Solved

IIS6 Request filtering and Banning

Posted on 2004-10-02
Last Modified: 2008-02-01
Does anyone know of a way to check the incoming requests, check for a certain file, and if said file is requested, ban the IP of the requester?

I get code-red and nimda propagation attempts constantly, and I realize some of them are probably hackers, with IP spoofers, but I don't really care. I believe a majority of them are due to web servers elsewhere trying to compromise my webserver.

/scripts/..%5c../winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/c/winnt/system32/cmd.exe
/scripts/..Áœ../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/root.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe
/MSADC/root.exe

They're all listed as 404s, but I wanna keep them from even trying to access them. I don't know if IIS can do it, or if I'd need some secondary program, but the ideal solution would be something like this...


xxx.xxx.xxx.xxx tries to access /scripts/winnt/system32/cmd.exe
xxx.xxx.xxx.xxx gets added to a banlist

xxx.xxx.xxx.xxx tries to view the website
the IP is checked against a list
the IP is found in the list
/banned.html is the only thing that will be shown to the client


Anyone know of a way to do that?
Question by:LordSkitch
LVL 15

Expert Comment

by:Timbo87
ID: 12209336
BlockNimda.vbs does what you want. When it is run, it scans your server logs for any Nimda attempts and adds them to the banned IP list in IIS Manager, so when they visit they get 403 Forbidden errors on all pages. I've been using it since June and it's been working well. I created a scheduled task to run it every day.

http://www.microsoft.com/technet/community/scriptcenter/logs/logparser/scripts/logpar04.mspx

As the site says, make sure you install the Log Parser first.
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en
 
LVL 1

Author Comment

by:LordSkitch
ID: 12209865
I must be an idiot or something, how the crap do you use all this?
 
LVL 15

Accepted Solution

by:Timbo87 (earned 400 total points)
ID: 12212885
1. Download and install Log Parser
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en

2. Open up Notepad, copy and paste this script in and save it as BlockNimda.vbs (make sure you save it as All Files so it doesn't append a .txt extension to it).

' SCRIPT STARTS HERE -------------------------------------------------------------------------

' This script parses the W3C log files for the default web site, finds the IP addresses
'  of all the clients sending NIMDA requests and adds these IP addresses to the list
'  of denied IP addresses for the web site.

DIM nSiteID     : nSiteID = 1          ' IIS site identifier (1 = Default Web Site)
DIM IPs         : IPs = ARRAY(0)       ' found addresses; one spare slot is kept at the end
DIM objLogQuery : SET objLogQuery = WScript.CreateObject("MSUtil.LogQuery")
DIM objInputFmt : SET objInputFmt = WScript.CreateObject("MSUtil.LogQuery.IISW3CInputFormat")
DIM recordSet
DIM SelectStr

' Get the distinct IP addresses sending NIMDA requests and store them in an array.
' <1> is Log Parser's notation for the log files of IIS site ID 1.
SelectStr = "SELECT DISTINCT c-ip FROM <" & nSiteID & "> WHERE "
SelectStr = SelectStr & "cs-uri-stem LIKE '%cmd.exe%' OR cs-uri-stem LIKE '%root.exe%'"

SET recordSet = objLogQuery.Execute(SelectStr, objInputFmt)

DO WHILE NOT recordSet.atEnd
      IF recordSet.GetRecord().isNull(0) = FALSE THEN
            ' grow by one and fill the slot before the spare one, so the
            ' addresses occupy IPs(0) .. IPs(UBOUND(IPs)-1)
            REDIM PRESERVE IPs(UBOUND(IPs)+1)
            IPs(UBOUND(IPs)-1) = recordSet.GetRecord().getValue(0)
      END IF
      recordSet.MoveNext
LOOP

recordSet.close

IF UBOUND(IPs) > 0 THEN
      'WScript.Echo("Blocking the following IP addresses:")
      FOR t=0 TO UBOUND(IPs)-1
            'WScript.Echo "IP: " & IPs(t)
      NEXT

      'Get the already blocked IP addresses
      DIM BlockedIPs : BlockedIPs = GetBlockedIPs

      'Block the non-blocked IP addresses (IIS stores each entry as "ip, mask")
      FOR t=0 TO UBOUND(IPs)-1
        IF IsIn(IPs(t), BlockedIPs) = FALSE THEN
            REDIM PRESERVE BlockedIPs(UBOUND(BlockedIPs)+1)
            BlockedIPs(UBOUND(BlockedIPs)) = IPs(t) & ", 255.255.255.255"
        END IF
      NEXT

      ' UBOUND is 0 when the list holds exactly one address, so test for >= 0:
      ' a "> 0" test would silently skip the very first address to be blocked
      IF UBOUND(BlockedIPs) >= 0 THEN
          CALL BlockIPs(BlockedIPs)
      END IF
ELSE
      'WScript.Echo("No IP addresses to block")
END IF

WScript.Quit

' This function returns an array of all the IP addresses currently denied
FUNCTION GetBlockedIPs()
      DIM rootObj : SET rootObj = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")
      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity
      GetBlockedIPs = ipSecObj.IPDeny
END FUNCTION

' This function adds each IP address in the argument array to the list of IP addresses to deny access from
FUNCTION BlockIPs(IPAddresses)
      ' same site as GetBlockedIPs, so the read and the write never diverge
      DIM rootObj : SET rootObj = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")
      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity
      ipSecObj.GrantByDefault = TRUE
      ipSecObj.IPDeny = IPAddresses
      rootObj.IPSecurity = ipSecObj
      rootObj.SetInfo
END FUNCTION

' This function returns TRUE if the specified element is in the specified array
FUNCTION IsIn(element, arrayObj)
      DIM i, parts
      IsIn = FALSE
      IF UBOUND(arrayObj) = -1 THEN EXIT FUNCTION   ' empty deny list
      FOR i=0 TO UBOUND(arrayObj)
            parts = Split(arrayObj(i), ",")          ' "ip, mask" -> compare the ip part only
            IF parts(0) = element THEN
                  IsIn = TRUE
                  EXIT FUNCTION
            END IF
      NEXT
END FUNCTION

' SCRIPT ENDS HERE -------------------------------------------------------------------------

3. Double-click BlockNimda.vbs
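The same two steps the accepted answer's script performs (read the W3C log, pick out the distinct client addresses that asked for cmd.exe or root.exe, then merge them into an IIS-style "ip, mask" deny list without duplicates), as an added Python example that is not part of the thread or of the BlockNimda.vbs script; the log excerpt and the addresses in it are constructed, and the example also handles the one-address case correctly.

```python
import re
from urllib.parse import unquote

# Constructed W3C extended log excerpt (not from the original post). As in IIS6
# logs, the '#Fields:' directive names the columns of the entries that follow.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-02 00:01:12 203.0.113.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2004-10-02 00:01:13 203.0.113.7 GET /MSADC/root.exe /c+dir 404
2004-10-02 00:02:40 198.51.100.9 GET /index.html - 200
2004-10-02 00:03:05 192.0.2.25 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 404
2004-10-02 00:03:06 192.0.2.25 GET /default.htm - 200
"""

# Same match as the Log Parser query: the requested file is cmd.exe or root.exe.
PROBE_PATTERN = re.compile(r"(cmd\.exe|root\.exe)$", re.IGNORECASE)

def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names in the latest #Fields: line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS may restart the directive mid-file
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields: directive")
        yield dict(zip(fields, line.split()))

def find_probing_ips(log_text):
    """Distinct client IPs whose requested file is cmd.exe or root.exe; the stem is
    percent-decoded (Latin-1) first, so %c1%9c shows as the 'Áœ' from the question."""
    ips = []
    for rec in parse_w3c(log_text):
        stem = unquote(rec.get("cs-uri-stem", ""), encoding="latin-1")
        if PROBE_PATTERN.search(stem) and rec["c-ip"] not in ips:
            ips.append(rec["c-ip"])
    return ips

def merge_deny_list(existing, new_ips):
    """Append 'ip, 255.255.255.255' entries (IIS IPDeny format) for IPs not
    already denied; a single new IP still yields a one-entry list."""
    already = {entry.split(",")[0].strip() for entry in existing}
    merged = list(existing)
    for ip in new_ips:
        if ip not in already:
            merged.append(f"{ip}, 255.255.255.255")
            already.add(ip)
    return merged
```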
 
LVL 1

Author Comment

by:LordSkitch
ID: 12213340
Man.. I must be a moron... I guess while trying to re-format the code to compile correctly, I deleted or added something where it shouldn't have been, because I kept getting SQL errors.

I'll give you some extra points for dumbing it down for me lol