IIS6 Request filtering and Banning

Does anyone know of a way to check the incoming requests, check for a certain file, and if said file is requested, ban the IP of the requster?

I get code-red and nimda propogation attemps constantly, and I realize some of em are probably hackers, with IP spoofers, but I don't really care. I believe a majority of them are due to web servers elsewhere trying to compromise my webserver.

/scripts/..%5c../winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/c/winnt/system32/cmd.exe
/scripts/..Áœ../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/root.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe
/MSADC/root.exe

They're all listed as 404s, but I wanna keep them from even trying to access them. I don't know if IIS can do it, or I'd need some secondary program.. But the ideal solution would be something like this...


xxx.xxx.xxx.xxx tries to access /scripts/winnt/system32/cmd.exe
xxx.xxx.xxx.xxx gets added to a banlist

xxx.xxx.xxx.xxx tries to view the website
the IP is checked against a list
the IP is found in the list
/banned.html is the only thing that will be shown to the client


Anyone know of a way to do that?
LVL 1
LordSkitchAsked:
Who is Participating?
 
Timbo87Connect With a Mentor Commented:
1. Download and install Log Parser
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en

2. Open up Notepad, copy and paste this script in and save it as BlockNimda.vbs (make sure you save it as All Files so it doesn't append a .txt extension to it).

' SCRIPT STARTS HERE -------------------------------------------------------------------------

' This script parses the W3C log files for the default web site, finds the ip addresses
'  of all the clients sending NIMDA requests and adds these ip addresses to the list
'  of denied IP addresses for the web site.

DIM nSiteID     : nSiteID = 1

DIM IPs         : IPs = ARRAY(0)

DIM objLogQuery : SET objLogQuery = WScript.CreateObject("MSUtil.LogQuery")

DIM recordSet

DIM SelectStr


 
' Get the distinct IP addresses sending NIMDA requests and store them in an array

SelectStr = "SELECT DISTINCT c-ip FROM <" & nSiteID & "> WHERE "

SelectStr = SelectStr & "cs-uri-stem LIKE '%cmd.exe%' OR cs-uri-stem LIKE '%root.exe%'"

SET recordSet=objLogQuery.Execute(SelectStr)

DO WHILE NOT recordset.atEnd

      IF recordSet.GetRecord().isNull(0) = FALSE THEN

            REDIM PRESERVE IPs(UBOUND(IPs)+1)

            IPs(UBOUND(IPs)-1) = recordSet.GetRecord().getValue(0)

      END IF

      recordset.MoveNext

LOOP

recordSet.close




IF UBOUND(IPs) > 0 THEN

      'WScript.Echo("Blocking the following IP addresses:")

      FOR t=0 TO UBOUND(IPs)-1

            'WScript.Echo "IP: " & IPs(t)

      NEXT


      'Get the already blocked IP addresses

      DIM BlockedIPs : BlockedIPs = GetBlockedIPs

 

      'Block the non-blocked IP addresses

      FOR t=0 TO UBOUND(IPs)-1

        IF IsIn(IPs(t), BlockedIPs) = FALSE THEN

            REDIM PRESERVE BlockedIPs(UBOUND(BlockedIPs)+1)

            BlockedIPs(UBOUND(BlockedIPs))=IPs(t) & ", 255.255.255.255"
         
        END IF

      NEXT

      IF UBOUND(BlockedIPs) > 0 THEN

          BlockIPs(BlockedIPs)

      END IF

ELSE

      'WScript.Echo("No IP addresses to block")

END IF

WScript.Quit

 

' This function returns an array of all the IP addresses currently denied

FUNCTION GetBlockedIPs()

      DIM rootObj : SET rootObj = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")

      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity

      GetBlockedIPs = ipSecObj.IPDeny

END FUNCTION

 

' This function adds each IP address in the argument array to the list of IP addresses to deny access from

FUNCTION BlockIPs(IPAddresses)

      DIM rootObj : SET rootObj =  GetObject("IIS://localhost/W3SVC/1/Root")

      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity

      ipSecObj.GrantByDefault = TRUE

      ipSecObj.IPDeny = IPAddresses

      rootObj.IPSecurity = ipSecObj

      rootObj.SetInfo

END FUNCTION

 


' This function returns TRUE if the specified element is in the specified array

FUNCTION IsIn(element, arrayObj)

      if UBOUND(arrayObj) = -1 THEN

            IsIn = FALSE

      END IF

      FOR i=0 TO UBOUND(arrayObj)

            DIM IPs

            IPs = Split(arrayObj(i),",")

            IF IPs(0)=element THEN

                  IsIn = TRUE

                  EXIT FUNCTION

            END IF

      NEXT

      IsIn = FALSE

END FUNCTION

' SCRIPT ENDS HERE -------------------------------------------------------------------------

3. Double-click BlockNimda.vbs
0
 
Timbo87Commented:
BlockNimda.vbs does what you want. When it is run, it scans your server logs for any Nimda attempts and adds them to the banned IP list in IIS Manager, so when they visit they get 403 Forbidden errors on all pages. I've been using it since June and it's been working well. I created a scheduled task to run it everyday.

http://www.microsoft.com/technet/community/scriptcenter/logs/logparser/scripts/logpar04.mspx

As the site says, make sure you install the Log Parser first.
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en
0
 
LordSkitchAuthor Commented:
I must be an idiot or something, how the crap do you use all this?
0
 
LordSkitchAuthor Commented:
Man.. I must be a moron... I guess while trying to re-format the code to compile correctly, I deleted or added something where it shouldn't have been because I kept getting SQL errors..

I'll give you some extra points for dumbing it down for me lol
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.