Block IP After "x" Number of Failed FTP/HTTP Logon Attempts

**Sangeetha** · 27-Feb-2007, 07:51 PM

Question: Environment:

Internet Connection: Bright House Cable Internet, Standard Cable Modem, Dynamic IP
Router/Firewall: D-Link DI-524 (External IP: DHCP on 192.168.0.x Network; Internal IP: 192.168.1.1)
Web Server.com :: Hosted Web Applications: Windows XP Professional running IIS (FTP and HTTP), IP address: 192.168.1.10, Norton Antivirus 2005

Physical Connection Looks Like This:

Internet ------ Motorola Cable Modem ----- D-Link DI-524 w/firewall enabled ----- Windows XP Pro w/IIS

Firewall Rules:

Deny Block Bad IP WAN,124.114.97.6 *,* TCP,*
Deny Block Bad IP WAN,203.135.160.34 *,* TCP,*
Deny Block Bad IP WAN,222.62.149.99 *,* TCP,*
Allow FTP WAN,* LAN,192.168.1.10 TCP,21
Allow HTTP WAN,* LAN,192.168.1.10 TCP,80
Allow Ping WAN port WAN,* LAN,192.168.1.1 ICMP,8
Deny Default *,* LAN,* *,*
Allow Default LAN,* *,* *,*

The first three rules, I manually created and edit them to block an IP address of anyone that I find is currently trying to gain access using a brute force attack, which seems to be nightly. The only traffic allowed through the firewall is either on port 80 (HTTP) or port 21 (FTP). Nothing else is allowed through.

Desired Outcome:

Currently, if I notice that there is an excessive amount of network activity on the workstation (I monitor the activity lights on the router), I look in the IIS logs located in the subfolders under C:\Windows\System32\LogFiles. I check to see what they are trying to access, which is usually FTP, and copy their IP address. I then sign on to the DI-524 and go into the firewall rules and change the IP address in the "Block Bad IP" rule so that they are no longer allowed. I accomplish my desired outcome because they are blocked, but I have to constantly monitor and manually edit the rules.

What I would like is for *Windows* to handle monitoring attempts to sign in and block their *IP Address* if it finds that there are too many failed attempts to authenticate as a specific user within a given amount of time. In other words, if Windows (or IIS) sees that there are five failed attempts to sign in to FTP using the "Administrator" account from the same IP address within a five minute window, I want it to block the IP address for thirty minutes.

I would prefer to accomplish this with minimal monetary investment -- preferably freeware.

Please refrain from posting flames about Windows, IIS, Norton, the router, and etc

**Sangeetha** · 27-Feb-2007, 07:51 PM

I can't find any workaround for IIS 5.1, Apache can do this, and it's more secure by default and also the most used web server on the net as well. Snort can be tough to get going for a lot of folks, here is a site dedicated to win32 snort WINSNORT.com :: Intrusion Detection and it will work with snortsam as he has ported ss to win32.
If you wanted a script that might do this, I'd open another question in the VBScripting TA here on EE for that. A script that parses the event logs, looking for X number of failed events from a single ip address, in X amount of time. If that condition is meet, issue the netsh commands to block that ip indefinitely. See if a whitelist can be used to allow certain ip's to never be firewalled. The script should back up the firewall's settings so that you can easily roll-back if you need to.
C:\>netsh firewall show config >c:\FW_back-up.txt (to write a backup file with the current firewall settings before the block is set)
C:\>netsh firewall set portopening ALL 21 DISABLE CUSTOM x.x.x.x (x.x.x.x is the ip of the offending "attacker")

Look at the netsh /? help commands for further examples, netsh firewall /? netsh firewall set /? etc...
-rich

27-Feb-2007, 07:51 PM	#1 (permalink)
Sangeetha Fixed Error! Posts: 141 Location: Chennai Join Date: Feb 2007 Rep Power: 2 IM:	Block IP After "x" Number of Failed FTP/HTTP Logon Attempts Question: Environment: Internet Connection: Bright House Cable Internet, Standard Cable Modem, Dynamic IP Router/Firewall: D-Link DI-524 (External IP: DHCP on 192.168.0.x Network; Internal IP: 192.168.1.1) Web Server.com :: Hosted Web Applications: Windows XP Professional running IIS (FTP and HTTP), IP address: 192.168.1.10, Norton Antivirus 2005 Physical Connection Looks Like This: Internet ------ Motorola Cable Modem ----- D-Link DI-524 w/firewall enabled ----- Windows XP Pro w/IIS Firewall Rules: Deny Block Bad IP WAN,124.114.97.6 , TCP,* Deny Block Bad IP WAN,203.135.160.34 , TCP,* Deny Block Bad IP WAN,222.62.149.99 , TCP,* Allow FTP WAN,* LAN,192.168.1.10 TCP,21 Allow HTTP WAN,* LAN,192.168.1.10 TCP,80 Allow Ping WAN port WAN,* LAN,192.168.1.1 ICMP,8 Deny Default , LAN,* , Allow Default LAN,* , , The first three rules, I manually created and edit them to block an IP address of anyone that I find is currently trying to gain access using a brute force attack, which seems to be nightly. The only traffic allowed through the firewall is either on port 80 (HTTP) or port 21 (FTP). Nothing else is allowed through. Desired Outcome: Currently, if I notice that there is an excessive amount of network activity on the workstation (I monitor the activity lights on the router), I look in the IIS logs located in the subfolders under C:\Windows\System32\LogFiles. I check to see what they are trying to access, which is usually FTP, and copy their IP address. I then sign on to the DI-524 and go into the firewall rules and change the IP address in the "Block Bad IP" rule so that they are no longer allowed. I accomplish my desired outcome because they are blocked, but I have to constantly monitor and manually edit the rules. What I would like is for Windows to handle monitoring attempts to sign in and block their IP Address if it finds that there are too many failed attempts to authenticate as a specific user within a given amount of time. In other words, if Windows (or IIS) sees that there are five failed attempts to sign in to FTP using the "Administrator" account from the same IP address within a five minute window, I want it to block the IP address for thirty minutes. I would prefer to accomplish this with minimal monetary investment -- preferably freeware. Please refrain from posting flames about Windows, IIS, Norton, the router, and etc

27-Feb-2007, 07:51 PM	#2 (permalink)
Sangeetha Fixed Error! Posts: 141 Location: Chennai Join Date: Feb 2007 Rep Power: 2 IM:	Re: Block IP After "x" Number of Failed FTP/HTTP Logon Attempts I can't find any workaround for IIS 5.1, Apache can do this, and it's more secure by default and also the most used web server on the net as well. Snort can be tough to get going for a lot of folks, here is a site dedicated to win32 snort WINSNORT.com :: Intrusion Detection and it will work with snortsam as he has ported ss to win32. If you wanted a script that might do this, I'd open another question in the VBScripting TA here on EE for that. A script that parses the event logs, looking for X number of failed events from a single ip address, in X amount of time. If that condition is meet, issue the netsh commands to block that ip indefinitely. See if a whitelist can be used to allow certain ip's to never be firewalled. The script should back up the firewall's settings so that you can easily roll-back if you need to. C:\>netsh firewall show config >c:\FW_back-up.txt (to write a backup file with the current firewall settings before the block is set) C:\>netsh firewall set portopening ALL 21 DISABLE CUSTOM x.x.x.x (x.x.x.x is the ip of the offending "attacker") Look at the netsh /? help commands for further examples, netsh firewall /? netsh firewall set /? etc... -rich

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)