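# -------------------------------------------------------
# Load mell path: \\SDC01\Documents\mrosandich\Documents\WindowsPowerShell\Modules\Load-Mell\load-mell.psm1
# (The two lines above were bare text in the original; if this file is run as-is PowerShell
# parses them as commands and reports "not recognized" errors before anything else happens.)
#
# Both imports pull the module over SMB. \\tsclient\C is the redirected drive of whichever RDP
# client is connected, so that line runs whatever load-mell.psm1 is on the connecting workstation
# with the rights of the server session. Only import from a location you alone can write to.
Import-Module Load-Mell -DisableNameChecking
Import-Module \\tsclient\C\Users\mrosandich\Desktop\PSM1\Load-Mell\Load-Mell -DisableNameChecking
# Banner printed at import time; it repeats what Load-Mell prints on demand. Check-Ports takes -port,
# and Check-Spamhaus is listed once (the original listed it twice).
Write-Host " _____ .__ .__ .____ .___ .___._."
Write-Host " / \ ____ | | | | | | _________ __| _/____ __| _/| |"
Write-Host " / \ / \_/ __ \| | | | | | / _ \__ \ / __ |/ __ \ / __ | | |"
Write-Host "/ Y \ ___/| |_| |__ | |__( <_> ) __ \_/ /_/ \ ___// /_/ | \|"
Write-Host "\____|__ /\___ >____/____/ |_______ \____(____ /\____ |\___ >____ | __"
Write-Host " \/ \/ \/ \/ \/ \/ \/ \/"
Write-Host "---------------------------------------------------------------------------"
Write-Host "Commands:"
Write-Host "Add-WhiteListIP -client pleskname -service mysql -ip x.x.x.x"
Write-Host "Add-WhiteListIP -domain pleskname.com -service mssql -ip x.x.x.x"
Write-Host " "
Write-Host "Check-Ports -ip x.x.x.x -port 25"
Write-Host "Check-Ports -ip x.x.x.x -port common"
Write-Host "Check-Ports -ip x.x.x.x -port `"25,51,80`""
Write-Host "Check-Ports -ip x.x.x.x -port `"email,51,80`""
Write-Host " "
Write-Host "Check-RDPLogins -days 10"
Write-Host "Check-RDPLogins -hours 12"
Write-Host "Check-RDPLogins -hours 12 -failed"
Write-Host " "
Write-Host "Check-Spamhaus -ip 8.7.5.6"
Write-Host "Check-Spamhaus -ip ifaces"
Write-Host " "
Write-Host "Delete-SpamSmarterMail -action show|delete -pattern `"*v_i_a-g-r-a*`" -directory path -check eml|hdr"
Write-Host " "
Write-Host " ---------- End of Load-Mell commands ---------- "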
########################################################################
#Load-Mell
# Version 1.0
# Created by: Mell Rosandich
########################################################################
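function Load-Mell {
<#
.SYNOPSIS
Prints the banner and the list of commands in this module
.DESCRIPTION
Prints a quick reference for the commands defined in this module. It does not import anything;
the functions are already in scope once the module is loaded.
Commands listed:
Add-WhiteListIP
Check-Ports
Check-RDPLogins
Check-Spamhaus
Delete-SpamSmarterMail
.EXAMPLE
Load-Mell
.NOTES
Output goes to the host via Write-Host, so it cannot be captured by piping.
#>
[CmdletBinding()]
param (
)
PROCESS{
# Check-Ports' parameter is -port (the old banner said -ports, which the function did not accept),
# and Check-Spamhaus is listed once.
Write-Host " _____ .__ .__ .____ .___ .___._."
Write-Host " / \ ____ | | | | | | _________ __| _/____ __| _/| |"
Write-Host " / \ / \_/ __ \| | | | | | / _ \__ \ / __ |/ __ \ / __ | | |"
Write-Host "/ Y \ ___/| |_| |__ | |__( <_> ) __ \_/ /_/ \ ___// /_/ | \|"
Write-Host "\____|__ /\___ >____/____/ |_______ \____(____ /\____ |\___ >____ | __"
Write-Host " \/ \/ \/ \/ \/ \/ \/ \/"
Write-Host "---------------------------------------------------------------------------"
Write-Host "Commands:"
Write-Host "Add-WhiteListIP -client pleskname -service mysql -ip x.x.x.x"
Write-Host "Add-WhiteListIP -domain pleskname.com -service mssql -ip x.x.x.x"
Write-Host " "
Write-Host "Check-Ports -ip x.x.x.x -port 25"
Write-Host "Check-Ports -ip x.x.x.x -port common"
Write-Host "Check-Ports -ip x.x.x.x -port `"25,51,80`""
Write-Host "Check-Ports -ip x.x.x.x -port `"email,51,80`""
Write-Host " "
Write-Host "Check-RDPLogins -days 10"
Write-Host "Check-RDPLogins -hours 12"
Write-Host "Check-RDPLogins -hours 12 -failed"
Write-Host " "
Write-Host "Check-Spamhaus -ip 8.7.5.6"
Write-Host "Check-Spamhaus -ip ifaces"
Write-Host " "
Write-Host "Delete-SpamSmarterMail -action show|delete -pattern `"*v_i_a-g-r-a*`" -directory path -check eml|hdr"
Write-Host " "
Write-Host " ---------- End of Load-Mell commands ---------- "
}#end process
}#end Load-Mell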
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Check-Ports
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
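function Check-Ports {
<#
.SYNOPSIS
Checks the port or ports of a local or remote host
.DESCRIPTION
This is used to check if a port is open on a local or remote host. You can specify 1 or many.
Each port gets a plain TCP connect with a 4 second timeout; nothing is sent once connected, so
"Good!" only means something accepted the connection, not that the expected service is behind it.
The port list may mix numbers, the service names from the table in the code (MySQL, RDP, ...) and
these group verbs:
Verb Ports
common 21,22,23,25,53,80,110,115,143,443,1443,3306,3389,8172,8306,8443
all 21,22,23,25,26,43,53,67,80,110,115,123,135,137,143,161,443,445,465,993,995,1443,3306,3389,8172,8443
email 25,26,110,143,465,993,995
mail 25,26,110,143,465,993,995
db 3306,1443
vpn 1701,1723
Verbs and names are matched as whole, case-insensitive tokens, so "MSSQL" is 1443 and is never
confused with "SSL" (443), and "8080" is never shortened to "80".
.PARAMETER ip
This is optional. Not setting will use local host. Several hosts may be given; each gets its own table.
.PARAMETER port
This is optional (alias -ports). Not setting will use the common ports for windows. You can specify just 1 port, a list "25,90", a service name, or a verb such as vpn
.EXAMPLE
check ports on a remote host for common ports
Check-Ports -ip 192.168.1.1 -port common
.EXAMPLE
Check ports 80 and 25
Check-Ports -ip 192.168.1.1 -port "25,80"
.EXAMPLE
Check ports 25 and vpn ports
Check-Ports -ip 192.168.1.1 -port "25,vpn"
.NOTES
Any list of ports must be in quotes "25,vpn". Only probe hosts you are authorised to scan.
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[string[]]$ip,
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[Alias("ports")]
[string[]]$port
)
PROCESS{
if( -not $ip ){Write-Host "IP not specified -ip: using localhost";$ip="localhost"}
if( -not $port ){Write-Host "Port not specified -port: using common";$port="common"}
# Port number -> service label. Kept global for compatibility with anything that read it before.
$global:aPortmaps = @{8443="Plesk";8306="PSA";8172="WebMatrix";3389="RDP";3306="MySQL";1443="MSSQL";1723="PPTP";1701="L2TP";995="POP3-Secure";993="IMAP-Secure";465="SMTP-Secure";445="ActiveDir";443="SSL";161="SNMP";110="POP";115="SFTP";123="NTP";135="RPC";137="NetBios";143="IMAP";21="FTP";22="SSH";23="TelNet";25="SMTP";43="WHOIS";53="DNS";67="DHCP";80="WEB";26="SMTP-ALT";}
# Group verbs -> comma separated port lists.
$portGroups = @{
"common"="21,22,23,25,53,80,110,115,143,443,1443,3306,3389,8172,8306,8443";
"all"="21,22,23,25,26,43,53,67,80,110,115,123,135,137,143,161,443,445,465,993,995,1443,3306,3389,8172,8443";
"email"="25,26,110,143,465,993,995";
"mail"="25,26,110,143,465,993,995";
"db"="3306,1443";
"vpn"="1701,1723"
}
# Lower-cased service label -> port number, for name tokens such as "mysql".
$nameToPort = @{}
foreach ($number in $global:aPortmaps.Keys){ $nameToPort[$global:aPortmaps[$number].ToLower()] = $number }
# Turns the raw comma list into individual port tokens. Each token is matched whole against the
# group verbs, then the service names, and is otherwise passed through as typed. The previous
# implementation ran substring Replace() over the whole list in hashtable order, which could turn
# "MSSQL" into "MS443" or mangle "8080" via "80".
function ExpandPortTokens([string]$rawList){
    $expanded = @()
    foreach ($token in $rawList.Split(",")){
        $key = $token.Trim().ToLower()
        if( $key -eq "" ){ continue }
        if( $portGroups.ContainsKey($key) ){ $expanded += $portGroups[$key].Split(",") }
        elseif( $nameToPort.ContainsKey($key) ){ $expanded += [string]$nameToPort[$key] }
        else { $expanded += $token.Trim() }
    }
    return ,$expanded
}
# Service label for the table, or "---" when the port is not in the map.
function NiceNames([int]$number){
    if( $global:aPortmaps.ContainsKey($number) ){ return $global:aPortmaps[$number] }
    return "---"
}
# TCP connect to $srv:$port with a timeout in milliseconds. $true only if the connect completed;
# a timeout, refusal or unreachable host all give $false. The socket is always closed.
function TestIConnections([string]$srv,[int]$port=135,[int]$timeout=3000){
    $tcpclient = $null
    try{
        $tcpclient = New-Object System.Net.Sockets.TcpClient
        $iar = $tcpclient.BeginConnect($srv,$port,$null,$null)
        if( -not $iar.AsyncWaitHandle.WaitOne($timeout,$false) ){ return $false }   # timed out
        $tcpclient.EndConnect($iar) | Out-Null   # throws when the connect failed
        return $true
    }
    catch{
        return $false
    }
    finally{
        if( $tcpclient ){ $tcpclient.Close() }
    }
}
# "-port 25,80" arrives as two strings; joining with "," keeps it equivalent to "25,80".
$tokens = ExpandPortTokens ($port -join ",")
foreach ($targetHost in @($ip)){
    Write-Host " "
    if( @($ip).Count -gt 1 ){ Write-Host "Host:" $targetHost }
    Write-Host "Port `t Service Name `tStatus"
    Write-Host "------------------------------------"
    foreach ($token in $tokens){
        $portNumber = 0
        # Only a whole number in the TCP range is probed; the old "[0-9]" test accepted "25 80" and "1abc".
        if( [int]::TryParse($token,[ref]$portNumber) -and $portNumber -ge 1 -and $portNumber -le 65535 ){
            $isOpen = TestIConnections $targetHost $portNumber 4000
            $label = NiceNames $portNumber
            if( $label.Length -le 5 ){ $label = $label + "`t" }
            if( $isOpen ){
                Write-Host $token "`t" $label "`tGood!" -foregroundcolor Green
            }else{
                Write-Host $token "`t" $label "`tBAD!" -foregroundcolor Yellow
            }
        }
        else
        {
            Write-Host $token "is not recognized"
        }
    }
}
}#end process
}#end Check-Ports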
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Add-WhiteListIP
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
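function Add-WhiteListIP {
<#
.SYNOPSIS
Add a ip address to the whitelist and updates firewall
.DESCRIPTION
Looks up the Plesk client that owns -domain (or whose login is -client) through dbclient.exe, makes
sure the client exists in the hgclient database (add-hgclient), adds -ip to the MySQL or MSSQL
whitelist for that client (Add-Whitelist) and pushes the new rule set (Push-Firewall).
add-hgclient, Add-Whitelist and Push-Firewall are defined outside this module.
Sample: Add-WhiteListIP -ip 8.8.8.8 -service MySQL -domain test.com
.PARAMETER ip
Required. A literal IPv4 or IPv6 address to be added to the firewall. Anything that does not parse as an address is rejected.
.PARAMETER service
Required Service name: MySQL MSSQL
.PARAMETER domain
Clients domain. Used to lookup the client ID. Letters, digits, '.' and '-' only.
.PARAMETER client
Client user name. Used to look up the client ID. Letters, digits, '.', '_', '@' and '-' only. Ignored when -domain is given.
.EXAMPLE
Add the IP address 8.8.8.8 to the firewall for MySQL client id that owns test.com
Add-WhiteListIP -ip 8.8.8.8 -service MySQL -domain test.com
.EXAMPLE
Add the IP address 8.8.8.8 to the firewall for MSSQL client id that uses testpleskid
Add-WhiteListIP -ip 8.8.8.8 -service MSSQL -client testpleskid
.NOTES
-domain and -client are spliced into SQL text handed to dbclient.exe --direct-sql, which has no
parameter binding; the character allow-lists above are what keeps a crafted value from rewriting
the statement. Anyone who can run this command can open the database firewall for any client.
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]]$ip,
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]]$service,
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[string[]]$client,
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[string[]]$domain
)#End param
PROCESS{
[string]$domain = $domain;
[string]$client = $client;
[string]$ip = $ip;
[string]$service = $service;
$global:ServiceName = $service.ToLower()
if( $global:ServiceName -ne "mysql" -and $global:ServiceName -ne "mssql"){Write-Host "-service must be MySQL or MSSQL. help for more information";return}
# The address goes straight into a firewall rule, so only a literal IP is accepted (no host names, no CIDR).
$parsedIp = $null
if( -not [System.Net.IPAddress]::TryParse($ip,[ref]$parsedIp) ){Write-Host "-ip must be a literal IP address, got:" $ip -foregroundcolor Yellow;return}
# -domain / -client end up inside SQL text for dbclient.exe, which offers no parameter binding.
# An allow-list of characters is the only protection against a quote or semicolon rewriting the
# statement. Widen the classes if your Plesk logins or domain names legitimately use other characters.
if( $domain -ne "" -and $domain -notmatch '^[A-Za-z0-9][A-Za-z0-9.\-]*$' ){Write-Host "-domain may only contain letters, digits, '.' and '-':" $domain -foregroundcolor Yellow;return}
if( $client -ne "" -and $client -notmatch '^[A-Za-z0-9][A-Za-z0-9._@\-]*$' ){Write-Host "-client may only contain letters, digits, '.', '_', '@' and '-':" $client -foregroundcolor Yellow;return}
if( $domain -eq "" -and $client -eq "" ){Write-Host "Either -domain or -client is required. help for more information";return}
#Information Retrieved about the User
[string]$global:cmdflag_domain = $domain
[string]$global:cmdflag_client = $client
[string]$global:ClientID = $null
[string]$global:ClientName = $null
[string]$global:ClientCName = $null
[string]$global:ClientEmail = $null
[array]$global:DomainsNames = $null
[array]$global:DomainsIDs = $null
#Internal Vars
$global:g_BinPath = $Env:plesk_bin + '\dbclient.exe'
# Runs one statement through Plesk's dbclient and returns its output lines (never $null).
# The exe is called directly with the statement as one argument instead of going through
# Invoke-Expression, which re-parsed a command string that contained caller-supplied text.
function RunPleskSql([string]$sql)
{
    return @(& $global:g_BinPath --direct-sql "--sql=$sql")
}
# Reads one column of the clients row for $global:ClientID. dbclient prints whitespace-separated
# columns, so the line is split once and the remainder is the value.
function ReadClientColumn([string]$column)
{
    $value = $null
    foreach ($row in (RunPleskSql "select id,$column from clients where id='$global:ClientID';"))
    {
        $cells = $row.split('',2)
        if( $cells.Count -ge 2 -and $cells[0] -eq $global:ClientID ){ $value = $cells[1].trim() }
    }
    return $value
}
# Resolves $global:ClientID from -domain (preferred) or -client, then fills in login, domains,
# name, company and email. Returns $True only when a usable (non-zero) client id was found.
function GetClientInfo()
{
    if( $global:cmdflag_domain -ne "" )
    {
        Write-Host "Searching Domain" $global:cmdflag_domain
        foreach ($row in (RunPleskSql "select cl_id,name from domains where name='$global:cmdflag_domain';"))
        {
            $cells = $row.split()
            if( $cells.Count -ge 2 -and $cells[1] -eq $global:cmdflag_domain ){ $global:ClientID = $cells[0].trim() }
        }
        # [string] variables are never $null, so the old "-eq $null" test could not fire.
        if( $global:ClientID -eq "" )
        {
            Write-Host "Could Not Find Domain" -foregroundcolor Yellow
            return $False
        }
    }
    elseif( $global:cmdflag_client -ne "" )
    {
        Write-Host "Searching Client" $global:cmdflag_client
        foreach ($row in (RunPleskSql "select login,id from clients where login='$global:cmdflag_client';"))
        {
            $cells = $row.split()
            if( $cells.Count -ge 2 -and $cells[0] -eq $global:cmdflag_client ){ $global:ClientID = $cells[1].trim() }
        }
        if( $global:ClientID -eq "" )
        {
            Write-Host "Could Not Find Client" -foregroundcolor Yellow
            return $False
        }
    }
    # Every statement below keys on the id. Plesk ids are integers (the old code already compared
    # against 0), so anything else read back from the database is refused rather than re-used in SQL.
    if( $global:ClientID -notmatch '^[0-9]+$' -or $global:ClientID -match '^0+$' )
    {
        Write-Host "No usable client id found" -foregroundcolor Yellow
        return $False
    }
    Write-Host "Found Client ID:" $global:ClientID
    # Canonical login, shown in the summary as "Search Client used"
    foreach ($row in (RunPleskSql "select login,id from clients where id='$global:ClientID';"))
    {
        $cells = $row.split()
        if( $cells.Count -ge 2 -and $cells[1] -eq $global:ClientID ){ $global:cmdflag_client = $cells[0].trim() }
    }
    # All domains owned by the client. A row whose first cell is "name" was skipped before too
    # (presumably dbclient's header line).
    foreach ($row in (RunPleskSql "select name,id from domains where cl_id='$global:ClientID';"))
    {
        $cells = $row.split()
        if( $cells.Count -ge 2 -and $cells[0] -ne "" -and $cells[0] -ne "name" )
        {
            $global:DomainsNames += $cells[0]
            $global:DomainsIDs += $cells[1]
        }
    }
    $global:ClientName = ReadClientColumn "pname"
    $global:ClientCName = ReadClientColumn "cname"
    $global:ClientEmail = ReadClientColumn "email"
    return $TRUE
}
# Checks that Plesk's dbclient.exe is where $Env:plesk_bin says it is.
function CheckForPleskBin(){
    $bValidBin = Test-Path $global:g_BinPath
    # $plain is not defined in this module; the test is kept so a caller that sets it still silences the messages.
    if( !$plain ){
        if( $bValidBin ){write-host "Found Plesk Bin"}
        if($bValidBin -eq $false){write-host "Missing Plesk Bin: Can't continue"}
    }
    return $bValidBin
}
#--------------------------------------------------------------------------------------------
# RUN - TIME!
#--------------------------------------------------------------------------------------------
$FoundPleskBin = CheckForPleskBin
if( $FoundPleskBin ){
    $FoundClientInfo = GetClientInfo #get the information about the client based on -domain or -client
    if($FoundClientInfo)
    {
        if( $global:ClientCName -eq $null -or $global:ClientCName -eq "" ){ $global:ClientCName = "none";}
        Write-Host "Search Domain used:" $global:cmdflag_domain
        Write-Host "Search Client used:" $global:cmdflag_client
        Write-Host "Found Client ID:" $global:ClientID
        Write-Host "Found Client Name:" $global:ClientName
        Write-Host "Found Company Name:" $global:ClientCName
        Write-Host "Found EMail as :" $global:ClientEmail
        Write-Host "-----------------------------------------------";
        Write-Host "performing add-hgclient"
        $DidAdd = add-hgclient -id $global:ClientID -name $global:ClientName -email $global:ClientEmail -company $global:ClientCName
        if( $DidAdd -eq "TRUE" ){write-host "Added client to Database";}else{Write-Host "client was already in Database";}
        $AddFirewall = Add-Whitelist -id $global:ClientID -servicename $global:ServiceName -ip $ip
        Write-Host "Added firewall:" $AddFirewall
        $PushFirewall = Push-Firewall
        Write-Host "Pushing new firewall rules:" $PushFirewall
    }
}
}#end process
}#end Add-WhiteListIP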
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Delete-SpamSmarterMail
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
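function Delete-SpamSmarterMail {
<#
.SYNOPSIS
Deletes emails from the smartermail spools that contain spam based on -pattern. This will delete both files of an email (.eml, .hdr)
.DESCRIPTION
The Delete-SpamSmarterMail is used to search through file types .eml and .hdr and match each line against a
regular expression. If the regular expression matches, the 2 files for that message will be deleted when you
are using the action delete. The only optional parameter is directory. When not set it will use whatever
directory you are in. This is recursive, so if you use it in the main spool directory it will search
subdirectories as well.
Sample: Delete-SpamSmarterMail -pattern ".*me@me\.com.*" -check hdr -action delete
.PARAMETER directory
This is optional. Not setting this will check the current working directory. Otherwise specify path to spools or spool sub folder
.PARAMETER check
This is either eml or hdr. This is what file part of the email will be checked against the pattern
an example of this: -check eml
.PARAMETER pattern
This is the regex that will be used to check a file for a match. This will be matched in the file type passed in check.
an example of this: -pattern ".*vigra.*"
.PARAMETER action
What to do with the emails that are found: show or delete. Show is non destructive and will list each file found as spam and stop after 20
This is basically used to test your pattern
.EXAMPLE
Check email header for the address
Delete-SpamSmarterMail -pattern ".*me@me\.com.*" -check hdr -action delete
.EXAMPLE
Check email message for the word viagra and delete them.
Delete-SpamSmarterMail -pattern ".*vigra.*" -check eml -action delete -directory "c:\smartermail\spool"
.NOTES
This is recursive so make sure you use the correct directory. -action delete is irreversible; run -action show
with the same pattern first. Files are matched by extension and removed with -LiteralPath, so wildcard
characters in a spool file name cannot widen what gets deleted.
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[AllowEmptyString()]
[string[]]$directory,
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]]$pattern,
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]]$check,
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]]$action
)#End param
PROCESS{
# Collapse the string[] parameters to plain strings so the comparisons below are scalar.
[string]$patternText = $pattern
[string]$check = $check
[string]$action = $action
[string]$directoryText = $directory
#Give user feed back for switches and help
if( $patternText.length -lt 4){ Write-Host "-pattern is required and should be a regex. help for more information";return}
if( $check -ne "eml" -and $check -ne "hdr"){Write-Host "-check must be hdr or eml. help for more information";return}
if( $action -ne "show" -and $action -ne "delete"){Write-Host "-action must be show or delete. help for more information";return}
# Which extension is scanned and which one is its partner file.
$suffix = "." + $check.ToLower()
$partnerExt = if( $check -eq "hdr" ){ ".eml" }else{ ".hdr" }
# Returns 1 when any line of $path matches the pattern, else 0.
function Test-SpamFile([string]$path){
    foreach( $line in (Get-Content -LiteralPath $path) )
    {
        if ($line -match $patternText){ return 1 }
    }
    return 0
}
if( $directoryText -ne "" ){
    if( Test-Path -LiteralPath $directoryText ){
        $root = (Get-Item -LiteralPath $directoryText);
        write-host "Using -directory Path" $root
    }else{
        Write-Host "Directory specified doesn't exist";
        Write-Host "You Entered: -directory" $directoryText
        Write-Host "Please Try again. You can cd into the spool directory then not specify -directory"
        return;
    }
}
else
{
    $root = (Get-Item -LiteralPath (Get-Location).Path);
    write-host "Using CWD Path" $root
}
$counter = 0
$NotSPam = 0
$isSpam = 0
$shown = 0
#This can take some time to load this object.
# Extension match replaces the old ".*\.hdr" regex, which also matched ".hdr" anywhere in the path.
$files = @(Get-ChildItem -LiteralPath $root.FullName -Recurse | where { !$_.PSIsContainer -and $_.Extension -eq $suffix })
#This stops the division by zero error for some cases
[int]$FileCount = $files.Count
if( $FileCount -lt 1 ){ $FileCount = 1 }
foreach ( $file in $files ) {
    #Since $files might be giant we poll for [control] c between files as well.
    #KeyAvailable throws when there is no console (redirected stdin, scheduled task); then there is nothing to poll.
    try {
        if ([console]::KeyAvailable)
        {
            $key = [console]::ReadKey($true)
            if (($key.Modifiers -band [ConsoleModifiers]::Control) -and ($key.Key -eq [ConsoleKey]::C))
            {
                write-host "Terminating..."
                return
            }
        }
    } catch { }
    $path = $file.FullName
    $counter++
    if( (Test-SpamFile $path) -eq 1 ){
        $isSpam++
        $partner = [System.IO.Path]::ChangeExtension($path, $partnerExt)
        if( $action -eq "delete" ){
            #partner may be missing .eml or .hdr or in use at this time: best effort, move on.
            Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $partner -ErrorAction SilentlyContinue
        }
        else
        {
            Write-Host "Would Delete:" $path
            Write-Host "Would Delete:" $partner
            $shown++
            # The old counter lived inside the per-file helper and was reset every call, so the
            # documented "stop after 20" never happened (and it used exit, which would have closed the session).
            if( $shown -ge 20 ){ Write-Host "Stopping after 20 matches (-action show)"; break }
        }
        write-Progress -activity "Spam: $path" -status "checking emails" -percentComplete ([int](100 * $counter / $FileCount))
    }
    else
    {
        $NotSPam++
        write-Progress -activity "Ignoring $path" -status "No Spam: " -percentComplete ([int](100 * $counter / $FileCount))
    }
}
write-host "Total Not Spam: $NotSPam"
write-host "Total Is Spam: $isSpam"
write-host "--------------------------"
write-host "Total Items: $counter"
}#End process
}#End Function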
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Check-RDPLogins
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
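function Check-RDPLogins {
<#
.SYNOPSIS
List all RDP logins
.DESCRIPTION
This will generate a list of logins recorded in the Security log as event 4624 (or 4625 with -failed)
with LogonType 10 (RemoteInteractive, i.e. RDP) inside the chosen window. No switches is 1 day back.
.PARAMETER days
optional: How many days to go back from now. Default is 1 day. Takes precedence over -hours.
.PARAMETER hours
optional: How many hours to go back from now. no default.
.PARAMETER failed
optional: show only failed logins (event 4625). Default is to show good logins (event 4624)
.EXAMPLE
Check-RDPLogins -days 30
.EXAMPLE
Check-RDPLogins -hours 12 -failed
.NOTES
Pretty output don't pipe. Reading the Security log normally needs administrator rights.
When Network Level Authentication is on, a bad password is commonly rejected before an RDP session
exists and is logged as 4625 with LogonType 3, which this filter does not show, so -failed can
undercount password-guessing against RDP.
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[int]$days,
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[switch]$failed,
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[int]$hours
)#End param
PROCESS{
# Start of the window: -days wins over -hours; neither means 1 day back.
if($days)
{
    [int]$intDays = [int]$days
    Write-Host "Going back $intDays";
    $DT = [DateTime]::Now.AddDays(-1 * $intDays)
}
elseif($hours)
{
    Write-Host "Going back $hours hours"
    $DT = [DateTime]::Now.AddHours(-1 * $hours)
}
else
{
    Write-Host "Days not specified going back 1 day";
    $DT = [DateTime]::Now.AddDays(-1)
}
# EventData offsets: TargetUserName is 5 in both events; IpAddress is 18 in 4624 and 19 in 4625
# (4625 carries Status/FailureReason/SubStatus before LogonType).
if($failed){
    $eventId = 4625
    $IPColmn = 19
    Write-Host "Checking Failed Logins"
}
else
{
    $eventId = 4624
    $IPColmn = 18
    Write-Host "Checking Good Logins"
}
# The time window is part of the XPath so the event service filters the Security log instead of every
# 4624/4625 being handed to PowerShell first; the Where-Object below stays as a second check.
$windowMs = [int64]([DateTime]::Now - $DT).TotalMilliseconds
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventId) and TimeCreated[timediff(@SystemTime) <= $windowMs]] and EventData[Data[@Name='LogonType']='10']]"
# -LogName goes with -FilterXPath; Get-WinEvent reports a non-terminating error when nothing matches,
# so that case is silenced and handled by the empty check.
$evt = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | Where-Object {$_.TimeCreated -ge $DT })
if( $evt.Count -eq 0 ){ Write-Host "No matching logins in that window"; return }
$columns = @(@{n="UserName";e={$_.properties[5].value}},@{n="LogOn";e={$_.TimeCreated}},@{n="IP Address";e={$_.properties[$IPColmn].value}})
$groups = $evt | group {$_.properties[5].value}
Write-Host "Last login for users:"
$groups | Foreach {$_.group[0]} | select -Property $columns
Write-Host " "
Write-Host "List of logins and times:"
$evt | select -Property $columns
}#End Process
}#End Function Check-RDPLogins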
########################################################################
# Check-Spamhaus
# Version 1.0
# Created by: Mell Rosandich
########################################################################
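function Check-Spamhaus {
<#
.SYNOPSIS
Checks an IP address against DNSBLS
.DESCRIPTION
This command will check an IP or all public IPv4 addresses on this host against a list of DNSBLs.
An address is reported as listed when the reversed-octet name resolves to any address in 127.0.0.0/8;
each list encodes its reason in the last octet, so the exact value differs between lists. (The previous
version only recognised 127.0.0.10 and skipped the first list in the table.)
.PARAMETER ip
The IPv4 address you want to check, or ifaces for all IPv4 addresses on the server that are not
private, loopback or link-local.
.EXAMPLE
check an ip address
Check-Spamhaus -ip 8.8.8.8
.EXAMPLE
check all ipv4 address on host
Check-Spamhaus -ip ifaces
.NOTES
Only works for IPv4. Some zones in the table are old and may have been retired; a retired zone that
answers for every name, or a resolver that rewrites NXDOMAIN, shows as "listed" on every query, so a
sudden hit on every list points at the lookup, not the reputation. Spamhaus answers 127.255.255.x for
query errors (open resolver, rate limit) and those are reported separately, not as listings.
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$false,ValueFromPipeline=$true)]
[string[]]$ip
)
PROCESS{
[String]$ip = $ip;
if( $ip -eq "" ){Write-Host "IP not specified: use -ip x.x.x.x or -ip ifaces";return}
# $true for a syntactically valid IPv4 literal.
function IsIPv4([string]$candidate){
    $addr = $null
    if( -not [System.Net.IPAddress]::TryParse($candidate,[ref]$addr) ){ return $false }
    return ($addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork)
}
# RFC1918, loopback and link-local ranges are never on a public DNSBL, so ifaces mode skips them.
function IsPrivateIPv4([string]$candidate){
    $b = [System.Net.IPAddress]::Parse($candidate).GetAddressBytes()
    if( $b[0] -eq 10 ){ return $true }
    if( $b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31 ){ return $true }
    if( $b[0] -eq 192 -and $b[1] -eq 168 ){ return $true }
    if( $b[0] -eq 127 ){ return $true }
    if( $b[0] -eq 169 -and $b[1] -eq 254 ){ return $true }
    return $false
}
# Queries every zone for one address and prints a line per zone.
function CheckDNSBL([string]$target) {
    Write-Host "Checking IP:" $target
    $reversed = [string]::join(".",($target.split("."))[3..0])
    [string[]]$dnsbl = @(
    "b.barracudacentral.org";
    "bl.deadbeef.com";
    "bl.emailbasura.org";
    "bl.spamcannibal.org";
    "bl.spamcop.net";
    "blackholes.five-ten-sg.com";
    "blacklist.woody.ch";
    "bogons.cymru.com";
    "cbl.abuseat.org";
    "cdl.anti-spam.org.cn";
    "combined.abuse.ch";
    "combined.rbl.msrbl.net";
    "db.wpbl.info";
    "dnsbl-1.uceprotect.net";
    "dnsbl-2.uceprotect.net";
    "dnsbl-3.uceprotect.net";
    "dnsbl.ahbl.org";
    "dnsbl.cyberlogic.net";
    "dnsbl.inps.de";
    "dnsbl.njabl.org";
    "dnsbl.sorbs.net";
    "drone.abuse.ch";
    "duinv.aupads.org";
    "dul.dnsbl.sorbs.net";
    "dul.ru";
    "dyna.spamrats.com";
    "dynip.rothen.com";
    "http.dnsbl.sorbs.net";
    "images.rbl.msrbl.net";
    "ips.backscatterer.org";
    "ix.dnsbl.manitu.net";
    "korea.services.net";
    "misc.dnsbl.sorbs.net";
    "noptr.spamrats.com";
    "ohps.dnsbl.net.au";
    "omrs.dnsbl.net.au";
    "orvedb.aupads.org";
    "osps.dnsbl.net.au";
    "osrs.dnsbl.net.au";
    "owfs.dnsbl.net.au";
    "owps.dnsbl.net.au";
    "pbl.spamhaus.org";
    "phishing.rbl.msrbl.net";
    "probes.dnsbl.net.au";
    "proxy.bl.gweep.ca";
    "proxy.block.transip.nl";
    "psbl.surriel.com";
    "rbl.interserver.net";
    "rdts.dnsbl.net.au";
    "relays.bl.gweep.ca";
    "relays.bl.kundenserver.de";
    "relays.nether.net";
    "residential.block.transip.nl";
    "ricn.dnsbl.net.au";
    "rmst.dnsbl.net.au";
    "sbl.spamhaus.org";
    "short.rbl.jp";
    "smtp.dnsbl.sorbs.net";
    "socks.dnsbl.sorbs.net";
    "spam.abuse.ch";
    "spam.dnsbl.sorbs.net";
    "spam.rbl.msrbl.net";
    "spam.spamrats.com";
    "spamlist.or.kr";
    "spamrbl.imp.ch";
    "t3direct.dnsbl.net.au";
    "tor.ahbl.org";
    "tor.dnsbl.sectoor.de";
    "torserver.tor.dnsbl.sectoor.de";
    "ubl.lashback.com";
    "ubl.unsubscore.com";
    "virbl.bit.nl";
    "virus.rbl.jp";
    "virus.rbl.msrbl.net";
    "web.dnsbl.sorbs.net";
    "wormrbl.imp.ch";
    "xbl.spamhaus.org";
    "zen.spamhaus.org";
    "zombie.dnsbl.sorbs.net"
    )
    foreach ($zone in $dnsbl) {
        $lookup = $reversed + '.' + $zone
        try{
            $answers = @([System.Net.Dns]::GetHostAddresses($lookup) | ForEach-Object { $_.IPAddressToString })
        }
        catch{
            $answers = @()   # NXDOMAIN surfaces as a SocketException: not listed
        }
        $queryErrors = @($answers | Where-Object { $_ -like '127.255.255.*' })
        $hits = @($answers | Where-Object { $_ -like '127.*' -and $_ -notlike '127.255.255.*' })
        if( $hits.Count -gt 0 ){
            Write-Host "IP $target is listed in DNSBL" $zone "($($hits -join ','))" -foregroundcolor "Red"
        }
        elseif( $queryErrors.Count -gt 0 ){
            Write-Host "IP $target : DNSBL $zone refused the query ($($queryErrors -join ',')) - check the resolver, not the IP" -foregroundcolor "Yellow"
        }
        elseif( $answers.Count -eq 0 ){
            "IP $target is NOT listed in DNSBL " + $zone
        }
        else {
            Write-Host "IP $target got an unexpected answer from DNSBL $zone ($($answers -join ','))" -foregroundcolor "Yellow"
        }
    } # End of foreach zone
} # End of Function CheckDNSBL
if( $ip -ne 'ifaces' )
{
    if( -not (IsIPv4 $ip) ){Write-Host "-ip must be an IPv4 address or ifaces, got:" $ip -foregroundcolor Yellow;return}
    CheckDNSBL $ip
}
else
{
    $colItems = Get-WmiObject Win32_NetworkAdapterConfiguration | where{$_.IPAddress -like '*.*.*.*'}
    foreach($objItem in $colItems) {
        foreach($candidate in @($objItem.IPAddress)){
            if( (IsIPv4 $candidate) -and -not (IsPrivateIPv4 $candidate) ){
                CheckDNSBL $candidate
            }
        }
    }
}#end if
}#end process
}#end Check-Spamhaus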