FTP autoban script for IIS

Scriptorlog

Tuesday, January 2. 2007

Posted by iRobx in VBscript

Comments (6)
Trackback (1)

I host an FTP server using IIS on my home network. One thing that I found extremely annoying was constant probing by internet hackers trying to break into my ftp server by guessing passwords. It was bad enough that they were trying to break in in the first place, but the sheer number of attempts was filling up both my ftp logs as well as my server eventlogs. It got so bad that I decided to do something about it. I looked on the internet and found some code that waited for an event to be written to the system log, then if someone tried logging onto the administrator account it banned the ip address. It was a nice piece of code but not exactly what I was looking for. The hackers didn't always attack the administrator account - in fact most of the time they tried other accounts: test, admin, joe, user, guest, etc. What I wanted was a script that checked for a certain number of failed logins in a time period and when it exceeded say 5 bad passwords in a 10 second interval to ban the ip address. I couldn't find that exact code on the net so I decided to modify the code that was there to do what I wanted.

Here is a link to the original script:

http://blog.netnerds.net/2006/07/iis-instantly-ban-ips-attempting-to-login-to-ms-ftp-as-administrator/

The original script looks at the eventlogs and that is a neat way to do it, since you can hook into the eventlog and execute an action based on an event. In my case, however I wanted to look for a specific case of password denied error status repeated 5 times in 10 seconds. To do this I needed to look directly at the FTP log files. I parse each line in the logfile looking for bad password attempts by grepping out lines containing the string "PASS - - 530". I maintain a running count of bad password attempts per ip address using a Scripting Dictionary Object, a type of array that allows you to use arbitrary strings as a key index. In this case, I used the IP address as the index of counts. When I am done counting I cycle through the collection of IP address and look for any counts greater than 5 and ban them.

The nice thing about creating the script this way is that I can point it at old logfiles in my log directory and it will ban all IP's from failed attacks in the past. The bad thing is that it forces the script to digest the entire logfile with each iteration. Since I plan to run this script every 30 seconds, this can be a lot of extra cpu cycles wasted. To help mitigate this effect I decided to make the process more efficient by only running my script against changes in the most recent logfile since last time the script was run. To do this I created a batch file to execute my vbs script.

###---autobanftp.bat---###



 

:TOP

if exist diff.txt del diff.txt

for /f %%f in ('dir /od C:\WINDOWS\system32\LogFiles\MSFTPSVC1 /b/s') do @set t11=%%f

if exist current.log fc %t11% current.log > diff.txt

findstr /c:"PASS - - 530" diff.txt 

if not errorlevel 1 call autobanftp.vbs diff.txt >> autoban.log

copy %t11% current.log /y



sleep 10

goto :TOP

###---autobanftp.vbs---###





Const ForReading = 1

Dim ips

Set counts = CreateObject("Scripting.Dictionary")

Set objFSOstats = CreateObject("Scripting.FileSystemObject")

Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")

Set objFTPIPSec = objFTPSVC.IPSecurity



If Wscript.Arguments.Count > 0 Then

	strFlag = Wscript.arguments.Item(0)

End If



If IsEmpty(strFlag) Then                'No arguments have been received

	wscript.echo "Must supply an filename"

	wscript.quit

End If



Set objTextFile = objFSOstats.OpenTextFile(strflag, ForReading)



'Read each line and count the number for badpass login attempts per IP

i=0

Do Until objTextFile.AtEndOfStream

    i=i+1

    logline = objTextFile.Readline

    If InStr(logline,"PASS - - 530") Then 

    	parsevar=split(logline)

    	If not counts.exists(parsevar(2)) Then 

    		counts.add parsevar(2),1 

    		wscript.echo "*****"

    		wscript.echo "New IP: " & parsevar(2)

    	Else 

    		counts(parsevar(2))=counts(parsevar(2))+1

   	End If

     End If

Loop



For each ip in Counts.keys

	tempd=date()

	tempt=Time()

	wscript.echo tempd,tempt

	wscript.echo "Counteed " &  counts(ip) & " failed logons on IP: " & ip

	If counts(ip) > 5 Then 

		'Kill the route to the machine then add it to the array of banned IPs.

		wscript.echo "Killing route for ip: " & ip 

		Set WshShell = WScript.CreateObject("WScript.Shell")

		WshShell.Run "ROUTE ADD " & ip & " MASK 255.255.255.255 192.168.1.2", 1, True

		Set WshShell = Nothing

		ftpban(ip)

	End If

Next





Sub ftpban(ipaddress)

	'Append the newly banned IPs to the currently banned IPs  

	

	nogo=0 ' Dont do the ban if the address is already in the deny list

	bannedIPArray = objFTPIPSec.IPDeny

	  Dim newiparray()

	  ReDim newiparray(ubound(bannedIPArray)+1)

	  'wscript.echo newiparray(ubound(bannedIPArray)+1)

	  For i = 0 to ubound(bannedIPArray)

		newiparray(i)=bannedIPArray(i)

	  	'wscript.echo i,newiparray(i)

	  	clientIP = Left(bannedIPArray(i),InStr(bannedIPArray(i),",")-1)

	  	If ipaddress = ClientIP Then nogo=1

	  Next

	

	If not nogo=1 Then 

	

		newiparray(ubound(bannedIPArray)+1)= ipaddress & ",255.255.255.255"

		wscript.echo "Banned: " &ipaddress & ",255.255.255.255"

		

		objFTPIPSec.IPDeny = newiparray

		objFTPSVC.IPSecurity = objFTPIPSec

		objFTPSVC.SetInfo    

	End If	

End Sub

Trackbacks

Trackback specific URI for this entry

How to prevent IIS FTP from attacks?
From time to time, many users asked about how to configure IIS FTP to prevent brute force or dictionary

Weblog: Server: Microsoft-IIS/7.0\r\n
Tracked: May 27, 01:46

Comments

Display comments as (Linear | Threaded)

I would like to use it on W2K Server. Do I need to make any changes/customizations it either the vbs or bat files. Does it matter where on the C drive I will put the two files?

