[Windows Vista/7 Firewall] PowerShell script to block addresses and network ranges

Discussion in 'other firewalls' started by m00nbl00d, Nov 23, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For those allergic to .Net Framework... take a walk... :D

    Everyone else, I just came across an interesting PowerShell script, from SANS Institute.

    -http://www.sans.org/windows-security/2011/10/25/windows-firewall-script-block-addresses-network-ranges

    I still haven't tried, but will tomorrow noon.
     
  2. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Maybe I will give this a try. Thanks m00n. :D
     
  3. wat0114

    wat0114 Guest

    Awesome so far! Thanks m00nbl00d :) BTW, you probably know already but just in case, scripts are blocked by default in Win7, so you need to execute "set-executionpolicy remotesigned" at least to apply the sample blocklist.txt file.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still haven't looked at that one, but it applies to all PowerShell scripts; it's a security measure. No PowerShell script can execute by default, and if you try to start it, it should open with Notepad instead (for example, if you were tricked into opening a PowerShell script that deletes your entire hard disk, it would fail. :D).

    Anyway, for those interested, there are 4 execution policies:

    Restricted - no scripts will run;
    RemoteSigned - scripts downloaded from the Internet require a digital signature; local scripts do not;
    Unrestricted - all scripts are allowed execution; NEVER set this policy! It will be doom.
    AllSigned - All scripts must be digitally signed (remote and local ones)

    Always pick either RemoteSigned or AllSigned for production systems. AllSigned would be better.

    This is what I do to enable PowerShell scripts. I create a batch file that will automatically set the policy I want; it will run the script; once the scripts finishes it will reset the policy to default value - Restricted.

    Example:

    Code:
    REM Allow local scripts to run for the duration of this batch file
    "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {Set-ExecutionPolicy RemoteSigned}"
    REM Run the script; -File takes the full script path followed by its parameters
    "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -File "full script path" <script parameter>
    
    REM (repeat the second line for each parameter)
    
    REM Put the execution policy back to its default value (Restricted)
    "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {Set-ExecutionPolicy Default}"
    
    -edit-

    You may not need a new line for each new parameter. I just like it that way. It makes it easier to manage the batch file. Just see what works best with you.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think I'll keep a balance between Windows Firewall and PeerBlock...

    By the way, which lists are you using... besides the ones mentioned in the article? I've been using a few (in PeerBlock), which are not in PeerBlock format by default... One has more than 15000 entries. :D
     
  6. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    LOL. Way too many there... :D
     
  7. wat0114

    wat0114 Guest

    @m00nbl00d,

    I knew you'd show off your technical abilities :D :p

    Only just got into it last night before sleeping, but so far I imported one from the Russian Federation plus the default Chinese list. Later this evening I'll play some more and no doubt add some others.

    @chaotic,

    there are lots of entries, although the CIDR notation helps.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    Such a list is hard to maintain. Also, the protection it provides is more a theoretical idea than an actual solution.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What is hard to maintain?
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    The list with more than 15000 entries.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I disagree 100%. It takes less than a few seconds to get it done and loaded and running. It's all automatic.

    It doesn't really matter if it's more than 15000 entries. You'd be saying the same thing, that the protection it provides is more a theoretical idea than an actual solution, if it were only 100 entries or just 1 entry.

    IP blacklists/domain blacklists are never a solution, rather a layer. The same way a well configured browser is never a solution, but rather one more layer. Etc.
     
  12. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I agree m00n. :thumb:
     
  13. wat0114

    wat0114 Guest

    m00nbl00d,

    can you recommend countries to block? Hopefully Canada isn't one of them :D
     
  14. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    LOL wat. :D As far as I'm concerned Canadians rock :p :thumb:
     
  15. wat0114

    wat0114 Guest

    Ha-ha, some of us do at least :D
     
  16. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Well the ones I have met have been :D
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Tough question... Whenever I see any mentions of the most problematic ones, I always hear China and Russia. So, I always block those two.

    You could block most/all of the "unknown" countries, that you'll find at Country IP Blocks (-https://www.countryipblocks.net/), and you probably won't be seeing any problems when loading your usual websites.

    The issue is probably blocking the well known countries. Will you, at some point, happen to visit a good website hosted in a server in one of those countries? Some Kaspersky content is/used to be hosted in Russian servers. Makes sense, they're Russian. :D This is not an issue to me, and if it ever happened, I could temporarily allow the connection to the IP.

    You'll have to do a bit of trial and error, I'm afraid. What works for me, won't work for you. When we block IPs, it's never white or black. :D

    I've been running those two lists (China and Russia) for quite some time, without issues. From time to time, I do download some Kaspersky removal tools, but so far the servers seem to be outside of Russia.
     
  18. wat0114

    wat0114 Guest

    Good advice m00nbl00d, thanks! I've already blocked the two you mentioned :)
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    It seems the Country IP Blocks lists aren't available. They're having issues.

    -http://www.countryipblocks.net/information/temporary-suspension-of-some-services/

    I used to be familiar with another service, that also provided all countries. I don't recall which one it is, though.
     
  20. wat0114

    wat0114 Guest

    They still load for me when I select the "Choose Country" button, then I copy paste the ip addresses into notepad.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm also using other lists, not country specific. You could give a look at the SpyEye and Zeus tracker.

    -https://zeustracker.abuse.ch/blocklist.php
    -https://spyeyetracker.abuse.ch/blocklist.php

    There's also another one, by the same author, which includes Palevo C&C blocking:

    -http://amada.abuse.ch/blocklist.php

    -edit-

    Take a look at Emerging Threats, as well -http://rules.emergingthreats.net/fwrules/ (Emerging Threats includes lists from different sources, such as ShadowServer).
     
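As an added example, not the SANS script the thread is about and not code from any poster: a PowerShell script that loads the kind of blocklist discussed above (Country IP Blocks CIDR ranges, PeerBlock-style "label:start-end" ranges, the abuse.ch / Emerging Threats plain address lists) into Windows Firewall on Vista/7 as inbound and outbound block rules, through netsh advfirewall. The accepted line formats, the rule-name prefix "Blocklist", the chunk size of 200 addresses per rule, the script file name used in the usage note, and the sample list layout are all assumptions made for this example.

```powershell
# Added example (not the SANS script from the thread, nor the poster's batch file):
# load a plain-text blocklist of IPv4 addresses and ranges into Windows Firewall
# (Vista/7, PowerShell 2.0 or later) as block rules, driven through netsh advfirewall.
# Accepted line formats (assumed; the thread does not define a format):
#   1.2.3.4                        single address
#   1.2.3.0/24                     CIDR range (Country IP Blocks / abuse.ch style)
#   1.2.3.0-1.2.3.255              start-end range
#   Some label:1.2.3.0-1.2.3.255   PeerBlock-style range with a label
#   blank lines and "# ..." comments are ignored; anything else is skipped with a warning.
param(
    [Parameter(Mandatory=$true)][string]$BlocklistPath,
    [string]$RulePrefix = 'Blocklist',                       # hypothetical rule-name prefix
    [ValidateRange(1, 1000)][int]$ChunkSize = 200,           # entries per rule (assumed comfortable size)
    [switch]$DryRun                                          # print the netsh commands instead of running them
)

Set-StrictMode -Version 2

function Test-IPv4 {
    param([string]$Text)
    $ip = $null
    # Require four dotted octets, then let .NET reject octets above 255
    return (($Text -match '^\d{1,3}(\.\d{1,3}){3}$') -and [System.Net.IPAddress]::TryParse($Text, [ref]$ip))
}

function ConvertTo-RemoteIpEntry {
    # Normalise one cleaned blocklist line to netsh remoteip syntax; $null if unusable
    param([string]$Entry)
    if ($Entry -match '^.*:(\d[\d.]*-\d[\d.]*)$') { $Entry = $Matches[1] }   # drop a PeerBlock label
    if ($Entry -match '^(\d[\d.]*)/(\d{1,2})$') {                            # CIDR
        if ((Test-IPv4 $Matches[1]) -and ([int]$Matches[2] -le 32)) { return $Entry }
        return $null
    }
    if ($Entry -match '^(\d[\d.]*)-(\d[\d.]*)$') {                           # start-end range
        if ((Test-IPv4 $Matches[1]) -and (Test-IPv4 $Matches[2])) { return $Entry }
        return $null
    }
    if (Test-IPv4 $Entry) { return $Entry }
    return $null
}

function Invoke-Netsh {
    param([string[]]$ArgList)
    if ($DryRun) { Write-Host ('netsh ' + ($ArgList -join ' ')); return 0 }
    & netsh $ArgList | Out-Null
    return $LASTEXITCODE
}

# netsh advfirewall changes need an elevated prompt
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $DryRun -and -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Parse the list; count lines that were neither blank, comment nor valid
$entries = @()
$skipped = 0
foreach ($line in (Get-Content -Path $BlocklistPath)) {
    $clean = ($line -replace '#.*$', '').Trim()
    if ($clean -eq '') { continue }
    $e = ConvertTo-RemoteIpEntry $clean
    if ($e) { $entries += $e } else { $skipped++; Write-Warning "Skipping unparsable line: $line" }
}

# Remove rules left by a previous run. netsh delete has no wildcard match, so walk the
# numbered names until netsh reports no matching rule (non-zero exit code); cap the walk.
if (-not $DryRun) {
    foreach ($dir in 'in', 'out') {
        $i = 1
        while (($i -le 10000) -and ((Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', "name=$RulePrefix-$dir-$i")) -eq 0)) { $i++ }
    }
}

# One inbound and one outbound block rule per chunk of addresses.
# Block rules take precedence over allow rules in Windows Firewall, so other rules do not undo this.
for ($start = 0; $start -lt $entries.Count; $start += $ChunkSize) {
    $end = [Math]::Min($start + $ChunkSize, $entries.Count) - 1
    $list = $entries[$start..$end] -join ','
    $n = [int]($start / $ChunkSize) + 1
    foreach ($dir in 'in', 'out') {
        $rc = Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$RulePrefix-$dir-$n",
                             "dir=$dir", 'action=block', 'enable=yes', 'profile=any', "remoteip=$list")
        if ($rc -ne 0) { Write-Warning "netsh returned $rc while adding $RulePrefix-$dir-$n" }
    }
}

$rules = [Math]::Ceiling($entries.Count / $ChunkSize)
Write-Host "Loaded $($entries.Count) entries into $rules rule(s) per direction; skipped $skipped line(s)."
```

Save it under a name of your choosing (Load-Blocklist.ps1 is used here only as a placeholder) and preview what it would do without changing the execution policy or the firewall: `powershell.exe -ExecutionPolicy Bypass -File .\Load-Blocklist.ps1 -BlocklistPath .\blocklist.txt -DryRun`. Dropping -DryRun from an elevated prompt applies the rules; re-running the script replaces the rules from the previous run, which is how a refreshed country or tracker list gets reloaded. IPv6 entries are reported as skipped rather than silently dropped, since the parser above only handles IPv4.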
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Ah... OK!! :thumb:
     
  23. wat0114

    wat0114 Guest

    Thanks again!
     