Windows的IPBan无法获取VNC登录日志-美国VPS综合讨论-全球主机交流论坛 - 手机版 - Powered by Discuz!

[Windows VPS] Windows的IPBan无法获取VNC登录日志只看楼主

1^# nako
收藏 2021-3-18 16:26:42

本帖最后由 nako 于 2021-3-18 18:01 编辑

VNC版本6.3.2
Windows LTSC
https://github.com/DigitalRuby/IPBan

默认配置文件内容节选是：

<Group>
<Source>VNC</Source>
<Keywords>0x80000000000000</Keywords>
<Path>Application</Path>
<Expressions>
<Expression>
<XPath>//EventID</XPath>
<Regex>^257$</Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
Authentication\spassed\sby\s(?<ipaddress>.+)
]]>
</Regex>
</Expression>
</Expressions>
</Group>

默认配置不成功后我根据事件查看器更改了下ID和匹配内容

<Group>
<Source>VNC</Source>
<Keywords>0x80000000000000</Keywords>
<Path>Application</Path>
<Expressions>
<Expression>
<XPath>//EventID</XPath>
<Regex>^256$</Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
Connections
]]>
</Regex>
</Expression>
</Expressions>
</Group>

匹配内容还尝试过(Connections)或者Connections或者authenticated.*什么的，尝试连接VNC，IPBan日志还是没反应，求助大家，谢谢。

以下是Windows日志里的事件查看器内容：（下段xml复制粘贴后缩进有问题

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="VNC Server" />
<EventID Qualifiers="0">256</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-03-18T08:17:26.387985300Z" />
<EventRecordID>36464</EventRecordID>
<Channel>Application</Channel>
<Computer>abcde</Computer>
<Security />
</System>
- <EventData>
<Data>Connections</Data>
<Data>authenticated: 192.168.2.25::12811, as (anonymous) (d permissions)</Data>
</EventData>
</Event>

2^# nako
2021-3-18 18:01:21

很少人用这个吗

3^# nako
2021-3-19 20:56:27

解决方案：调节VNC失败黑名单及黑名单超时时间