Automatically banning an IP address in IIS FTP
Posted by: frijoles 3/5/2007
We've been having a horrible time with zombie attacks against our IIS FTP server for a long time now. Almost every Saturday night, like clockwork, they start their attack. They attempt to log in with account names that systems commonly have: administrator, oracle, mysql, admin, etc. I don't care much, since those accounts don't even exist on our box. I just get annoyed with seeing them in my log files and filling up my event log. Up until today, I have been banning the IP addresses by hand. No more.

I had 100 megs of log files over the weekend. That was the last straw. After quite a bit of searching and messing around, I found a script (on blog.netnerds.net) that solves the problem. Below is a step-by-step walkthrough on how to set this script up to run as a service.

The following is how I solved this problem on our Windows 2003 server (running the Web edition of Win2k3).

First off, you need to grab the script file from the site mentioned above (blog.netnerds.net) and put it on your server. Mine is in c:\scripts. I named it BanIP.vbs before I realized there was a button on the site to download it as banftpips.vbs.

Next, you'll need two files from the MS resource kit, Srvany.exe and Instsrv.exe. You can get the resource kit from Microsoft. Download the executable and run it on your work computer or dev box; you only need the two files mentioned above, not the whole thing. Put these two files in the same directory as the script to make the next steps easier.

Open up a command prompt and change to the scripts directory. Enter the following command to register srvany as a service:

C:\Scripts\instsrv.exe BanIP C:\Scripts\Srvany.exe

This will create a registry setting. Use regedit to open up the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BanIP

Create a new key and call it Parameters

In the Parameters key, create a new String Value called Application. Set the value of Application to the command line that runs the script:

C:\Windows\System32\CScript.exe C:\Scripts\BanIP.vbs

Open up your Services console. You should see BanIP there. Click the start icon if it's not already running. Using a separate computer to test with, connect to your FTP site and try to log in as administrator with a bad password. I can't stress this enough: use a different computer than your primary box, because the IP address will be banned for the entire site. You can see the ban in the routing table by running 'route print' at the command prompt, and you can remove it with 'route delete <ip address>'. There is also a new deny entry in the FTP site's security settings.

It's a great script, and fairly easy to modify. For more help on the script itself, check out the site and read the comments; there's lots of good stuff there. Special thanks to the author, Chrissy. This should really cut down on our zombie problems.

Comments (17)
Re: Automatically banning an IP address in IIS FTP    By Zaw Htwe on 4/26/2007
Hi,
I tried all the steps but I got a message when I started the BanIP service: "The BanIP service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service". And the service stops. I installed it on Windows 2k3 Server. Is there any solution?
Thanks
Zaw

Re: Automatically banning an IP address in IIS FTP    By Frijoles on 4/26/2007
Interesting. I haven't seen that. What I'd suggest is trying to run the script outside of the service to start with and see if it continues to run or if it crashes out (you can see the process as wscript). If it runs there without any problems, it might be possible to run it using a different program that converts it to a service. The one I listed above from MS is one that we had used before, but I know there are others out there.

Anyway, try it outside of the service and see what happens there.

Re: Automatically banning an IP address in IIS FTP    By Zaw Htwe on 4/26/2007
Hi Frijoles,

Sorry, I made a mistake when I created the registry key. Now it's solved. BTW, do you know how I can stop that script? Is it simply a matter of disabling the 'BanIP' service? Do you know how to remove a banned IP?
Thanks again
Zaw

Re: Automatically banning an IP address in IIS FTP    By Frijoles on 4/26/2007
You can set the service to start manually (or disable it). That will stop it. To clean it up, you'll need to use the 'route' command to remove the entries it made, as well as cleaning up the IIS FTP security stuff (where it blocks the IP addresses). Make sure you move the log files somewhere else first, however, since the script will look at the log files and reban the IP address if it sees it again (this caused me some headaches originally since I didn't know it did that).

I've been running it now since I posted this article, and the attempts at breaking in are way down. The routes look like they reset eventually, either via an update we did, or something else, but the IIS settings are still there. Our log files are much smaller, and I don't have to constantly check the site to see if someone is breaking in. I set it up to run off of several keywords and haven't had any problems.

Glad to hear you got it working.

Re: Automatically banning an IP address in IIS FTP    By Zaw Htwe on 4/27/2007
I found two places where we place "administrator" in the script. So if I want to ban with other names or keywords, need I have to put those keywords at those two locations in the script?

Re: Automatically banning an IP address in IIS FTP    By Frijoles on 4/27/2007
I _think_ this is how it's working... like I mentioned, the actual script isn't mine. But basically the first spot you see that, it triggers the code that scans the log files (according to the notes at the very top of the script). The second spot is where it is actually looking for the usernames to ban. I put admin and administrator in the first spot:

If InStr(LCase(objObject.TargetInstance.Message),"administrator") > 0 OR InStr(LCase(objObject.TargetInstance.Message),"admin") > 0 Then

And in the second spot I put the rest of the keywords:

If sUsername = "administrator" OR sUsername = "mysql" OR sUsername = "admin" Then

So basically, if they do admin/administrator, it will trigger the log scanning, which will also ban any attempts at 'mysql'. But mysql will not trigger the script. Since admin/administrator were the two largest failed attempts, I used those to set things off. If we had more, I'd probably throw them in to both places just to be safe. If you have a massive list, you may want to consider using an array or just a delimited string and using instr on it. Might be easier to maintain.
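As an added example (not the netnerds script, and not code from this post), here is the log-scan step described above written in Python: it reads IIS 6 FTP W3C log lines, pairs each USER announcement with the PASS verdict on the same connection, and reports the client IPs that failed to log in with a name from a delimited watch list, the maintenance-friendly form suggested in this comment. The log field order and the sample lines are assumptions, constructed for the example.

```python
import re
from collections import Counter

# Delimited watch list, as the comment suggests; split once, compare lowercase.
WATCHED_USERNAMES = "administrator,admin,oracle,mysql"
FAILED_LOGIN_STATUS = "530"   # FTP "not logged in" reply code

# Constructed sample log, not real traffic. Assumed IIS 6 FTP W3C field
# order: time c-ip cs-method cs-uri-stem sc-status.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:12:03 203.0.113.7 [1]USER administrator 331
01:12:03 203.0.113.7 [1]PASS - 530
01:12:04 203.0.113.7 [1]USER oracle 331
01:12:04 203.0.113.7 [1]PASS - 530
01:15:10 198.51.100.4 [2]USER frijoles 331
01:15:10 198.51.100.4 [2]PASS - 530
01:15:20 198.51.100.4 [2]USER frijoles 331
01:15:20 198.51.100.4 [2]PASS - 230
01:20:00 192.0.2.9 [3]USER MySQL 331
01:20:00 192.0.2.9 [3]PASS - 530
"""

METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")   # "[1]USER" -> ("1", "USER")

def failed_watched_logins(log_text, watched=WATCHED_USERNAMES):
    """Return Counter {client_ip: failed logins that used a watched name}.
    A USER line only announces the name; the verdict is on the following
    PASS line of the same connection, so the name is held per (ip, conn)."""
    watch = {u.strip().lower() for u in watched.split(",") if u.strip()}
    pending = {}        # (ip, conn_id) -> username just announced
    hits = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue    # header lines
        fields = line.split()
        if len(fields) < 5:
            continue    # malformed line, skip rather than crash
        _time, ip, method_field, target, status = fields[:5]
        m = METHOD_RE.match(method_field)
        if not m:
            continue
        conn_id, method = m.groups()
        if method == "USER":
            pending[(ip, conn_id)] = target
        elif method == "PASS":
            user = pending.pop((ip, conn_id), "")
            if status == FAILED_LOGIN_STATUS and user.lower() in watch:
                hits[ip] += 1
    return hits

def ips_to_ban(log_text, watched=WATCHED_USERNAMES, threshold=1):
    """IPs with at least `threshold` failures (the post bans on the first)."""
    counts = failed_watched_logins(log_text, watched)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

The caller is expected to hand the returned IPs to whatever ban mechanism is in use (the post uses a route entry plus an IIS FTP deny entry); a legitimate user mistyping their own password, like 198.51.100.4 above, is never listed.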

Remote Auto Installer    By Eric Greer on 5/23/2007
http://blog.integrii.net/?p=18 - I created a remote installer (including registry entries) using psexec. This automates your whole process with a little tuning! Email me for blog link exchange! eric@briworks.com

Re: Automatically banning an IP address in IIS FTP    By allan on 8/8/2007
I can not get this script to work. I followed the instructions, step by step and I get the error Zaw Htwe had when trying to start service.

When I ran C:\Scripts\instsrv.exe BanIP C:\Scripts\Srvany.exe
I got a "Service created successfully" .. something like that...

When I added the registry key, do I rename the file to banftpips.vbs ? or use this line...
C:\Windows\System32\CScript.exe C:\Scripts\BanIP.vbs

Re: Automatically banning an IP address in IIS FTP    By Frijoles on 8/8/2007
You should be using the second line in your question above. My Application registry setting is:

c:\windows\system32\cscript.exe c:\scripts\banip.vbs

The script itself is still called BanIP.vbs, located in that scripts directory. The "banftpips.vbs" is the original name of the script, so if you are using that, then the registry key will reference it instead of BanIP.vbs. So basically, "BanIP.vbs" is my naming for it since I didn't rename it. "BanFTPIPs.vbs" is the original name if you did a save-as to copy it from the original netnerds site. Does that clear it up?

Re: Automatically banning an IP address in IIS FTP    By allan on 9/3/2007
Still can not get the script to run as a service. I even uninstalled that service, and reinstalled it but still get that popup error...

Re: Automatically banning an IP address in IIS FTP    By Frijoles on 9/4/2007
I just went through this again on my XP machine (had to make sure to get the XP resource kit and not the 2003), and didn't have any issues with it. I'd say to verify that CScript is where it should be and try to run it manually like that. If it works, then double check the parameter setting (it functions as a folder in regedit) and make sure the application string is set correctly.

You could also just try Eric's auto installer. I haven't tried it, but it might be easier to use:

http://blog.integrii.net/?p=18

You may want to update CSCRIPT to WSCRIPT    By Pedro Rodriguez on 11/13/2007
The script was updated on Chrissy's site and your instructions still reflect the old name.

Re: Automatically banning an IP address in IIS FTP    By allan on 2/21/2008
c:\windows\system32\cscript.exe c:\scripts\banip.vbs lol.

Re: Automatically banning an IP address in IIS FTP    By frijoles on 2/21/2008
Looks like the original site has shuffled their links around as well.

Re: Automatically banning an IP address in IIS FTP    By frijoles on 2/21/2008
Since this blog entry won't let me update it, the original script can now be found at:

http://blog.netnerds.net/2006/07/iis-instantly-ban-ips-attempting-to-login-to-ms-ftp-as-administrator/

Banned IPs    By pross on 5/6/2008
I've just run this script as suggested and it worked straight away! Brilliant, it stopped the attack dead, but when I try to see the banned IP from 'route print' there is nothing there except my own IPs. Am I missing something or is that as it should be?

Strange Admin Login Issue    By Evan on 5/19/2008
This is weird... I think the script is working, but when I try to log in as Administrator it keeps allowing me to log in (i.e. lists folders, files are accessible, etc). I removed all groups except ftpadmins and ftpusers from the root FTP dir and checked all the other directories for any admin access, but there is none! I even tried denying all permissions to the administrators account.

Even when I try accessing the folder via Explorer it tells me "Access Denied." Why is it letting me log in via FTP though?

I know this is a bit off topic, but the script isn't working because the failed login attempt log entry is never being generated.

Copyright 2006 by mscorlib.com