A large number of event ID 4625 entries in the Windows Security log

Keywords: PHP network Windows

Recently, I found a large number of network logon failure records (event ID 4625) in the Windows Security log (Windows 10, 64-bit), with many Internet IP addresses attempting to log in to my computer in the background. I feel that the company's network is no longer safe, so all I can do is try my best to protect my own computer.

Attempt 1: disable the Server service and turn off all sharing in Network and Sharing Center. No effect.

Attempt 2: write a PowerShell script that blocks the offending Internet IP addresses at the source.

# Collect the text of every 4625 event and pull out each dotted IPv4 string in it,
# counting hits per address in $arrayList as ($ip, $count) pairs.
# Note: the regex matches ANY dotted quad in the event text, so loopback (127.0.0.1),
# 0.0.0.0 and addresses on the local LAN are counted and blocked too.
$arrayList=New-Object System.Collections.ArrayList;
$arrayList.Clear();
# Out-String without -Stream returns one string, which is what [regex]::Matches expects.
$stream=Get-EventLog -LogName Security -InstanceID 4625 | Select-Object -Property * | Out-String
[regex]::Matches($stream, '(\d+\.){3}\d+') | %{
    $count=$arrayList.Count;
    if ($count -ge 1) {
        $b=0;
        for ($i=0;$i -lt $count;$i++) {
            if ($arrayList[$i][0] -eq [string]$_.Value) {
                $arrayList[$i][1]+=1;      # address already seen: bump its counter
                break;
            }
            else {
                $b=$i+1;
            }
        }
        if ($b -eq $count) {               # reached the end without a match: new address
            $arrayT1=($_.Value,1);
            $arrayList.Add($arrayT1) | Out-Null;
        }
    }
    else {
        $arrayT1=($_.Value,1);
        $arrayList.Add($arrayT1) | Out-Null;
    }
} | Out-Null;
# Take the addresses in descending order of hits, print a report line for each
# and create one inbound Block rule per address (requires an elevated shell).
$count1=$arrayList.Count;
$array1=New-Object 'string[]' $count1;
for ($i=0;$i -lt $count1;$i++) {
    $int1=0;
    $int2=1;
    for ($j=0;$j -lt $arrayList.Count;$j++){  # find the remaining entry with the most hits
        if ($arrayList[$j][1] -gt $int2) {
            $int2=$arrayList[$j][1];
            $int1=$j;
        }
    }
    $str1="";
    $c=16 - ([string]$arrayList[$int1][0]).Length;   # pad the address to 16 columns
    for ($k=0;$k -lt $c;$k++) {
        $str1=$str1 + " ";
    }
    $array1[$i]=$arrayList[$int1][0] + $str1 + "---> " + $arrayList[$int1][1];
    $str2="ForbiddenIP:" + $arrayList[$int1][0];
    New-NetFirewallRule -DisplayName $str2 -Direction Inbound -Action Block -RemoteAddress $arrayList[$int1][0] | Out-Null;
    $arrayList.Remove($arrayList[$int1]);
}
"Total:" + $count1;
$array1;
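The script above counts every dotted quad that appears anywhere in the event text, so it will also block loopback, 0.0.0.0 and hosts on the local network, and it creates a separate rule on every run. The following is an added example (not the post's own script) that reads the structured IpAddress field of each 4625 event instead, skips addresses that must never be blocked, applies a threshold, and maintains a single firewall rule whose address list is merged on each run; the threshold value and the rule name are assumptions chosen for the example.

```powershell
# Added example, not the original post's script. Reads the IpAddress field from the
# 4625 EventData instead of regex-matching any dotted number in the event text,
# skips addresses that must never be blocked, and keeps ONE firewall rule whose
# RemoteAddress list is merged on every run. Needs an elevated PowerShell (5.1+).
$Threshold = 5                      # assumed: failures per source before blocking
$RuleName  = 'Block-4625-Sources'   # assumed: hypothetical rule name
$Since     = (Get-Date).AddDays(-1)

# Loopback, unspecified, link-local and RFC 1918 sources are skipped: in a domain
# the DC and colleagues' machines also generate 4625 noise and must not be blocked.
function Test-SkipAddress([string]$ip) {
    if ($ip -in @('-', '', '0.0.0.0', '127.0.0.1', '::1')) { return $true }
    return $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80:)'
}

$counts = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
    ForEach-Object {
        # EventData field names as written in the 4625 XML: IpAddress is the
        # "Source Network Address" shown in Event Viewer, LogonType is 3 for network.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ip = $data['IpAddress']
        if (-not (Test-SkipAddress $ip)) { $counts[$ip] = 1 + [int]$counts[$ip] }
    }

$offenders = @($counts.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
    Sort-Object Value -Descending)
$offenders | ForEach-Object { '{0,-40} ---> {1}' -f $_.Key, $_.Value }

$addrs = @($offenders | ForEach-Object { $_.Key })
if ($addrs.Count -gt 0) {
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Merge with what is already on the rule so earlier blocks survive.
        $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
        $addrs = @(@($existing) + $addrs | Sort-Object -Unique)
        $rule | Set-NetFirewallRule -RemoteAddress $addrs
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress $addrs | Out-Null
    }
}
"Total blocked sources: $($addrs.Count)"
```

Because the rule is updated in place, the script can be scheduled to run periodically without accumulating one rule per address.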

Attempt 3: block ports 3389, 445 and 23 -----> tested, this works!

(However, the computer still generates many events with IDs 4624, 4627, 4672, 4688, 4720, 4724, 4726, 4728, 4729, 4797, 4799 and 5379. I suspect this is an abnormal network problem in the domain environment, and the machine can't be removed from the domain. Let it go...)

Posted by jana on Wed, 30 Oct 2019 21:42:00 -0700