Bulk import IPs into your Windows Server 2008 R2 Firewall



Posted on Feb 4, 2011 by Paul White

UPDATE 8/5/2012
I recently noticed that the IPDENY.com website was down. I am not sure whether this is temporary, but I went ahead and rewrote my script to use a different free IP-to-country database. This article has been updated for the new script.

If you are like me, you take server security very seriously. You lock down all your ports, and you even firewall IPs that try to use exploits. But eventually you determine that none of your clients do business in China or Russia, and it's easier to just block those countries rather than trying to block individual IPs. This brings another problem: Windows Server 2008 R2 has no user-friendly way to do a bulk import of IPs. Luckily I found a VB script that you can run, and it will automatically add the IP blocks you want to block.

Why block country IP blocks

Most of the world's comment spam and hacker attacks come from Russia, Ukraine, China, India. If your websites have no customers in those countries then there is no reason to let them in. IT specialists are very well aware of the growing firewall between the western world and other countries. Comment spam and hacker attacks don't usually originate from USA IPs because ISPs are usually very quick to shut them down. But when it's in another country, things don't move as fast. This has led server administrators to block entire IP blocks right at the firewall.

Before I get started, I want to give credit to the original author
Steve on Alcoholiccustard.co.uk did an excellent job on the original script
I simply took what he did and expanded it just a little for my own purposes.

How do we get Country IP Blocks?

Easy, there is a website called ipinfodb.com which lists out all the various countries and their IP blocks. What is great is they give you the option of listing them out by RAW text, IP Tables, or Apache HTACCESS ( Allow or Deny ). Using the IP Tables option I wrote a script to easily import them.

Modifications to the original Script

The original script was set up to block various remote IPs from all local IPs on Port 80 (HTTP) and Port 443 (HTTPS). I modified the script to also include the specified local IPs that need to be protected. I did this because when you have a server with 50+ websites, and each website has its own IP, some of those websites might not want to block foreign countries. Also the original script blocked Japan, but I see Ukraine as more of a threat than Japan. The original script is also set up to store only 200 remote IPs in a single rule. I tried to up this to 500, but got errors on a few files, so I took it back to the 200 he recommended.

Important lines of code

Below there is a line of code that specifies the local IPs this firewall rule is supposed to affect.
serverIPs = "yourFirstIP,yourSecondIP,yourThirdIP"
Just update this with the actual IPs you want to protect, with a comma between each IP.
You can also use blocks (123.123.123.123/8) and ranges (123.0.0.0-123.255.255.255).
Just be sure to add a comma between each IP / block / range.

Just take the code below, copy and paste it into a blank text document (update the code to specify your IPs), save it, and then change the extension from .txt to .vbs. Then double-click it. You will see a series of command prompt windows open and close; this is normal. Each one is adding a new rule to your firewall. This script should work on both Windows 7 and Windows Server 2008 R2. This script will not work in Windows XP, Server 2003, Vista, or Server 2008.

Bulk Import IPs into Windows 7 and Windows Server 2008 R2 Firewall Script

The following script is what I run on my server, be sure to change the IPs to match your server, and add / remove countries to the list. You might notice I don't enable this on all my IPs, as some of my clients do want to get traffic from China / India.

'########################################################################
' netsh advfirewall firewall - Details on the command here: http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx
' To be run on Windows 7 / Windows Server 2008 R2 only
' IP data supplied by ipinfodb.com
'########################################################################

Dim objShell
set objShell=CreateObject("Wscript.shell")

'########################################################################
' This URL has the IP lists
'########################################################################

objURLpre = "http://ipinfodb.com/country_query.php?country="
objURLpost = "&output=iptables&filename=blocklist.txt"

'########################################################################
'Firewall Rule
'########################################################################

rulename = "AllSites HTTP "

'########################################################################
'Local IPs to Protect
'list all IPs that you want to protect
' format them as either single IPs, 123.123.123.123
' IP blocks, 123.123.123.123/24
' IP ranges, 123.0.0.0-123.255.255.255
' with a comma separating them
'########################################################################

serverIPs = "199.119.176.70-199.119.176.126,199.119.177.2-199.119.177.11,199.119.177.13-199.119.177.28"

'########################################################################
'Remote IPs per Rule, Its recommended to keep this at 200
'You can try higher numbers, but the script might error on you
'########################################################################

percommand=200

'########################################################################
'Zone files to pull from
'If there are countries not listed here, visit ipdeny.com, to add them
'########################################################################

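Dim arrayzone(21) ' upper bound 21 = 22 entries (0-21); a larger bound leaves an empty entry that is requested as a blank country code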
arrayzone(0) = "AF" 'Afghanistan
arrayzone(1) = "CN" 'China
arrayzone(2) = "DZ" 'Algeria
arrayzone(3) = "HK" 'Hong Kong
arrayzone(4) = "IN" 'India
arrayzone(5) = "IQ" 'Iraq
arrayzone(6) = "KZ" 'Kazakhstan
arrayzone(7) = "NG" 'Nigeria
arrayzone(8) = "PA" 'Panama
arrayzone(9) = "RU" 'Russia
arrayzone(10) = "RO" 'Romania
arrayzone(11) = "UA" 'Ukraine
arrayzone(12) = "TW" 'Taiwan
arrayzone(13) = "ID" 'Indonesia
arrayzone(14) = "BG" 'Bulgaria
arrayzone(15) = "VN" 'Vietnam
arrayzone(16) = "SK" 'Slovakia
arrayzone(17) = "MD" 'Moldova
arrayzone(18) = "TR" 'Turkey
arrayzone(19) = "PH" 'Philippines
arrayzone(20) = "BR" 'Brazil
arrayzone(21) = "LV" 'Latvia

For each URL in arrayzone

'########################################################################
'Get IPs from the current zone
'########################################################################

Set objHTTP = CreateObject("Msxml2.XMLHTTP")
objHTTP.open "GET", objURLpre & url & objURLpost, False
objHTTP.send

HTTPstatus = objHTTP.Status

If HTTPstatus= "200" Then

GetHTML = objHTTP.responseText

'########################################################################
'Delete previous firewall rules with the same name
'########################################################################

netshCommand = "NETSH advfirewall firewall delete rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34)
errorcode = objShell.Run(netshCommand, 1, true)

'########################################################################
'wscript.echo errorcode 0 = good / 1 = bad
'########################################################################

current = 0
iplist = ""

iparray=Split(GetHTML, chr(10))

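For each ip in iparray

' Skip blank lines (such as the one after a trailing newline) so no empty entry reaches remoteip=
If Len(Trim(Replace(ip, vbCr, ""))) > 0 Then
If current = 0 Then
iplist = ip
current = 1
Else
iplist = iplist & "," &ip
current = current + 1
End If
End If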

'########################################################################
'If we have reached our limit then push the rule to the firewall
'########################################################################

if current = percommand Then
netshCommand = "NETSH advfirewall firewall add rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34) & " dir=In action=Block Enable=yes profile=public,private,domain localip=" & serverIPs & " remoteip=" & ipList & " protocol=tcp"
errorcode = objShell.Run(netshCommand, 1, true)
current = 0
iplist = ""
End If

Next

'########################################################################
'Add any left over IPs
'########################################################################

if current > 0 Then
netshCommand = "NETSH advfirewall firewall add rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34) & " dir=In action=Block Enable=yes profile=public,private,domain localip=" & serverIPs & " remoteip=" & ipList & " protocol=tcp"
errorcode = objShell.Run(netshCommand, 1, true)
End if


Else
wscript.echo "ERROR GETTING TO URL: " & URL
End If

Next

wscript.echo "done"

I hope this helps everyone.
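
The script above puts each downloaded line into the netsh command line unchecked and fetches the list over plain HTTP, so a truncated, garbled or altered response goes straight into a firewall rule. As an added example (not part of the original script; the function names are hypothetical), this PowerShell code accepts only well-formed IPv4 addresses, blocks and ranges, sets every other line aside for review, and builds the add-rule commands in groups of 200 as the article recommends. The sample list is constructed and uses a group size of 2 only to show the splitting.

```powershell
# Added example, not the article's script. Function names are hypothetical.

function Test-Ipv4 {
    param([string]$Text)
    # Exactly four decimal octets, each 0-255, with nothing before or after.
    $m = [regex]::Match($Text, '\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z')
    if (-not $m.Success) { return $false }
    foreach ($i in 1..4) {
        if ([int]$m.Groups[$i].Value -gt 255) { return $false }
    }
    return $true
}

function Test-RemoteEntry {
    param([string]$Entry)
    # Accept the three forms the article lists: single IP, block (CIDR), range.
    if ($Entry -match '\A([0-9.]+)/([0-9]{1,2})\z') {
        $addr = $Matches[1]; $bits = [int]$Matches[2]
        return ((Test-Ipv4 $addr) -and ($bits -le 32))
    }
    if ($Entry -match '\A([0-9.]+)-([0-9.]+)\z') {
        $from = $Matches[1]; $to = $Matches[2]
        return ((Test-Ipv4 $from) -and (Test-Ipv4 $to))
    }
    return (Test-Ipv4 $Entry)
}

function New-BlockRuleCommands {
    param(
        [string]$ListText,        # raw text of the downloaded list
        [string]$RuleName,        # firewall rule name, set locally
        [int]$ChunkSize = 200     # remote IPs per rule, the article's value
    )
    if ($RuleName -notmatch '\A[A-Za-z0-9 _-]+\z') {
        throw "Rule name contains characters that are not allowed here: $RuleName"
    }
    $good = @(); $rejected = @()
    foreach ($line in ($ListText -split '\r?\n')) {
        $entry = $line.Trim()
        if ($entry -eq '') { continue }              # blank lines are not entries
        if (Test-RemoteEntry $entry) { $good += $entry } else { $rejected += $entry }
    }
    $commands = @()
    for ($i = 0; $i -lt $good.Count; $i += $ChunkSize) {
        $last = [Math]::Min($i + $ChunkSize, $good.Count) - 1
        $remote = $good[$i..$last] -join ','
        $commands += 'netsh advfirewall firewall add rule name="{0}" dir=in action=block enable=yes profile=public,private,domain remoteip={1}' -f $RuleName, $remote
    }
    New-Object PSObject -Property @{ Commands = $commands; Rejected = $rejected }
}

# Constructed sample list (documentation address ranges) with four bad lines:
# extra text after the address, an octet above 255, a prefix above 32, an HTML error page.
$sample = @'
192.0.2.0/24
198.51.100.10-198.51.100.20
203.0.113.7

203.0.113.9 action=allow
999.1.1.1
198.51.100.0/40
<html>Service unavailable</html>
'@

$result = New-BlockRuleCommands -ListText $sample -RuleName 'AllSites HTTP CN Block' -ChunkSize 2
$result.Commands      # two commands: review them, then run from an elevated prompt
$result.Rejected | ForEach-Object { Write-Warning "rejected list entry: $_" }
```

A non-empty Rejected list is worth investigating before any rule is added, since it usually means the list provider returned something other than the expected data.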

Windows Server 2008 R2, and Windows 7 Firewall High Memory Usage

Before you go off and run this script a dozen times (one for each website), you need to be aware of one very important fact. The Windows Firewall normally is pretty conservative on memory usage. However, the more rules you add to your firewall, the more memory your firewall will consume. When you run this script it will add about 100 rules to your firewall. If you customize it for each site, you now have 60 rules for each site on your server. After setting up this script with about 6 sites, I noticed some issues. The first was that one of my svchost.exe processes had grown to about 800 MB. This svchost.exe was registered with BFE (Base Filtering Engine), DPS (Diagnostic Policy Service), and MpsSvc (Windows Firewall). I noticed a direct connection between the number of firewall rules and the memory usage of svchost.exe. So if you are going to use this script to add firewall rules, I recommend you only make one set of rules for all your sites. Turns out the Windows Firewall is not a very efficient process. If you do make separate rules, when you reboot your server, you might notice that your svchost.exe is eating up an entire thread of CPU, plus continually growing in size. Mine grew to 1.4 GB of memory usage before the CPU finally stopped, and then the memory usage dropped to 800 MB.

Turns out the problem was that some of the rules on my firewall got corrupted. If you run into this problem, go into your firewall and delete all the rules you imported. Then reboot. After rebooting, check your taskmgr and make sure you don't have a svchost.exe process that is running out of control. If you don't, then all is clear, and you can start reimporting your firewall rules. If you do see it, just wait until it's done running. Eventually (might be 10 - 20 minutes) it will settle down and you can load your firewall control panel. Delete some more rules and reboot again.

Remember that with any request made to your server, every block rule will be evaluated. So if you have 1000 block rules, every rule will be checked, and this can slow your server down a little. Even though I didn't notice any slowdowns on my server (Dual 3.6 GHz Xeon), there is bound to be a slight performance hit.

If you run this with just a single set of rules, the memory usage will stay under 40 MB. So this is just a warning to anyone that decides they are going to setup a custom set of rules for every website on their server.
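
To keep an eye on the rule growth and memory use described above, this added example (not from the original article; the function names are hypothetical) counts the imported block rules and their remote address entries through the firewall's COM interface, and reports the working set of the process that hosts the Windows Firewall service (MpsSvc). It assumes the rule names start with the article's rulename value, "AllSites HTTP".

```powershell
# Added example, not from the article. Function names are hypothetical.

function Get-ImportedRuleSummary {
    param([string]$NamePrefix)
    # HNetCfg.FwPolicy2 is the COM interface to Windows Firewall with Advanced Security.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $summary = @{}
    foreach ($rule in $policy.Rules) {
        if ($rule.Action -ne 0) { continue }                        # 0 = block, 1 = allow
        if (-not $rule.Name) { continue }
        if (-not $rule.Name.StartsWith($NamePrefix)) { continue }   # only the imported rules
        if (-not $summary.ContainsKey($rule.Name)) {
            $summary[$rule.Name] = New-Object PSObject -Property @{
                RuleName = $rule.Name; Rules = 0; RemoteEntries = 0
            }
        }
        # The script adds several rules under one name (one per group of remote IPs),
        # so count both the rules and the addresses they carry.
        $row = $summary[$rule.Name]
        $row.Rules += 1
        $row.RemoteEntries += @($rule.RemoteAddresses -split ',').Count
    }
    $summary.Values
}

function Get-FirewallServiceMemoryMB {
    # MpsSvc runs inside a shared svchost.exe; find that process by the service's PID.
    $svc = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
    if (-not $svc -or $svc.State -ne 'Running') { return $null }
    $proc = Get-Process -Id $svc.ProcessId
    [Math]::Round($proc.WorkingSet64 / 1MB)
}

$rows = @(Get-ImportedRuleSummary -NamePrefix 'AllSites HTTP')
$rows | Sort-Object RuleName | Format-Table RuleName, Rules, RemoteEntries -AutoSize
"Imported block rules: {0}" -f (($rows | Measure-Object Rules -Sum).Sum)
"Firewall service host working set: {0} MB" -f (Get-FirewallServiceMemoryMB)
```

Running it before and after an import gives the two numbers to compare: how many rules were added and how much the service host grew.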

I have attached my original VBS file in a zip. Feel free to download and use this. Also you use this script at your own risk, I am not liable for any damages. Feel free to share this with others who might benefit. And please link to this article to help get the word out.



Discussion

Ivan | May 9, 2011 4:14 AM
Hi! Thanks for the script. I have the problem with running the scripts.

Error:

Line: 80
Char:17
Error: The data area passed to a system call too small
Code: 8007007A
Source: (null)
Mick | May 21, 2011 6:07 PM
Yup same error when run, would be keen for this to work.
Paul | May 21, 2011 6:40 PM
Hey guys,
Thanks for the feedback, I am going to look into why it's causing those errors. I tried using it on my client's Windows Server 2003 VPS and it didn't work, I guess it's only meant to work on Server 2008 variants.
I will update this article after I have made some improvements.
Mick | May 21, 2011 8:14 PM
Thanks Paul, by the way I was trying this on Server 2008 R2  enterprise. I have tried to diagnose it but just not coming up with a solution. The line I think that is in question is:

errorcode = objShell.Run(netshCommand, 1, true)

Cheers
Mick | May 21, 2011 8:45 PM
If you would like me to test anything this end please email at (remove the leading 123)  123mick.bobing@gmail.com
Mick | May 21, 2011 9:07 PM

And here is an interesting note, it worked perfectly on a Win7 machine which is fine but it is Server 2008 I need.

paul | May 22, 2011 5:39 PM
Try to run the script as administrator
right click on the file - > run as Administrator

I know the script works on Windows 7 and Server 2008 R2 as that is what I am running. I read online that Vista seems to have permission issues, and considering that Server 2008 runs the same kernel as Vista this could be the reason it errors.

As a side note I have started to work on a Windows Firewall generator tool, that will allow people to select what countries they want to block and auto generate the script.  It will take me a couple weeks to complete the tool, as I have other projects I have to focus on right now. 
Mick | May 27, 2011 7:25 PM
There was a mistake in my name by the way ... no g before @

Also there is no right click option to run as administrator on .vbs files it seems... not sure why.
Tamir | Jun 21, 2011 1:57 AM
Great  article Paul ,
Question , is there a way of blocking all protocols and ports and not just port 80 and 443 ?

Tamir
paul | Jun 21, 2011 11:05 AM
Tamir,
Yes, just remove the section from the script that specifies the Ports.  Then it will automatically block all ports.
Keith | Jun 30, 2011 3:11 AM
Excellent thanks for this article, I've implemented it on a WS2008R2 web server that was getting hammered by bots.

I'm now keen to get this onto another server I have which is running WS2003R2, will this script work? I know the netsh advfirewall would need to be changed to suit 2003, but not sure what else.

Thought I would ask in case someone else has already done this and can tell me which lines need changing. If not I will try play around and see what I can do.

Thanks
Paul | Jul 1, 2011 3:20 PM
Keith,
I know this doesn't work with server 2003, as I tried it, and got an error message. I have one client that gets bombed with crap from foreign IPs, and is on a server 2003 VPS.  If I figure out how to get it working I will post another blog entry for that specifically.

Also just a note. On the 29th June I added some new firewall rules for one of my websites, I also ran defrag, and did Windows updates (1 critical update, 2 optional). Then at 5AM on the morning of the 30th of June, my system ran Windows Backup (as it was scheduled). My backup drive was full, which normally shouldn't be a problem as the system should delete the oldest backup and then write the new one. But instead it wrote an error to my system logs saying E Drive full. By 6AM my server was deadlocked, and I had to have the datacenter reboot it. After a reboot I could get in, but none of my websites would come up, and I noticed that I had a Svchost.exe file that was eating up 24% of my CPU (1 entire core), and quickly growing in size. After about 30 minutes, it had grown to 1.3 GB in size, but then it stopped eating up CPU and my websites were once again accessible. The memory usage dropped to about 800 MB, but still that is way high for this process. I was able to determine that this process was directly tied to the firewall. When I tried to kill the task and all underlying processes, I lost connection with my server. After about 15 minutes I was able to get back in again.

What I did to get things back to normal was uninstall the three most recent updates. Next I manually, with the command line, deleted most of my older system backups, which helped to free up about 400 GB on my backup drive. Then I deleted the latest firewall rules I had added the previous day. After this everything seems to be back to normal, except that one process for the firewall is still taking up 800 MB. I am tempted to reboot to see if it goes away, but I don't want to piss off my clients who already were down for a few hours this day.

So for anyone else that notices their Svchost.exe eating up CPU and high memory usage, just wait, eventually it will settle down and you should be able to get into your firewall and undo what you did. I have to say this was a very scary day. The last thing I wanted to do was have to reinstall my whole OS, and reconfigure everything off a system backup. I was tempted to make a new blog post about this, but I felt since it was related to the firewall it would be better here.
Mick | Jul 1, 2011 6:58 PM
Paul, as I said the script worked fine on Win 7 but failed on 2008 R2. I notice that the firewalls on each OS are slightly different. For instance I can cut and paste rules on my Win 7 ADV but this function is not available in 2008. Likewise, I can select multiple rules and export those specific rules to a text file in Win 7 but that function doesn't exist in 2008. Also I am using 2008 as a Domain Controller, is that the function of your 2008 box ? I am wondering as to whether this has any bearing on the problem.
Paul | Jul 1, 2011 7:16 PM
Mike,
Something sounds very different about your install of Windows Server 2008 R2.  Here is how I have my servers setup
if you open the Server Manager you will see a few sub sections.  This is what I have under each
Roles
- Web Server IIS
Features
- Remote Server Administration Tools
 - -Role Administration Tools
- - - Web Server (IIS) Tools
Windows Process Activation Service
- Process model
- .NET Environment
- Configuration APIs
Windows Server Backup Features
- Windows Server Backup
.Net Framework 3.5.1 Features
- .Net Framework 3.5.1
- WCF Activation
- - HTTP Activation
- - Non-HTTP Activation

My Server is running IIS 7.5 to host websites
SmarterMail for SMTP and POP
MySQL for Database

All my clients have their domains registered on Godaddy and I keep the DNS management on Godaddy as well.

Are you sure you are running 2008 R2 and not just 2008?  2008 had the Vista Kernel, while R2 has the Windows 7 Kernel.
Keith | Jul 14, 2011 9:05 PM
Thanks Paul,

I just had an "of course this won't work" moment :-)
The WS2003 firewall works completely different and I don't think there is a way to block IPs or blocks of IPs anyway, you can really just allow exceptions.

So I went searching again and found this cool little tool:
http://www.hdgreetings.com/other/Block-IP-IIS/

I've ran it up on my test server and it seems to do the job rather nicely :-)
Will play around with it further and look at adding other country blocks and see how it goes, might look at running it soon on the prod box.

Anyway, hope this might help others looking to do this with WS2003 and will report back if I find any major issues with it.

Cheers
Keith
paul | Jul 18, 2011 1:54 PM
Guys,
I have updated my script to be a little easier to modify. I also included the original source, so you don't have to copy and paste from my blog. This still will only work on Server 2008 R2, and Windows 7. Also please read about the memory usage issues with the Windows Firewall. Seems that the more rules you add to your firewall, the bigger your svchost.exe will get. Any questions let me know.
Mick | Jul 18, 2011 4:04 PM
Paul, I have something to admit, you are right. I could have sworn I had R2, so convinced in fact that I didn't bother double checking. But now I have .... well I must eat humble pie ... alas no R2. What a silly sausage !
Thomas | Aug 5, 2011 3:37 PM
This script works great on 2008 R2.  I removed the references to local ip, protocol and local ports to block so the rules created a block rule for destination ip "any" destination port "any", and protocol "any" by removing the following two strings:
& " localport=" & serverPorts & " protocol=tcp"
localip=" & serverIPs & "

Thank you, this saved me so much time!

Pete | Sep 28, 2011 3:12 PM
Paul,  can you comment on what Thomas did as far as the modifications are concerned?  Will his modifications increase memory usage?  Thanks.
Paul | Sep 28, 2011 3:33 PM
@Pete,
Yes what Thomas did does help the memory usage issue.  I actually have done the same thing with my own server.  I am starting to think that the memory issue was not so much too many rules, but rather a couple of corrupt rules that caused the huge memory leak.  After I deleted all Deny Rules, and recreated them, the memory issue went away.  I am updating the article with the VBS file you can download and edit in notepad, then run on your server.  My memory usage is now under 30 MB for the firewall.


Pete | Sep 28, 2011 5:23 PM
His version removes specifying a protocol (He said any).  How does that translate into memory usage? Does it increase protection or is it not necessary?
Paul | Sep 28, 2011 6:13 PM
@Pete
The rules have various options, Local IPs, Ports, external IPs, etc.
Basically the more stuff you filter by, the more memory it will use. Think of it like SQL queries. The more stuff you have in your WHERE statement, the more indexes you need for that query and thus more memory.

Unless you have a specific reason to allow / block certain protocols, just block everything by IP. The way I look at it, if you don't want an IP to view your website, you probably don't want them to SSH, Telnet, RDP, SMTP, POP, or anything else. It takes less memory to block all ports, than it does to block specific ports.

So to answer your question.  Yes not specifying ports or protocols will increase protection. 

Download the latest script ( I just updated it today ), and use that as your template.  Edit it as needed, then run it.  Hope this helps
Pete | Sep 28, 2011 6:47 PM
Thank you very much Paul.  This would help improve protection for my server. Cheers
Pete | Oct 1, 2011 10:43 PM
Paul, thanks for the script.  It's working out well.  I found this list of anonymous proxies
that I want to add to the firewall.  I have a text file with each ip address on its own line.  Are custom lists possible with this script?  Thanks.




Paul | Oct 2, 2011 1:12 AM
@Pete
yes custom lists are possible, you just have to put your list on a server, then change the URL that the script pulls its data from to be from your list instead.
Pete | Oct 3, 2011 9:33 PM
Hi Paul.  I was able to import the custom lists just fine.  One question though.  Although I have Russia in my list, I saw this IP in my logs.  46.8.158.117  Did I do anything incorrect?  Thanks.
Paul | Oct 3, 2011 9:40 PM
You did everything right, it looks like IPdeny doesn't have that IP block added to their russian IP list yet.  Hopefully they add it soon. 
Pete | Oct 3, 2011 10:10 PM
Thanks for the quick reply. I looked at some other sites that offer lists (IPdeny, countryipblocks) and I found one provided by ip2location and find-ip-address that included the aforementioned IP block. I just thought I'd share. Is there a particular reason for picking ipdeny.com? Please don't get offended. I was just wondering.
Paul | Oct 3, 2011 10:23 PM
@ Pete
The original script used ipdeny, so I just stuck with it. I checked out the links, and find-ip-address and ip2location don't have a direct URL that pulls the raw data. The idea behind the script is so you can run it, and it will automatically update your rules with the latest data from IPdeny. Plus IPdeny is free. I am very open minded to customizing the script to pull data from other sources, it's just a matter of finding a data source that is free.
Pete | Oct 3, 2011 11:51 PM
Thanks for the info Paul.  That question was more out of curiosity.  I was able to get custom lists to work so any source uploaded to a personal site should work with the script.  I just thought I'd let you know of the missed IP block so you can add that to your firewall rules.  Thanks again.
Pete | Oct 21, 2011 8:48 PM
Hi Paul.  It's me again.  The script is working well although I was just thinking.  I've been constantly adding more and more countries. Since most of the people that visit the site are from the United States and Canada,  how would a block all except these two countries perform?  Could you give me some tips on how to modify the script correctly?  Thanks.
Paul | Oct 21, 2011 9:07 PM
It's not 100% but the easiest way is to block them by Registry.
Check out the IANA IPv4 address registry

then create rules to block connections from AfriNIC, RIPE, APNIC, LACNIC.
You basically will have a bunch of rules for various /8 blocks.
I used to use this setup, but recently I got more focused on blocking only certain countries rather than entire continents.
Doug Wulff | May 8, 2012 8:52 PM
If you are an enterprise and want to block the over 80% of fraud and DDoS attacks that originate from foreign countries they make an in-line appliance to block countries by IP address . I agree it only makes sense that if you don't do business in foreign countries, why be open to attack?
Rick E | Aug 6, 2012 10:06 AM
This Rocks, I actually needed it to block IPs for an open terminal server. Thanks for the awesome script.
Ran around 10mins @50%CPU on a QuadCore Xeon 3.6Ghz VMWare Server 2008R2
Justin | Aug 18, 2012 8:00 AM
I am getting an error that the system cannot locate the resource specified. Source is msxml3.dll
Patrick | Aug 21, 2012 12:26 PM
Paul, what a life changer this script is. I am using this to block ports 25 and 587 on our client facing mail server. I cannot see any difference, on the server load, with the additional rules (it's a fairly beefy server).

I am using the same countries, you have listed in your example, with no local IP and the script executed in less than a minute (Server 2008 R2 Ent with 2 x E5620 Xeon and 16GB of RAM). 

Adding these, to our managed firewall, would have added unnecessary strain on the device. Immediately after running the script, all failed authentication connections stopped (hack attempts).

Thanks for posting this!! 
Paul | Aug 21, 2012 12:35 PM
@ Patrick
Glad the script helped.
My original Source for the IPs was IPDeny.com  which went off line temporarily.  They are back up now, and their list is a more updated IP list.  I will update this page soon to include both scripts.
Patrick | Aug 22, 2012 10:12 AM
@Paul - That would be fantastic. I noticed today, when reviewing the logs, that the list from IPInfoDB is not that complete. 

For example, I am seeing connections from 125.44.215.240, which is clearly China. However, this IP is not in the China ranges from IPInfoDB. 
Guido | Oct 15, 2012 5:19 AM
Hello,
first : nice script!
I want to use this script to add the same rules in the firewall OUT.
So if the server or PC has a virus and wants a connection to China it will be blocked.
(Is this needed anyway?)

I changed the script but it adds just 1 IP block to the firewall OUT.
Here are the things I changed:


       '########################################################################
       'If we have reached our limit then push the IN rule to the firewall
       '########################################################################

       if current = percommand Then
        netshCommand = "NETSH advfirewall firewall add rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34) & " dir=In  action=Block Enable=yes profile=public,private,domain remoteip=" & ipList & ""
                errorcode = objShell.Run(netshCommand, 1, true)
        current = 0
        iplist = ""
       End If
   
   
       '########################################################################
       'If we have reached our limit then push the OUT rule to the firewall
       '########################################################################

       if current = percommand Then
        netshCommand = "NETSH advfirewall firewall add rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34) & " dir=OUT  action=Block Enable=yes profile=public,private,domain remoteip=" & ipList & ""
                errorcode = objShell.Run(netshCommand, 1, true)
        current = 0
        iplist = ""
       End If

    NEXT
   
   
    '########################################################################
    'Add any left over IPs IN RULE
    '########################################################################

    if current > 0 Then
        netshCommand = "NETSH advfirewall firewall add rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34) & " dir=In  action=Block Enable=yes profile=public,private,domain remoteip=" & ipList & ""
                errorcode = objShell.Run(netshCommand, 1, true)   
    End If

    '########################################################################
    'Add any left over IPs OUT RULE
    '########################################################################

    if current > 0 Then
        netshCommand = "NETSH advfirewall firewall add rule name=" & chr(34) & rulename & " " & url & " Block" & chr(34) & " dir=OUT  action=Block Enable=yes profile=public,private,domain remoteip=" & ipList & ""
                errorcode = objShell.Run(netshCommand, 1, true)
    End if



Dave | Dec 6, 2012 11:47 AM
Yesterday I tweaked the script to block China and ran it on my W7 Laptop and it worked no problem. I then ran it on our server and seems we have the Windows Server 2008 standard so it did not work.

No problem I exported the rules from my laptop to a text file. I Isolated the IP ranges and created a simple text file with the netsh advfirewall command to enter the rules on the server. This created the rule and everything looked good.

Today I noticed a RDP hacking attempt. I traced the IP and it said Beijing China. Well I just blocked all of china yesterday. So I looked on my firewall rules and sure enough that range is missing.  

I think that both IPdeny.com and ipinfodb.com need to update their databases.

http://www.ipaddresslocation.org/ip_ranges/get_ranges.php is listing way more IP Addresses for China than either one of those two are.

ipinfodb.com is closer to correct but is still off.

Thank you still for the script, it did point me in the right direction.

Dave
WebShopDesigners | Apr 25, 2015 3:11 PM

Prevent your server with Windows Firewall to block Semalt, Fraud countries, hackers, spam and more...
I have a Windows server with several webshops and is focused on the European and US/Canadian market.
Every day my server is attacked by hackers and spammers mostly from fraud countries.
Now you can easily protect your Windows server with this very simple script against it.
You can block a country and/or countries/continents with it.
Most fraud countries are on the list and you can add more or remove them.
You can use this script for Windows 7, 8 and 8.1 systems.
Download the RAR file (protect_your_server.rar) from:
http://stackoverflow.com/questions/29865928/windows-firewall-to-block-semalt-fraud-countries-spam-and-more
Insert here also your comments and/or new ideas, please
I hope that I can make a lot of people happy with this script!

Paul | Apr 26, 2015 12:21 PM

WebShopDesigners

You might want to make a video tutorial on how to install the script, and monitor what it is blocking, as the setup is a little more involved than most people are used to. I also would want to see some performance metrics compared to traditional firewall rules. I am very wary of trusting any DLL that I don't know what's on the inside. For all I know that DLL is also doing other malicious things. The fact that your email had a .NL at the end makes me not trust you by default, as all traffic I have ever received from that country has been malicious in intent.

Paul B | Apr 20, 2016 12:37 PM

I have to apologize and I am just a user.

When I run this script as administrator on a Windows 8.1 OS, I get the "error getting to URL: XX" dialog.

Is this something I can resolve?

Thanks 

Paul | Apr 20, 2016 9:30 PM

Hey Paul

The script only works in Windows 7 and Windows server 2008 R2.  I had to modify it to work with windows server 2012 r2 ( windows 8.1 ).  I will email you a copy of the updated script. I haven't had time to add it to my blog.

David M | Nov 11, 2016 6:59 AM

I too am getting the message "ERROR GETTING TO URL: XX" but using Windows 2008 R2. Would it be possible to get an updated script?
