#!/bin/bash
shopt -s -o nounset
shopt -s extglob

declare APNIC="ftp://ftp.apnic.net/public/stats/apnic/delegated-apnic-latest"
declare AFRINIC="ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest"
declare LACNIC="ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest"
declare RIPENCC="ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest"
declare IP=unset
declare CACHE_MAX_AGE=30 #Number of days to rely on the cached list of networks
declare USE_CACHE=false  #Do not use cache by default

#Wipe out any existing iptables rules before proceeding
iptables -F

checkcache() {
if [ `find /tmp/ -maxdepth 1 -iname "cached_IP_addresses" -mtime +$CACHE_MAX_AGE` ]; then
        rm -f /tmp/cached_IP_addresses
elif [ -f /tmp/cached_IP_addresses ]; then
        USE_CACHE=true
fi
}

ipfeeder() {
if [ "$USE_CACHE" = "true" ]; then
        cat /tmp/cached_IP_addresses
else
        curl -s $APNIC $AFRINIC $LACNIC $RIPENCC |\
                awk -F'|' '{print $4}'|\
                fgrep ".0.0.0" |\
                sed -e 's:$:/8:g'
fi
}

checkcache

ipfeeder | tee /tmp/cached_IP_addresses | {
        while read IP; do
                #Drop inbound packets from $IP
                iptables -A INPUT -s $IP -j DROP 
                #Drop outbound packets to $IP
                iptables -A OUTPUT -d $IP -j DROP
        done
}       

#Rate limit some protocols

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 1800 --hitcount 10 -j DROP

This is fairly self-explanatory. Basically, you’re telling iptables to drop any inbound and outbound packets to any of the networks listed in the ipfeeder() function, and just for good measure, we rate limit new incoming ssh connections to 10 every 30 minutes. (If you have port 22 opened to the outside world, have a look in /var/log/secure or /var/log/auth — there’s probably a shitload of break-in attempts that have been logged; grep for sshd and you’ll see what I mean.)

Remember, iptables rules don’t survive reboots! So make sure that this script runs on system startup (e.g., insert a call to the script in /etc/rc.local.)

For detailed lists of all networks in the apnic, afrinic, lacnic, and ripe-ncc registries, visit the following urls:

ftp://ftp.apnic.net/public/stats/apnic/delegated-apnic-latest
ftp://ftp.apnic.net/public/stats/afrinic/delegated-afrinic-latest
ftp://ftp.apnic.net/public/stats/lacnic/delegated-lacnic-latest
ftp://ftp.apnic.net/public/stats/ripe-ncc/delegated-ripencc-latest

At first glance, this seems as though the server ran out of TS CALS (Terminal Server Client Access Licenses). I was pretty sure that the server was configured to use the “Per User” licensing mode. However, a Windows Server 2003 Terminal Server operating in the “Per User” licensing mode can’t run out of licenses to the extent that it prevents the user from connecting (and instead, giving them the aforementioned error message). To the best of my knowledge, it can only do this when it is operating in “Per Device” mode. So this was the assumption that I ran with — that somehow, this server was never configured for “Per User” -or- it was, but the setting was either changed, reset, or corrupted somehow.

So, even though I wasn’t able to connect to TERMSVR01 via Remote Desktop, I was able to “Manage” it remotely by doing the following:

1. Open “Active Directory Users and Computers” on any Domain Controller
2. Expand the “Computers” node
3. Right-click TERMSVR01 and select ‘Manage’

Now we can do a few things (not many) on the server. One thing I wanted was to have a look at the Event Viewer. There were a few error messages like the following:

The more of these I saw, the more confident I was that my assumption was correct — the server was operating in “Per Device” mode and it had finally run out of licenses. I had the following options:

1. Wait for someone to go onsite and reconfigure the licensing mode (easy, but it would have to wait until tomorrow) or…
2. Attempt to reconfigure this setting and restart the service remotely (so that the setting takes takes effect) … all without having “Remote Desktop” access to the server.

Care to guess which option I chose?

Step #1: Override the licensing mode setting using group policy

1. Click ‘Start’
2. Click ‘Run’
3. Type the following command:
   gpedit.msc /gpcomputer:TERMSVR01
4. Click ‘OK’

Those four steps open the group policy (remotely) for TERMSVR01. Next we need to actually change the setting:

1. In the left-hand panel, expand “Administrative Templates”
2. Expand “Windows Components”
3. Click on “Terminal Services”
4. Locate the following setting in the right-hand panel:
   Set the Terminal Server licensing mode
5. Double-click the aforementioned setting
6. Change the option (directly below the heading) to “Enabled”
7. Select “Per User” from the drop-down box (below the heading: “Specify the licensing mode for the terminal server”.)
8. Click ‘OK’
9. Close the “Group Policy Object Editor” window

Great. The licensing mode has been changed but the setting won’t take effect until the service is restarted. We could open ’services.msc’ and connect to ‘TERMSVR01′ by using the ‘Connect to another computer …’ option in the ‘Action’ menu. This will allow us to administer almost all running services on TERMSVR01 … almost all. You’ll notice immediately that you cannot start/stop the ‘Terminal Services’ service from this management console, so we need to find another way to do it.

The easiest way I know to accomplish this task is to use the WMIC command from the command prompt.

Step #2: Restart a remote service using WMIC

1. Open a command prompt
2. Type the following command (then hit enter) to stop the service:
   wmic /node:TERMSVR01 service where “caption=’Terminal Services’” call StopService
3. Then, type the following command to start the service:
   wmic /node:TERMSVR01 service where “caption=’Terminal Services’” call StartService
4. Close the command prompt

If everything was successful (and my assumption about the nature of the problem was correct), then I should be able to connect to the server using the Remote Desktop client. I fired up the client and voilà! It worked perfectly.

Prints are also available from DeviantArt