Thx,
Katrin

#1 Anonymous on 2008-02-25 14:05 (Reply)

You can place the scripts anywhere you like, as long as they are both in the same directory. Please note, I am assuming you are using the the first default FTP site and have not changed the default logfile location.

#1.1 Rob on 2008-04-21 09:02 (Reply)

I copied these scripts and when I execute the .vbs script it tells me I must supply a filename, what does this mean? How can this be fixed? I'm new to scripting so I don't use it that much.

#1.1.1 Jeff on 2008-07-02 11:20 (Reply)

The vbs is run with an IIS logfile as a parameter. I should probably have a more descriptive error message. There is a batch file I use for feeding the latest log entries to the vbs script, but you can also run it against old logfiles to pull out and ban bad addresses from the past.

#1.1.1.1 Rob (Homepage) on 2008-07-02 16:20 (Reply)

I cannot get this to work on our Win2k3 server. It enters the route line and adds the IP address to IP Security as denied but people can still ftp to the box (I'm testing from an outsite IP address)... Help!!

#2 Geoff on 2008-12-11 21:29 (Reply)

I just found another script that directly modifies the directory security tab on the properties of the ftp server. If you're configured to allow access to all, then deny the listed addresses, this script will probably suit you. I think it speaks for itself. I added an event create so that a message gets logged to the Application log so that Nagios/Netiq/SCOM can filter and notify (yeah I know you can blat directly from the script too...just trying to maximize our enterprise monitoring software investment)

Anyway here it is - you'll recognize the first half - don't ask what everything does..I just know after a little trial and error I got it to work:

Const ForReading = 1
Dim ips
dim objIpServer
dim objIPSec
dim arHostsRead
dim nCounter
dim IpToaddStr
dim tmpStr
Set counts = CreateObject("Scripting.Dictionary")
Set objFSOstats = CreateObject("Scripting.FileSystemObject")
Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")
Set objFTPIPSec = objFTPSVC.IPSecurity

If Wscript.Arguments.Count > 0 Then
strFlag = Wscript.arguments.Item(0)
End If

If IsEmpty(strFlag) Then 'No arguments have been received
wscript.echo "Must supply an filename"
wscript.quit
End If

Set objTextFile = objFSOstats.OpenTextFile(strflag, ForReading)

'Read each line and count the number for badpass login attempts per IP
i=0
Do Until objTextFile.AtEndOfStream
i=i+1
logline = objTextFile.Readline
If InStr(logline,"PASS - 530") Then
parsevar=split(logline)
If not counts.exists(parsevar(1)) Then
counts.add parsevar(1),1
wscript.echo "*****"
wscript.echo "New IP: " & parsevar(1)
Else
counts(parsevar(1))=counts(parsevar(1))+1
End If
End If
Loop
wscript.echo ip
For each ip in Counts.keys
tempd=date()
tempt=Time()
wscript.echo tempd,tempt
wscript.echo "Counted " & counts(ip) & " failed logons on IP: " & ip
If counts(ip) > 5 Then
'Kill the route to the machine then add it to the array of banned IPs.
wscript.echo "Killing route for ip: " & ip
Set WshShell = WScript.CreateObject("WScript.Shell")
'WshShell.Run "ROUTE ADD " & ip & " MASK 255.255.255.255 192.168.1.2", 1, True
'Set WshShell = Nothing

IpToaddStr=ip & "," & " 255.255.255.0"
wscript.echo "setting" & IpToaddStr
WshShell.Run "C:\WINDOWS\system32\eventcreate.exe /L Application /ID 198 /T INFORMATION /D ""User from " & IpToaddStr & " has triggered a hack warning and has been blocked. If you wish to unblock connections from this IP address, please log on to the IIS Manager for this ftp server, right click on the server under the FTP sites, and from the properties menu, select the Directory Security Tab and remove the ip from the list"""
set objIpServer=GetObject("IIS://localhost/MSFTPSVC/1/root")
objIpServer.getinfo
wscript.echo "Got the IP list object"
SET objIPSec = objIpServer.get("IPSecurity")
wscript.echo "Got IP List"
arHostsRead=objIPSec.IPDeny
for nCounter=0 to ubound(arHostsRead)
tmpStr = arHostsRead(nCounter)
wscript.echo tmpStr
if tmpStr=IpToAddStr then
wscript.echo "The new record is already in the IP list"
wscript.echo "No need to add"
wscript.echo "Program exits"
wscript.quit
return
end if
next
redim preserve arHostsRead (UBound(arHostsRead)+1)
arHostsRead (UBound(arHostsRead)) = IpToAddStr
objIPSec.ipDeny=arHostsRead
objIPSec.grantbydefault=true
objIpServer.put "IPSecurity" ,objIPSec
wscript.echo "Setting info"
objIpServer.setinfo
wscript.echo "Done"
End If
Next

#2.1 Jim on 2009-07-14 14:43 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry