December 5, 2008 02:58am pst

1. meverest 485,381
2. tedbilly 310,488
3. Dave_Dietz 174,244
4. RubalJ 125,188
5. TechSoEasy 97,050
6. pcsmitpra 64,965
7. Abs_jaipur 62,223
8. tigermatt 60,375
9. cj_1969 59,832
10. Chris-Dent 54,465
11. hielo 52,885
12. Robbie_L... 52,574
13. Sembee 49,488
14. LeeDerby... 48,778
15. harperse 40,815
16. zephyr_hex 40,555
17. RobWill 38,547
18. brwwiggins 37,500
19. Paranorm... 32,975
20. servoadmin 32,340
21. kieran_b 29,759
22. Redwulf... 28,850
23. b0lsc0tt 28,550
24. pcfreaker 28,280
25. LegendZM 26,575

1. meverest 1,600,073
2. Dave_Dietz 1,575,622
3. tedbilly 399,056
4. humeniuk 244,493
5. Sembee 222,808
6. Chris-Dent 186,082
7. TechSoEasy 181,644
8. dnojcd 167,736
9. DireOrbAnt 155,014
10. harperse 150,983
11. alimu 147,067
12. AndresM 142,147
13. cj_1969 128,771
14. RubalJ 125,688
15. Silvers5 118,933
16. Wadski 102,970
17. fz2hqs 98,692
18. pcsmitpra 92,833
19. amit_g 86,791
20. Robbie_L... 81,824
21. Abs_jaipur 80,848
22. LeeDerby... 77,453
23. shambhus... 73,800
24. bigbillydot... 73,647
25. tigermatt 73,176

11.29.2006 at 12:38PM PST, ID: 22076911

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.2

Block IP After "x" Number of Failed FTP/HTTP Logon Attempts

Asked by btpringle in Microsoft IIS Web Server

Tags: block, ip, ftp

Environment:

Internet Connection: Bright House Cable Internet, Standard Cable Modem, Dynamic IP
Router/Firewall: D-Link DI-524 (External IP: DHCP on 192.168.0.x Network; Internal IP: 192.168.1.1)
Web Server: Windows XP Professional running IIS (FTP and HTTP), IP address: 192.168.1.10, Norton Antivirus 2005

Physical Connection Looks Like This:

Internet ------ Motorola Cable Modem ----- D-Link DI-524 w/firewall enabled ----- Windows XP Pro w/IIS

Firewall Rules:

Deny Block Bad IP WAN,124.114.97.6 *,* TCP,*
Deny Block Bad IP WAN,203.135.160.34 *,* TCP,*
Deny Block Bad IP WAN,222.62.149.99 *,* TCP,*
Allow FTP WAN,* LAN,192.168.1.10 TCP,21
Allow HTTP WAN,* LAN,192.168.1.10 TCP,80
Allow Ping WAN port WAN,* LAN,192.168.1.1 ICMP,8
Deny Default *,* LAN,* *,*
Allow Default LAN,* *,* *,*

The first three rules, I manually created and edit them to block an IP address of anyone that I find is currently trying to gain access using a brute force attack, which seems to be nightly. The only traffic allowed through the firewall is either on port 80 (HTTP) or port 21 (FTP). Nothing else is allowed through.

Desired Outcome:

Currently, if I notice that there is an excessive amount of network activity on the workstation (I monitor the activity lights on the router), I look in the IIS logs located in the subfolders under C:\Windows\System32\LogFiles. I check to see what they are trying to access, which is usually FTP, and copy their IP address. I then sign on to the DI-524 and go into the firewall rules and change the IP address in the "Block Bad IP" rule so that they are no longer allowed. I accomplish my desired outcome because they are blocked, but I have to constantly monitor and manually edit the rules.

What I would like is for *Windows* to handle monitoring attempts to sign in and block their *IP Address* if it finds that there are too many failed attempts to authenticate as a specific user within a given amount of time. In other words, if Windows (or IIS) sees that there are five failed attempts to sign in to FTP using the "Administrator" account from the same IP address within a five minute window, I want it to block the IP address for thirty minutes.

I would prefer to accomplish this with minimal monetary investment -- preferably freeware.

Please refrain from posting flames about Windows, IIS, Norton, the router, and etc. Start Free Trial

Keywords: Block IP After "x" Number of Failed F…

	Title
1	NTBACKUP Blank Logfiles
2	My SBS FTP site is being attacked - A…
3	HiJackThis Logfile
4	Flame War!
5	Best flame
6	logon failure

Loading Advertisement...

20081112-EE-VQP-43

Block IP After "x" Number of Failed FTP/HTTP Logon Attempts

Asked by btpringle in Microsoft IIS Web Server

Tags: block, ip, ftp

About this solution