We help IT Professionals succeed at work.
Get Started

Block IP After "x" Number of Failed FTP/HTTP Logon Attempts

5,040 Views
Last Modified: 2008-01-09
Environment:

Internet Connection: Bright House Cable Internet, Standard Cable Modem, Dynamic IP
Router/Firewall: D-Link DI-524 (External IP: DHCP on 192.168.0.x Network;  Internal IP: 192.168.1.1)
Web Server: Windows XP Professional running IIS (FTP and HTTP), IP address: 192.168.1.10, Norton Antivirus 2005


Physical Connection Looks Like This:

Internet ------ Motorola Cable Modem ----- D-Link DI-524 w/firewall enabled ----- Windows XP Pro w/IIS


Firewall Rules:

Deny     Block Bad IP        WAN,124.114.97.6 *,* TCP,*  
Deny     Block Bad IP        WAN,203.135.160.34 *,* TCP,*  
Deny     Block Bad IP        WAN,222.62.149.99 *,* TCP,*  
Allow    FTP                    WAN,* LAN,192.168.1.10 TCP,21  
Allow    HTTP                  WAN,* LAN,192.168.1.10 TCP,80  
Allow    Ping WAN port     WAN,* LAN,192.168.1.1 ICMP,8  
Deny     Default                *,* LAN,* *,*  
Allow    Default                LAN,* *,* *,*


The first three rules, I manually created and edit them to block an IP address of anyone that I find is currently trying to gain access using a brute force attack, which seems to be nightly.  The only traffic allowed through the firewall is either on port 80 (HTTP) or port 21 (FTP).  Nothing else is allowed through.


Desired Outcome:

Currently, if I notice that there is an excessive amount of network activity on the workstation (I monitor the activity lights on the router), I look in the IIS logs located in the subfolders under C:\Windows\System32\LogFiles.  I check to see what they are trying to access, which is usually FTP, and copy their IP address.  I then sign on to the DI-524 and go into the firewall rules and change the IP address in the "Block Bad IP" rule so that they are no longer allowed.  I accomplish my desired outcome because they are blocked, but I have to constantly monitor and manually edit the rules.

What I would like is for *Windows* to handle monitoring attempts to sign in and block their *IP Address* if it finds that there are too many failed attempts to authenticate as a specific user within a given amount of time.  In other words, if Windows (or IIS) sees that there are five failed attempts to sign in to FTP using the "Administrator" account from the same IP address within a five minute window, I want it to block the IP address for thirty minutes.  

I would prefer to accomplish this with minimal monetary investment -- preferably freeware.


Please refrain from posting flames about Windows, IIS, Norton, the router, and etc.  
Comment
Watch Question
Security Samurai
CERTIFIED EXPERT
Top Expert 2006
Commented:
This problem has been solved!
Unlock 1 Answer and 18 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE