Solved

IIS6 Request filtering and Banning

Posted on 2004-10-02
4
1,393 Views
Last Modified: 2008-02-01
Does anyone know of a way to check the incoming requests, check for a certain file, and if said file is requested, ban the IP of the requster?

I get code-red and nimda propogation attemps constantly, and I realize some of em are probably hackers, with IP spoofers, but I don't really care. I believe a majority of them are due to web servers elsewhere trying to compromise my webserver.

/scripts/..%5c../winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/c/winnt/system32/cmd.exe
/scripts/..Áœ../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/root.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe
/MSADC/root.exe

They're all listed as 404s, but I wanna keep them from even trying to access them. I don't know if IIS can do it, or I'd need some secondary program.. But the ideal solution would be something like this...


xxx.xxx.xxx.xxx tries to access /scripts/winnt/system32/cmd.exe
xxx.xxx.xxx.xxx gets added to a banlist

xxx.xxx.xxx.xxx tries to view the website
the IP is checked against a list
the IP is found in the list
/banned.html is the only thing that will be shown to the client


Anyone know of a way to do that?
0
Comment
Question by:LordSkitch
  • 2
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Timbo87
ID: 12209336
BlockNimda.vbs does what you want. When it is run, it scans your server logs for any Nimda attempts and adds them to the banned IP list in IIS Manager, so when they visit they get 403 Forbidden errors on all pages. I've been using it since June and it's been working well. I created a scheduled task to run it everyday.

http://www.microsoft.com/technet/community/scriptcenter/logs/logparser/scripts/logpar04.mspx

As the site says, make sure you install the Log Parser first.
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en
0
 
LVL 1

Author Comment

by:LordSkitch
ID: 12209865
I must be an idiot or something, how the crap do you use all this?
0
 
LVL 15

Accepted Solution

by:
Timbo87 earned 400 total points
ID: 12212885
1. Download and install Log Parser
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en

2. Open up Notepad, copy and paste this script in and save it as BlockNimda.vbs (make sure you save it as All Files so it doesn't append a .txt extension to it).

' SCRIPT STARTS HERE -------------------------------------------------------------------------

' This script parses the W3C log files for the default web site, finds the ip addresses
'  of all the clients sending NIMDA requests and adds these ip addresses to the list
'  of denied IP addresses for the web site.

DIM nSiteID     : nSiteID = 1

DIM IPs         : IPs = ARRAY(0)

DIM objLogQuery : SET objLogQuery = WScript.CreateObject("MSUtil.LogQuery")

DIM recordSet

DIM SelectStr


 
' Get the distinct IP addresses sending NIMDA requests and store them in an array

SelectStr = "SELECT DISTINCT c-ip FROM <" & nSiteID & "> WHERE "

SelectStr = SelectStr & "cs-uri-stem LIKE '%cmd.exe%' OR cs-uri-stem LIKE '%root.exe%'"

SET recordSet=objLogQuery.Execute(SelectStr)

DO WHILE NOT recordset.atEnd

      IF recordSet.GetRecord().isNull(0) = FALSE THEN

            REDIM PRESERVE IPs(UBOUND(IPs)+1)

            IPs(UBOUND(IPs)-1) = recordSet.GetRecord().getValue(0)

      END IF

      recordset.MoveNext

LOOP

recordSet.close




IF UBOUND(IPs) > 0 THEN

      'WScript.Echo("Blocking the following IP addresses:")

      FOR t=0 TO UBOUND(IPs)-1

            'WScript.Echo "IP: " & IPs(t)

      NEXT


      'Get the already blocked IP addresses

      DIM BlockedIPs : BlockedIPs = GetBlockedIPs

 

      'Block the non-blocked IP addresses

      FOR t=0 TO UBOUND(IPs)-1

        IF IsIn(IPs(t), BlockedIPs) = FALSE THEN

            REDIM PRESERVE BlockedIPs(UBOUND(BlockedIPs)+1)

            BlockedIPs(UBOUND(BlockedIPs))=IPs(t) & ", 255.255.255.255"
         
        END IF

      NEXT

      IF UBOUND(BlockedIPs) > 0 THEN

          BlockIPs(BlockedIPs)

      END IF

ELSE

      'WScript.Echo("No IP addresses to block")

END IF

WScript.Quit

 

' This function returns an array of all the IP addresses currently denied

FUNCTION GetBlockedIPs()

      DIM rootObj : SET rootObj = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")

      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity

      GetBlockedIPs = ipSecObj.IPDeny

END FUNCTION

 

' This function adds each IP address in the argument array to the list of IP addresses to deny access from

FUNCTION BlockIPs(IPAddresses)

      DIM rootObj : SET rootObj =  GetObject("IIS://localhost/W3SVC/1/Root")

      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity

      ipSecObj.GrantByDefault = TRUE

      ipSecObj.IPDeny = IPAddresses

      rootObj.IPSecurity = ipSecObj

      rootObj.SetInfo

END FUNCTION

 


' This function returns TRUE if the specified element is in the specified array

FUNCTION IsIn(element, arrayObj)

      if UBOUND(arrayObj) = -1 THEN

            IsIn = FALSE

      END IF

      FOR i=0 TO UBOUND(arrayObj)

            DIM IPs

            IPs = Split(arrayObj(i),",")

            IF IPs(0)=element THEN

                  IsIn = TRUE

                  EXIT FUNCTION

            END IF

      NEXT

      IsIn = FALSE

END FUNCTION

' SCRIPT ENDS HERE -------------------------------------------------------------------------

3. Double-click BlockNimda.vbs
0
 
LVL 1

Author Comment

by:LordSkitch
ID: 12213340
Man.. I must be a moron... I guess while trying to re-format the code to compile correctly, I deleted or added something where it shouldn't have been because I kept getting SQL errors..

I'll give you some extra points for dumbing it down for me lol
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SMTP Question 3 69
How to run mscorfcfg.msc 7 46
PDF Embed pdfobject.js local path problem regular ASP 2 117
Redirect rewrite back to same address 3 60
Logparser is the smartest tool I have ever used in parsing IIS log files and there are many interesting things I wanted to share with everyone one of the  real-world  scenario from my current project. Let's get started with  scenario - How do w…
What is an ISAPI filter?   •      It's an assembly (.dll file) that can add or change the way IIS works.   •      They can be enabled globally for your web server or on a site-by-site basis.   When the IIS server receives a request, enabling the ISAPI fi…
This is a video describing the growing solar energy use in Utah. This is a topic that greatly interests me and so I decided to produce a video about it.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now