Securing IIS FTP from brute attacks

The other day I checked out the FTP logs on my server and found that there had been thousands of hits on random usernames like “Administrator”, “Anonymous” and “Guest”. I figured surely there was something built into Windows Server 2003’s IIS that supported brute force prevention, but sadly I came up with nothing.

However, I did discover that someone has written some custom code that goes through the IIS FTP logs, determines who the brute-force attackers are, and subsequently adds them to the block list. You can find the code here: https://groups.google.com/group/microsoft.public.inetserver.iis.security/msg/a300c839bc5ba61d?hl=en
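As an added example (not the code linked above and not the compiled tool), the script below does the detection half of that job: it parses an IIS 6 W3C-format FTP log, counts PASS commands that were answered with a 530 (login failed) per client IP, and lists the sources that cross a threshold. The log lines, IPs and usernames are constructed for the example, and the block-list step is left to whatever mechanism you use.

```python
"""Flag FTP brute-force sources in an IIS 6 W3C-format FTP log."""
from collections import Counter

# Constructed sample log imitating the IIS 6 FTP layout (#Fields header,
# then space-separated records); addresses and usernames are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-01 02:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-03-01 02:00:01 203.0.113.7 - [1]USER Administrator 331 0
2009-03-01 02:00:01 203.0.113.7 - [1]PASS - 530 1326
2009-03-01 02:00:02 203.0.113.7 - [2]USER Guest 331 0
2009-03-01 02:00:02 203.0.113.7 - [2]PASS - 530 1326
2009-03-01 02:00:03 203.0.113.7 - [3]USER Anonymous 331 0
2009-03-01 02:00:03 203.0.113.7 - [3]PASS - 530 1326
2009-03-01 02:05:10 192.0.2.44 - [4]USER webdev 331 0
2009-03-01 02:05:10 192.0.2.44 - [4]PASS - 530 1326
2009-03-01 02:05:20 192.0.2.44 webdev [4]PASS - 230 0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def failed_logins(text):
    """Return a Counter of client IP -> PASS commands answered with 530."""
    failures = Counter()
    for rec in parse_w3c(text):
        # IIS 6 FTP prefixes the verb with a session id, e.g. "[1]PASS".
        if rec.get("cs-method", "").endswith("]PASS") and rec.get("sc-status") == "530":
            failures[rec["c-ip"]] += 1
    return failures


def brute_force_sources(text, threshold=3):
    """Sorted (ip, count) pairs whose failed-login count meets the threshold."""
    return sorted((ip, n) for ip, n in failed_logins(text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins")
```

A single mistyped password (192.0.2.44 above) stays under the threshold, so only the address cycling through well-known account names is reported.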

I have compiled this code into a redistributable application with a couple of minor modifications (see the download link at the bottom of the article). The executable accepts a few parameters, like so:

IISBlockFTP.exe <host_address> <username> <password>

I recommend running it with localhost and Administrator, as that is the most likely success scenario. I haven’t tested it out on any other user accounts, but I doubt other user accounts have access to the files used by IIS.

A couple of requirements to run the EXE are:

  1. Remote Registry service is running
  2. IIS (W3SVC) is stopped

After you have run it once successfully, you could set it up as a scheduled task like I did. The tricky thing here, though, is that (at least on Windows Server 2003) you can’t use the Task Scheduler user interface; you have to use the AT command from the command line. Furthermore, the IIS service needs to be stopped prior to running, and when doing so you probably want to wait a couple of seconds for IIS to finish shutting down in case your IIS process takes a while to stop. So, I have put together a small batch script (which is packaged in the download archive):

rem Stop IIS so the tool can access the files it needs
sc stop w3svc
rem Give the service a few seconds to finish shutting down
timeout 5
rem Replace MyAdministratorPassword123 with your own Administrator password
IISBlockFTP.exe localhost Administrator MyAdministratorPassword123
rem Bring IIS back up
sc start w3svc

This batch script stops IIS, waits for 5 seconds to make sure IIS is stopped, runs the IISBlockFTP executable with the Administrator rights, and then starts IIS again. You can schedule the batch script to run at 2AM every day using the following command:

at \\YOURSERVERNAME 02:00 /every:M,T,W,Th,F,S,Su cmd /c "C:\IISBlockFTP.bat"

Download the package HERE

Posted in: IT
