Solved

IIS6 Request filtering and Banning

Posted on 2004-10-02
Last Modified: 2008-02-01
Does anyone know of a way to check the incoming requests, check for a certain file, and if said file is requested, ban the IP of the requester?

I get Code Red and Nimda propagation attempts constantly, and I realize some of them are probably hackers with IP spoofers, but I don't really care. I believe a majority of them are due to web servers elsewhere trying to compromise my web server.

/scripts/..%5c../winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/c/winnt/system32/cmd.exe
/scripts/..Áœ../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/root.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe
/MSADC/root.exe

They're all listed as 404s, but I want to keep them from even trying to access them. I don't know if IIS can do it, or if I'd need some secondary program. But the ideal solution would be something like this...


xxx.xxx.xxx.xxx tries to access /scripts/winnt/system32/cmd.exe
xxx.xxx.xxx.xxx gets added to a banlist

xxx.xxx.xxx.xxx tries to view the website
the IP is checked against a list
the IP is found in the list
/banned.html is the only thing that will be shown to the client


Anyone know of a way to do that?
Question by:LordSkitch

4 Comments
LVL 15

Expert Comment

by:Timbo87
ID: 12209336
BlockNimda.vbs does what you want. When it is run, it scans your server logs for any Nimda attempts and adds them to the banned IP list in IIS Manager, so when they visit they get 403 Forbidden errors on all pages. I've been using it since June and it's been working well. I created a scheduled task to run it every day.

http://www.microsoft.com/technet/community/scriptcenter/logs/logparser/scripts/logpar04.mspx

As the site says, make sure you install the Log Parser first.
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en
LVL 1

Author Comment

by:LordSkitch
ID: 12209865
I must be an idiot or something, how the crap do you use all this?
LVL 15

Accepted Solution

by:
Timbo87 earned 400 total points
ID: 12212885
1. Download and install Log Parser
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en

2. Open up Notepad, copy and paste this script in and save it as BlockNimda.vbs (make sure you save it as All Files so it doesn't append a .txt extension to it).

' SCRIPT STARTS HERE -------------------------------------------------------------------------

' This script parses the W3C log files for the default web site, finds the IP addresses
' of all the clients sending NIMDA requests and adds those IP addresses to the list
' of denied IP addresses for the web site.

Option Explicit

DIM nSiteID : nSiteID = 1          ' metabase ID of the site to protect (1 = Default Web Site)
DIM IPs     : IPs = ARRAY()        ' offending client addresses found in the logs (starts empty)

DIM objLogQuery, objInputFormat, recordSet, SelectStr, BlockedIPs, t

SET objLogQuery    = WScript.CreateObject("MSUtil.LogQuery")
SET objInputFormat = WScript.CreateObject("MSUtil.LogQuery.IISW3CInputFormat")

' Get the distinct IP addresses sending NIMDA requests and store them in an array.
' "FROM <1>" tells Log Parser to read the IIS W3C logs of site ID 1.
SelectStr = "SELECT DISTINCT c-ip FROM <" & nSiteID & "> WHERE "
SelectStr = SelectStr & "cs-uri-stem LIKE '%cmd.exe%' OR cs-uri-stem LIKE '%root.exe%'"

SET recordSet = objLogQuery.Execute(SelectStr, objInputFormat)

DO WHILE NOT recordSet.atEnd
      IF recordSet.GetRecord().isNull(0) = FALSE THEN
            REDIM PRESERVE IPs(UBOUND(IPs) + 1)
            IPs(UBOUND(IPs)) = recordSet.GetRecord().getValue(0)
      END IF
      recordSet.MoveNext
LOOP

recordSet.close

IF UBOUND(IPs) >= 0 THEN

      'Get the already blocked IP addresses
      BlockedIPs = GetBlockedIPs()

      'Block the IP addresses that are not blocked yet
      FOR t = 0 TO UBOUND(IPs)
            IF IsIn(IPs(t), BlockedIPs) = FALSE THEN
                  'WScript.Echo "Blocking IP: " & IPs(t)
                  REDIM PRESERVE BlockedIPs(UBOUND(BlockedIPs) + 1)
                  BlockedIPs(UBOUND(BlockedIPs)) = IPs(t) & ", 255.255.255.255"
            END IF
      NEXT

      ' Write the list back if it holds at least one entry
      IF UBOUND(BlockedIPs) >= 0 THEN BlockIPs BlockedIPs

ELSE
      'WScript.Echo "No IP addresses to block"
END IF

WScript.Quit

' This function returns an array of all the IP addresses currently denied
' (each entry has the form "ip, mask", e.g. "10.1.2.3, 255.255.255.255")
FUNCTION GetBlockedIPs()
      DIM rootObj  : SET rootObj  = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")
      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity
      GetBlockedIPs = ipSecObj.IPDeny
END FUNCTION

' This procedure replaces the site's deny list with the argument array
SUB BlockIPs(IPAddresses)
      DIM rootObj  : SET rootObj  = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")
      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity
      ipSecObj.GrantByDefault = TRUE     ' allow everyone except the addresses in IPDeny
      ipSecObj.IPDeny = IPAddresses
      rootObj.IPSecurity = ipSecObj
      rootObj.SetInfo
END SUB

' This function returns TRUE if the specified IP address is in the specified
' array of "ip, mask" entries (only the address part is compared)
FUNCTION IsIn(element, arrayObj)
      DIM i, parts
      IsIn = FALSE
      FOR i = 0 TO UBOUND(arrayObj)
            parts = Split(arrayObj(i), ",")
            IF Trim(parts(0)) = element THEN
                  IsIn = TRUE
                  EXIT FUNCTION
            END IF
      NEXT
END FUNCTION

' SCRIPT ENDS HERE -------------------------------------------------------------------------

3. Double-click BlockNimda.vbs
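The detection and deny-list logic that the question asks for and the accepted script implements, as an added example in Python that is not part of the original thread or of the Microsoft BlockNimda.vbs script. It reads a few constructed IIS 6 W3C log lines (sample data, not real traffic), normalizes each cs-uri-stem the way the question's probes require (percent-decoding, plus mapping the %c0%af and %c1%9c overlong UTF-8 sequences that IIS once accepted as path separators), collects the distinct client IPs that requested cmd.exe or root.exe, and merges them into the "ip, 255.255.255.255" entries the IPDeny list holds, skipping addresses already present. The field layout, the addresses and the pre-existing deny list are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log in IIS W3C Extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-10-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-10-02 00:01:12 10.0.0.5 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 80 - 192.0.2.10 - 404 0 2
2004-10-02 00:01:13 10.0.0.5 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2004-10-02 00:01:15 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 80 - 192.0.2.11 - 404 0 2
2004-10-02 00:01:16 10.0.0.5 GET /MSADC/root.exe /c+dir 80 - 192.0.2.10 - 404 0 2
2004-10-02 00:01:18 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.9 - 404 0 2
2004-10-02 00:01:20 10.0.0.5 GET /products/cmd.exe.html - 80 - 198.51.100.8 Mozilla/4.0 200 0 0
"""

# Nimda / Code Red probes end in cmd.exe or root.exe. Matching only the
# terminal path component keeps /products/cmd.exe.html from being flagged,
# which the script's LIKE '%cmd.exe%' would flag.
PROBE_RE = re.compile(rb"/(cmd|root)\.exe$")


def canonicalize(stem):
    """Percent-decode a cs-uri-stem to bytes and fold the overlong UTF-8
    separators (%c0%af -> '/', %c1%9c -> '\\') and backslashes to '/'."""
    raw = unquote_to_bytes(stem)
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return raw.replace(b"\\", b"/").lower()


def is_probe(stem):
    """True if the requested path is a cmd.exe / root.exe probe."""
    return PROBE_RE.search(canonicalize(stem)) is not None


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or garbled record: skip rather than misalign
        yield dict(zip(fields, values))


def probing_ips(text):
    """Distinct c-ip values that sent a probe, in first-seen order
    (the SELECT DISTINCT c-ip ... WHERE ... of the script)."""
    seen = {}
    for rec in parse_w3c(text):
        if is_probe(rec["cs-uri-stem"]):
            seen.setdefault(rec["c-ip"], None)
    return list(seen)


def merge_deny_list(existing, ips):
    """Return the IPDeny array with an 'ip, 255.255.255.255' entry appended
    for each address not already present (compared on the address part)."""
    denied = {entry.split(",")[0].strip() for entry in existing}
    merged = list(existing)
    for ip in ips:
        if ip not in denied:
            merged.append(f"{ip}, 255.255.255.255")
            denied.add(ip)
    return merged


if __name__ == "__main__":
    already_denied = ["192.0.2.11, 255.255.255.255"]  # assumed current IPDeny list
    for entry in merge_deny_list(already_denied, probing_ips(SAMPLE_LOG)):
        print(entry)
```

Two points the thread leaves implicit: comparing on the address part of each "ip, mask" entry is what keeps the nightly run from appending duplicates, and the IPDeny list answers with a 403 (IIS substatus 403.6, IP address rejected) rather than the /banned.html page the question describes, so that page would have to be configured as the custom error page for that status.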
LVL 1

Author Comment

by:LordSkitch
ID: 12213340
Man.. I must be a moron... I guess while trying to re-format the code to compile correctly, I deleted or added something where it shouldn't have been, because I kept getting SQL errors.

I'll give you some extra points for dumbing it down for me lol