Защита rdp (3389) порта - [2] :: В помощь системному администратору

анализирую журнал системы, после заношу в firewall, скрипт запускается каждый час
(пока работает)

Option Explicit

Dim objWMIService
Dim wmiDateTime

Dim objEvent
Dim colEvents
Dim dtmEventTime
Dim strEventQuery

Dim strMsg

Dim strPos
Dim strLength

Dim arrIP(10,2)
Dim idx

Dim objRequest

Sub GetHTTP(objRequest,stURL)

    objRequest.open "GET", stURL, False

    objRequest.setRequestHeader "Authorization", "Basic ZZZZZZZZZZZZZ="
    objRequest.setRequestHeader "User-Agent", "XXXXXXXXXXXXXXXXXXXX"
    objRequest.setRequestHeader "Accept", "YYYYYYYYYYYYY"
    objRequest.setRequestHeader "Accept-Language", "ru-RU,ru;q=0.9,en;q=0.8"
    objRequest.setRequestHeader "Referer", "http://modem"
    objRequest.setRequestHeader "Cache-Control", "no-cache"
    objRequest.setRequestHeader "Connection", "Keep-Alive"
    objRequest.send

    'WScript.Echo objRequest.Status

End Sub

strMsg = ""

For idx = 1 to 10

arrIP(idx - 1,0) = ""
arrIP(idx - 1,1) = 0

Next

On Error Resume Next
Set objWMIService = GetObject("winmgmts://./root/cimv2")
If Err.Number Then
WScript.Quit
End If

Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
If Err.Number Then
WScript.Quit
End If
On Error Goto 0

// проверять последний час
dtmEventTime = DateAdd("h",-1, Now)

wmiDateTime.SetVarDate dtmEventTime, True

strEventQuery = "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND SourceName = 'Security' AND EventCode = '529' AND TimeGenerated > '" & wmiDateTime.Value & "'"

On Error Resume Next
Set colEvents = objWMIService.ExecQuery(strEventQuery)
For Each objEvent in colEvents
If Err.Number Then
WScript.Quit
End If
On Error Goto 0

        strMsg = objEvent.Message

        strPos = instr(strMsg,"Адрес сети источника:") + len("Адрес сети источника:")
        strLength = instr(strMsg,"Порт источника:") - strPos

        strMsg = Replace(Mid(strMsg,strPos,strLength),vbCrLf,"")
        strMsg = Trim(Replace(strMsg,vbTab,""))

        idx = 1
        For idx = 1 to 10

            if arrIP(idx - 1,0) = strMsg Then
                Exit For
            elseif    arrIP(idx - 1,0) = "" then
                arrIP(idx - 1,0) = strMsg
                Exit For
            End If

        Next

        if idx < 10 Then
            arrIP(idx - 1,1) = arrIP(idx - 1,1) + 1
        End If

Next
On Error Goto 0

Set objRequest = CreateObject("WinHttp.WinHttpRequest.5.1")

if objRequest is Nothing then
    WScript.Quit
end if

strPos = 0

For idx = 1 to 10

    if (arrIP(idx - 1,0) <> "") and (arrIP(idx - 1,0) <> "xxxx") and (arrIP(idx - 1,0) <> "yyyyy") and (arrIP(idx - 1,0) <> "jjjjjj") Then

    if arrIP(idx - 1,1) > 10 Then

        if strPos = 0 Then

            '//Auth
            call GetHTTP(objRequest,"http://modem")

        End If

        '//AddFilter
        call GetHTTP(objRequest,"http://modem/scipfilter.cmd?action=add&wanIf=ALL&fltName=0&IPFltAllow=0&protocol=0&srcAddr=" & arrIP(idx - 1,0) & "&srcMask=255.255.255.255")

        strPos = 1

    End If
    End If

Next

Set objRequest = Nothing

Модерирует : lynx, Crash_Master, dg, emx, ShriEkeR
Версия для печати • Подписаться • Добавить в закладки
Страницы: 1 2 3 4