IIS-ipblocker v1.2 - By Dave (projects.digi-dl.com) - C code by Scott Burgett


Description: This script will *help* stop automated bruteforce attacks/vulnerability scans on your IIS web server.

Reason for this script: To help stop automated brute force attacks and vulnerability scans. Are you tired of seeing: www.yourdomain.com\\..\\..\\..\\cmd.exe etc... in your web server logs? Since IIS doesn't normally use .htaccess there is no easy way to automate the process of banning IP addresses via IIS.

How it works: This script uses a custom 404 page that logs the IP address and the number of times it has loaded 404_error.pl. If someone loads the 404 page 3 times in succession, their IP address is logged to the banned_ip_list.log file. Every 60 seconds build_deny_list.pl opens banned_ip_list.log and reads the IP address to block. It then generates some C# source, inserts that banned IP into it, and compiles the C# source into an executable binary. This C# program is what actually adds the IP to the IIS deny list. After build_deny_list.pl generates and executes the binary, it deletes both the source and the executable file.
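The 404-counting side of that mechanism, as an added illustration and not the project's own 404_error.pl: the handler reads REMOTE_ADDR, increments a per-IP counter kept in a tab-separated file, and appends the address to banned_ip_list.log the moment the count reaches $limit. The $dir, $limit and banned_ip_list.log names match the README; the counter file name 404_hits.log, the file format and the locking are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example of a counting 404 handler; not the project's 404_error.pl.
# $dir, $limit and banned_ip_list.log follow the README; 404_hits.log and
# its tab-separated "ip<TAB>count" layout are assumptions of this example.
use strict;
use warnings;
use Fcntl qw(:flock);

my $dir   = "C:\\inetpub\\www.yoursite.com\\cgi-bin\\";  # log directory (read/write)
my $limit = 3;                                          # 404s allowed before banning

my $counts_file = $dir . "404_hits.log";        # per-IP counter file (assumed name)
my $banned_file = $dir . "banned_ip_list.log";  # what build_deny_list.pl reads

my $ip = $ENV{REMOTE_ADDR} || '';

# Only count well-formed IPv4 addresses; anything else just gets the 404 page.
my $valid_ip = 0;
if ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
    $valid_ip = 1 unless grep { $_ > 255 } ($1, $2, $3, $4);
}

my $hits = 0;
if ($valid_ip) {
    # Read-modify-write the counter file under an exclusive lock so that
    # concurrent 404 requests from the same scanner cannot lose updates.
    my $fh;
    open($fh, '+<', $counts_file) or open($fh, '+>', $counts_file)
        or die "cannot open $counts_file: $!";
    flock($fh, LOCK_EX) or die "cannot lock $counts_file: $!";

    my %count;
    while (my $line = <$fh>) {
        chomp $line;
        my ($addr, $n) = split /\t/, $line;
        $count{$addr} = $n if defined $n;
    }
    $hits = ++$count{$ip};

    # Rewrite the whole file from the updated hash.
    seek($fh, 0, 0);
    truncate($fh, 0);
    print $fh "$_\t$count{$_}\n" for sort keys %count;
    close $fh;

    # Append the address exactly once, when the count first reaches the limit.
    if ($hits == $limit) {
        open(my $bh, '>>', $banned_file) or die "cannot open $banned_file: $!";
        flock($bh, LOCK_EX) or die "cannot lock $banned_file: $!";
        print $bh "$ip\n";
        close $bh;
    }
}

# Serve a real 404 status so clients and crawlers see the correct code.
print "Status: 404 Not Found\r\n";
print "Content-Type: text/html\r\n\r\n";
print "<html><body><h1>404 Not Found</h1></body></html>\n";
```

Two points worth checking before relying on a handler like this: REMOTE_ADDR is the address of whatever connects to IIS, so behind a reverse proxy or load balancer every 404 appears to come from that proxy and the filter would ban it rather than the scanner; and the counter never decreases, so your own address will eventually cross $limit after a few mistyped URLs unless you exclude it or clear 404_hits.log.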

Set up / Install: First, let's go over a few things that need to be in order before we begin the install process. Make sure you have ActiveState Perl installed and properly configured with IIS; you should be able to run simple Perl scripts via your website before attempting to set this up. You will also need administrative access to the server to set up this program. Once these things are ready, place 404_error.pl and the log files in your cgi-bin directory...see below:



Now you need to set 404_error.pl up as your website's default 404 document. To do this, open the IIS snap-in, select your website, right-click and choose Properties, then choose Custom Errors. Scroll down until you get to 404, highlight it and choose Edit. Then set the Perl script up as a URL...see below:



Now any time someone requests a page that doesn't exist, your Perl 404 page is the page displayed. If they only (accidentally) request it once or twice they will be fine. You can change the variable in the code to allow more or fewer 404 requests (more about this at the end of this doc).

Ideally, you want to place build_deny_list.pl outside the web directory. Once it is where you want it, you can set the program up to run automatically and silently at each system boot. To run build_deny_list.pl as a service, add it to your Scheduled Tasks and make sure to choose "when my computer boots up". This way the script is started even if you don't log in, and no user interaction is needed, see below:



*** You will also need the Microsoft .NET Framework version 1.1.4322 or later installed on your server.

*** All log files must have the usual read/write permissions.

*** You will have to change some variables within the code itself. In the 404_error.pl file you will see:

# The location of log files on webserver (must have read/write permissions)
my $dir="C:\\inetpub\\www.yoursite.com\\cgi-bin\\";

# how many times is visitor allowed to request 404 page
my $limit="3";

And in the build_deny_list.pl you will see:

# The location of the program log files (must have read/write permissions)
my $dir="C:\\inetpub\\www.yoursite.com\\cgi-bin\\";

# Your website IIS identifier number: default is 1
my $id="1"; 

The $dir variable should be the location of your log files. For instance, if I were filling this out I would put:

my $dir="G:\\web_pub\\d\\www.digi-dl.com\\cgi-bin\\";

The $id variable is your website's IIS identifier value...see below:



The default identifier is 1; if I were modifying the $id variable I would enter: 8452278