
1/23/2021 13:07:32 - [Info]: BlockRDPBrutersByRdpCore131: found 89.248.165.20, trigger count is 2

I see a "trigger count is X" and also "this is strike X". What do these two mean exactly?

Is the below supposed to be the "perma ban" operation? My perma ban list is empty.

Banning 193.93.62.73, this is strike 3

Also looks like you're logging the type and not the value here:

Banned 3 (strike count was over System.Collections.Generic.Dictionary`2[System.Net.IPAddress,System.Int32]

from evlwatcher.

devnulli avatar devnulli commented on June 8, 2024

about your question:
this is about how it's meant to be:

trigger count : when the eventlog is scanned, there is a timeframe that is analysed (for instance, 2 minutes).
whenever someone generated more than <triggercount> log entries in these <timeframe> minutes, it comes to a ban.
that is when he says "Banning 193.93.62.73, this is strike X" and is a TEMPORARY ban (for 1 h)


strike:
so whenever someone is banned because he tried too often in a certain time, the service not only temporarily bans the attacker but it counts if he comes back. so after 1 hour, when the temporary ban is lifted, and he comes back and gets banned again, he will have strike 2, and so on. When enough is enough, he will be permanently banned
Banned 192.16... (strike count was over 3)


so:
trigger count : counting the log entries of the same ip in the analyzed time frame
strike: getting a temporary ban
perma ban: getting a permanent ban

with a normal setting, and a machine attacking your rdp, the ip will enter the permanent ban list after about 3h of brute forcing, while having the machine reachable for about 0-90 seconds.

00:00:00 attacker starts brute force
00:00:30 attacker will be temp banned around that time (strike 1)

  • machine is unreachable 1h

02:00:30 - ban is lifted, machine comes back - attacker keeps trying
02:01:00 - attacker will be banned a second time about now (strike 2)

  • machine is unreachable for 1 h

04:01:00 - ban is lifted, machine comes back - attacker STILL keeps trying
04:01:30 - attacker will be banned forever (strike 3)

as I wrote this, I also corrected the wrong output

I will look now if the attacker really is not added to the perma ban list, even though the system says he is.

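As an added illustration (not EvlWatcher's own code), the following Python models the trigger-count, strike and permanent-ban sequence described in the comment above: failed logons per IP are counted inside a sliding timeframe, exceeding the trigger count earns a temporary ban (one strike), and enough strikes turn into a permanent ban. The parameter names, their defaults and the attacker scenario are assumptions constructed for this example, not the project's real settings.

```python
from collections import defaultdict, deque

# Added example, not EvlWatcher's own code: a model of the trigger-count /
# strike / permanent-ban logic described above. Parameter names and defaults
# are assumptions, not the project's real settings.
class BanTracker:
    def __init__(self, timeframe=120, trigger_count=5, temp_ban=3600, perma_strikes=3):
        self.timeframe, self.trigger_count = timeframe, trigger_count  # seconds, count
        self.temp_ban, self.perma_strikes = temp_ban, perma_strikes    # seconds, strikes
        self.events = defaultdict(deque)   # ip -> failed-logon timestamps in the window
        self.strikes = defaultdict(int)    # ip -> temporary bans so far
        self.temp_banned = {}              # ip -> time the temporary ban expires
        self.perma_banned = set()

    def is_blocked(self, ip, now):
        if ip in self.perma_banned:
            return True
        if now < self.temp_banned.get(ip, 0):
            return True
        self.temp_banned.pop(ip, None)     # ban lifted: the host is reachable again
        return False

    def observe(self, ip, now):
        """One failed logon from ip at time now; returns None, ('temp', n) or ('perma', n)."""
        if self.is_blocked(ip, now):
            return None                    # blocked traffic never reaches the event log
        q = self.events[ip]
        q.append(now)
        while q[0] < now - self.timeframe:
            q.popleft()                    # drop entries outside the analysed timeframe
        if len(q) <= self.trigger_count:   # "more than <triggercount>" entries => ban
            return None
        q.clear()
        self.strikes[ip] = n = self.strikes[ip] + 1
        if n >= self.perma_strikes:
            self.perma_banned.add(ip)
            return ("perma", n)
        self.temp_banned[ip] = now + self.temp_ban
        return ("temp", n)

def simulate(ip="203.0.113.7", interval=5, duration=4 * 3600):
    """Constructed scenario: one attacker retrying every `interval` seconds; returns (time, kind, strike) per ban."""
    tracker = BanTracker()
    decisions = []
    for t in range(0, duration + 1, interval):
        r = tracker.observe(ip, t)
        if r:
            decisions.append((t, r[0], r[1]))
    return decisions
```

With the defaults, a retry every 5 seconds produces strike 1 at 25 s, strike 2 shortly after the first hour-long ban lifts, and a permanent ban on the third strike; retries spaced 60 s apart never exceed the trigger count inside the 2-minute window and are never banned.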

devnulli avatar devnulli commented on June 8, 2024

setting the permanent ban does not work because the service checks for client privileges. fixing that


devnulli avatar devnulli commented on June 8, 2024

@snblackout - thanks for your info, thanks to you we have fixed a bug that would prevent evlwatcher from permanently banning IPs.

just to make sure, do you have a message like "object reference not set to an instance" in your eventlog at the time the permanent ban would have been set?


snblackout avatar snblackout commented on June 8, 2024

Yes, I was seeing that error in the event logs. There was no stack trace attached so it really didn't point me anywhere. Glad my info has helped!

