Remote Desktop is being brute-forced non-stop, but the event log does not record the source IP
We can open:
Applications and Services Logs---Microsoft---Windows---RemoteDesktopServices-RdpCoreTS---Operational
where a large number of logon failure records can be seen, each naming the client IP address, for example:
来自 IP 地址为 185.123.53.90 的客户端计算机的连接失败,因为用户名或密码不正确。
The event ID is 140.
Fix:
1. Set the Remote Desktop client connection encryption level to High
gpedit (Group Policy)--Computer Configuration--Administrative Templates--Windows Components--Remote Desktop Services--Remote Desktop Session Host--Security--Set client connection encryption level--set to "Enabled"--High Level
2. Require user authentication for remote connections to the RD Session Host server by using Network Level Authentication
gpedit (Group Policy)--Computer Configuration--Administrative Templates--Windows Components--Remote Desktop Services--Remote Desktop Session Host--Security--Require user authentication for remote connections by using Network Level Authentication--set to "Enabled"
3. Windows Server: through the registry, enable TLS 1.2 and 1.3, disable TLS 1.1 and TLS 1.0, and disable SSL 2.0 and SSL 3.0 (run the following as an administrator; SCHANNEL settings take effect after a restart)
echo Disable TLS 1.0 and TLS 1.1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /t REG_DWORD /d "0" /f
echo Enable TLS 1.2 and TLS 1.3
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v "DisabledByDefault" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v "Enabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v "DisabledByDefault" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v "Enabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /t REG_DWORD /d "1" /f
echo Disable SSL 2.0 and SSL 3.0
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /t REG_DWORD /d "0" /f
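To confirm that the reg add commands above landed as intended, the following added check (not part of the original post) reads the SCHANNEL protocol keys back and reports the effective state of each protocol against the intended outcome; the $expected table encodes the goal of step 3.

```powershell
# Added example: verify the SCHANNEL protocol keys written in step 3.
# A protocol counts as enabled when Enabled is non-zero (or absent) and
# DisabledByDefault is not 1, which mirrors how SCHANNEL reads the values.
$base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$protocols = "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"
# Intended end state from step 3 (assumption: exactly the page's goal)
$expected = @{ "SSL 2.0" = $false; "SSL 3.0" = $false; "TLS 1.0" = $false
               "TLS 1.1" = $false; "TLS 1.2" = $true;  "TLS 1.3" = $true }

foreach ($p in $protocols) {
    foreach ($side in "Client", "Server") {
        $key = Join-Path $base "$p\$side"
        if (-not (Test-Path $key)) {
            # No key at all means Windows uses its built-in default for this
            # protocol, which is not what the hardening step intends.
            Write-Output ("{0,-8} {1,-6} MISSING" -f $p, $side)
            continue
        }
        $v = Get-ItemProperty -Path $key
        $enabled = ($v.Enabled -ne 0) -and ($v.DisabledByDefault -ne 1)
        $state = if ($enabled) { "ENABLED" } else { "disabled" }
        $flag  = if ($enabled -eq $expected[$p]) { "ok" } else { "MISMATCH" }
        Write-Output ("{0,-8} {1,-6} {2,-8} {3}" -f $p, $side, $state, $flag)
    }
}
```

Any line reporting MISSING or MISMATCH points at a key that still needs the corresponding reg add from step 3.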
4. Two scheduled-task scripts: save each of the scripts below as a .ps1 file and run it from Task Scheduler to automatically block attacking IPs
Script 1 (event ID 139):
# Use Get-WinEvent to search the event log for the given event ID, extract the remote IP address from each record, and write that address into a firewall block rule
# Set the console output encoding to GB2312 / GBK
$OutputEncoding = [Console]::OutputEncoding = [System.Text.Encoding]::GetEncoding("GB2312")
# Define the log name and event ID
$logName = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational" # Security log = Security, Application log = Application; this is the <Channel> value
$eventID = 139 # event ID, the <EventID> value
# Define the time range
$startTime = (Get-Date).AddDays(-1) # from one day ago
$endTime = Get-Date # until now
# Retrieve the event log entries in the given time range
$filter = @{
    LogName   = $logName
    ID        = $eventID
    StartTime = $startTime
    EndTime   = $endTime
}
# MaxEvents caps the number of records read; adding -Oldest returns them oldest-first in the order they were written
# -ErrorAction SilentlyContinue keeps "No events were found" from being printed as an error on a quiet day
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 100 -ErrorAction SilentlyContinue
# Sort the events by timestamp, newest first
$sortedEvents = $events | Sort-Object -Property TimeCreated -Descending
foreach ($event in $sortedEvents) {
    $message = $event.Message
    # Print the full log message, for debugging
    # Write-Output "Full message:"
    # Write-Output $message
    # Write-Output "----------------------------------------"
    # Match the IP address with a regex; because the message wording differs between Windows language versions, this matches more reliably than parsing the text
    if ($message -match "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(\d{1,5}))?") {
        $sourceAddress = $matches[1] # the matched IP address
        if ($sourceAddress -eq "127.0.0.1" -or $sourceAddress -eq "0.0.0.0") {
            # Loopback or unspecified address: skip the remaining steps
            # Known-safe IPs of your own can be added to this check as well
            Write-Output "Source $sourceAddress is a local address, skipping firewall rule creation."
            Write-Output "----------------------------------------"
            continue
        }
        # Check whether a firewall rule already exists
        $existingRule = Get-NetFirewallRule -DisplayName "Block IP $sourceAddress" -ErrorAction SilentlyContinue
        if ($existingRule) {
            Write-Output "Firewall rule for IP $sourceAddress already exists, skipping."
        } else {
            # Create a firewall rule that blocks inbound connections from this IP address
            New-NetFirewallRule -DisplayName "Block IP $sourceAddress" -Direction Inbound -Action Block -RemoteAddress $sourceAddress
            Write-Output "Firewall rule for IP $sourceAddress created"
        }
    } else {
        $sourceAddress = "N/A"
    }
    Write-Output $sourceAddress
}
exit
Script 2 (event ID 140, then clears the event logs):
# Use Get-WinEvent to search the event log for the given event ID, extract the remote IP address from each record, and write that address into a firewall block rule
# Set the console output encoding to GB2312 / GBK
$OutputEncoding = [Console]::OutputEncoding = [System.Text.Encoding]::GetEncoding("GB2312")
# Define the log name and event ID
$logName = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational" # Security log = Security, Application log = Application; this is the <Channel> value
$eventID = 140 # event ID, the <EventID> value
# Define the time range
$startTime = (Get-Date).AddDays(-1) # from one day ago
$endTime = Get-Date # until now
# Retrieve the event log entries in the given time range
$filter = @{
    LogName   = $logName
    ID        = $eventID
    StartTime = $startTime
    EndTime   = $endTime
}
# MaxEvents caps the number of records read; adding -Oldest returns them oldest-first in the order they were written
# -ErrorAction SilentlyContinue keeps "No events were found" from being printed as an error on a quiet day
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 100 -ErrorAction SilentlyContinue
# Sort the events by timestamp, newest first
$sortedEvents = $events | Sort-Object -Property TimeCreated -Descending
foreach ($event in $sortedEvents) {
    $message = $event.Message
    # Print the full log message, for debugging
    # Write-Output "Full message:"
    # Write-Output $message
    # Write-Output "----------------------------------------"
    # Match the IP address with a regex; because the message wording differs between Windows language versions, this matches more reliably than parsing the text
    if ($message -match "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(\d{1,5}))?") {
        $sourceAddress = $matches[1] # the matched IP address
        if ($sourceAddress -eq "127.0.0.1" -or $sourceAddress -eq "0.0.0.0") {
            # Loopback or unspecified address: skip the remaining steps
            # Known-safe IPs of your own can be added to this check as well
            Write-Output "Source $sourceAddress is a local address, skipping firewall rule creation."
            Write-Output "----------------------------------------"
            continue
        }
        # Check whether a firewall rule already exists
        $existingRule = Get-NetFirewallRule -DisplayName "Block IP $sourceAddress" -ErrorAction SilentlyContinue
        if ($existingRule) {
            Write-Output "Firewall rule for IP $sourceAddress already exists, skipping."
        } else {
            # Create a firewall rule that blocks inbound connections from this IP address
            New-NetFirewallRule -DisplayName "Block IP $sourceAddress" -Direction Inbound -Action Block -RemoteAddress $sourceAddress
            Write-Output "Firewall rule for IP $sourceAddress created"
        }
    } else {
        $sourceAddress = "N/A"
    }
    Write-Output $sourceAddress
}
# Clear the related event logs. Run the script above first, because this step wipes the logs it reads from
wevtutil cl "Windows PowerShell"
wevtutil cl "Microsoft-Windows-AppReadiness/Admin"
wevtutil cl "Microsoft-Windows-AppReadiness/Operational"
wevtutil cl "Microsoft-Windows-AppXDeployment/Operational"
wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Operational"
wevtutil cl "Microsoft-Windows-DeviceSetupManager/Admin"
wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
wevtutil cl "Microsoft-Windows-Hyper-V-Integration/Admin"
wevtutil cl "Microsoft-Windows-Kernel-IO/Operational"
wevtutil cl "Microsoft-Windows-Kernel-PnP/Device Management"
wevtutil cl "Microsoft-Windows-Ntfs/Operational"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
wevtutil cl "Microsoft-Windows-PushNotifications-Platform/Operational"
wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
wevtutil cl "Microsoft-Windows-Shell-Core/AppDefaults"
wevtutil cl "Microsoft-Windows-Shell-Core/Operational"
wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
wevtutil cl "Microsoft-Windows-Winlogon/Operational"
wevtutil cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"
exit
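The scripts above block a source after a single event-140 failure, so one mistyped password from an administrator is enough to lock that address out. The following added variant (example code, not from the original post) counts failures per source over a window and blocks only repeat offenders, and keeps an explicit allowlist; the parameter names, the threshold of 5 and the 24-hour window are assumptions chosen for this example.

```powershell
# Added example: threshold-based blocking of RDP brute-force sources.
# Same log, event ID and IP regex as the post's scripts; the difference is
# that a source is blocked only after $Threshold failures inside $Hours.
param(
    [int]$Threshold = 5,      # assumed value: failures needed before blocking
    [int]$Hours = 24,         # assumed value: look-back window
    [string[]]$AllowList = @("127.0.0.1", "0.0.0.0")  # add management IPs here
)

$filter = @{
    LogName   = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    ID        = 140
    StartTime = (Get-Date).AddHours(-$Hours)
}
$ipPattern = '(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'

# Extract one IPv4 literal per event; events without one are skipped.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    if ($e.Message -match $ipPattern) { $Matches[1] }
}

# Count failures per source and keep only those at or above the threshold.
$offenders = $hits | Group-Object | Where-Object { $_.Count -ge $Threshold }

foreach ($o in $offenders) {
    $ip = $o.Name
    if ($AllowList -contains $ip) {
        Write-Output "$ip is allowlisted ($($o.Count) failures), not blocking"
        continue
    }
    $ruleName = "Block IP $ip"
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "$ip already blocked"
        continue
    }
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -RemoteAddress $ip | Out-Null
    Write-Output "blocked $ip after $($o.Count) failed logons in the last $Hours h"
}
```

Because it reads the same RdpCoreTS/Operational channel, it must run before any step that clears that log, otherwise the per-source counts never reach the threshold.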
Source:
网络小编D
