Block IP After "x" Number of Failed FTP/HTTP Logon Attempts
Posted on 2006-11-29
Internet Connection: Bright House Cable Internet, Standard Cable Modem, Dynamic IP
Router/Firewall: D-Link DI-524 (External IP: DHCP on 192.168.0.x Network; Internal IP: 192.168.1.1)
Web Server: Windows XP Professional running IIS (FTP and HTTP), IP address: 192.168.1.10, Norton Antivirus 2005
Physical Connection Looks Like This:
Internet ------ Motorola Cable Modem ----- D-Link DI-524 w/firewall enabled ----- Windows XP Pro w/IIS
Deny Block Bad IP WAN,188.8.131.52 *,* TCP,*
Deny Block Bad IP WAN,184.108.40.206 *,* TCP,*
Deny Block Bad IP WAN,220.127.116.11 *,* TCP,*
Allow FTP WAN,* LAN,192.168.1.10 TCP,21
Allow HTTP WAN,* LAN,192.168.1.10 TCP,80
Allow Ping WAN port WAN,* LAN,192.168.1.1 ICMP,8
Deny Default *,* LAN,* *,*
Allow Default LAN,* *,* *,*
The first three rules, I manually created and edit them to block an IP address of anyone that I find is currently trying to gain access using a brute force attack, which seems to be nightly. The only traffic allowed through the firewall is either on port 80 (HTTP) or port 21 (FTP). Nothing else is allowed through.
Currently, if I notice that there is an excessive amount of network activity on the workstation (I monitor the activity lights on the router), I look in the IIS logs located in the subfolders under C:\Windows\System32\LogFiles. I check to see what they are trying to access, which is usually FTP, and copy their IP address. I then sign on to the DI-524 and go into the firewall rules and change the IP address in the "Block Bad IP" rule so that they are no longer allowed. I accomplish my desired outcome because they are blocked, but I have to constantly monitor and manually edit the rules.
What I would like is for *Windows* to handle monitoring attempts to sign in and block their *IP Address* if it finds that there are too many failed attempts to authenticate as a specific user within a given amount of time. In other words, if Windows (or IIS) sees that there are five failed attempts to sign in to FTP using the "Administrator" account from the same IP address within a five minute window, I want it to block the IP address for thirty minutes.
I would prefer to accomplish this with minimal monetary investment -- preferably freeware.
Please refrain from posting flames about Windows, IIS, Norton, the router, and etc.