Error - View Single Post - Block IP After "x" Number of Failed FTP/HTTP Logon Attempts

**Sangeetha** · 27-Feb-2007, 08:51 PM

I can't find any workaround for IIS 5.1, Apache can do this, and it's more secure by default and also the most used web server on the net as well. Snort can be tough to get going for a lot of folks, here is a site dedicated to win32 snort WINSNORT.com :: Intrusion Detection and it will work with snortsam as he has ported ss to win32.
If you wanted a script that might do this, I'd open another question in the VBScripting TA here on EE for that. A script that parses the event logs, looking for X number of failed events from a single ip address, in X amount of time. If that condition is meet, issue the netsh commands to block that ip indefinitely. See if a whitelist can be used to allow certain ip's to never be firewalled. The script should back up the firewall's settings so that you can easily roll-back if you need to.
C:\>netsh firewall show config >c:\FW_back-up.txt (to write a backup file with the current firewall settings before the block is set)
C:\>netsh firewall set portopening ALL 21 DISABLE CUSTOM x.x.x.x (x.x.x.x is the ip of the offending "attacker")

Look at the netsh /? help commands for further examples, netsh firewall /? netsh firewall set /? etc...
-rich

27-Feb-2007, 08:51 PM	#2 (permalink)
Sangeetha Fixed Error! Posts: 139 Location: Chennai Join Date: Feb 2007 Rep Power: 2 IM:	Re: Block IP After "x" Number of Failed FTP/HTTP Logon Attempts I can't find any workaround for IIS 5.1, Apache can do this, and it's more secure by default and also the most used web server on the net as well. Snort can be tough to get going for a lot of folks, here is a site dedicated to win32 snort WINSNORT.com :: Intrusion Detection and it will work with snortsam as he has ported ss to win32. If you wanted a script that might do this, I'd open another question in the VBScripting TA here on EE for that. A script that parses the event logs, looking for X number of failed events from a single ip address, in X amount of time. If that condition is meet, issue the netsh commands to block that ip indefinitely. See if a whitelist can be used to allow certain ip's to never be firewalled. The script should back up the firewall's settings so that you can easily roll-back if you need to. C:\>netsh firewall show config >c:\FW_back-up.txt (to write a backup file with the current firewall settings before the block is set) C:\>netsh firewall set portopening ALL 21 DISABLE CUSTOM x.x.x.x (x.x.x.x is the ip of the offending "attacker") Look at the netsh /? help commands for further examples, netsh firewall /? netsh firewall set /? etc... -rich