Windows-Server-2008
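Preventing brute-force attacks against Microsoft FTP server (IIS6/7)
Looking through my FTP server's log files, I found a lot of brute-force attacks in which the same IP address tried more than 100 username/password combinations.
Is there anything I can do to make life harder for these brute-force attackers? Something like the IP getting locked out for x time if there were y failed login attempts?
The server is Microsoft Windows Server 2008.
See this post in the IIS newsgroup for some code that solves the problem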
'****************************************************************************
' This script created by Chrissy LeMaire (clemaire@gmail.com)
' Website: http://netnerds.net/
'
' NO WARRANTIES, etc.
'
' This script instantly bans IP addresses trying to login to FTP
' using the NT account "Administrator"
'
' Run this script on the FTP server. It sits in the back and waits for an
' event viewer "push" that lets it know someone failed FTP authentication.
'
' This script has only been tested on Windows Server 2003. It assumes, as it
' should, that there are no legitimate Administrator account FTP logins.
'
' "What it does"
' 1. Sets an Async Event Sink to notify the script when someone fails MS-FTP auth
' 2. When alerted, the script parses the last day's FTP logs for all FTP sites (this
'    is because the Event Viewer doesn't tell you which FTP site, if you have more than
'    one, is the one getting hit)
' 3. Compiles the list of IPs to be banned and then bans them using IIS /and/
'    IP level banning (thanks Spencer @ netortech.com for the idea)
'*****************************************************************************

' Push Event Viewer Alert
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set eventSink = wscript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")
strWQL = "Select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink,strWQL

' Keep it going forever
While (True)
    Wscript.Sleep(1000)
Wend

Sub EVSINK_OnObjectReady(objObject, objAsyncContext)
    If InStr(LCase(objObject.TargetInstance.Message),"administrator") > 0 Then
        Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")
        Set WshShell = CreateObject("WScript.Shell")
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objLog = CreateObject("MSWC.IISLog")
        Set objDictionary = CreateObject("Scripting.Dictionary")
        Set objFTPIPSec = objFTPSVC.IPSecurity

        'Get IP address of server so we can use it later to give the offending IP a bad route
        Set IPConfigSet = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE")
        For Each IPConfig In IPConfigSet
            If Not IsNull(IPConfig.DefaultIPGateway) Then serverIP = IPConfig.IPAddress(0)
        Next
        Set IPConfigSet = Nothing

        'Iterate through each FTP site. See #2 up above.
        For Each objSITE In objFTPSVC
            If LCase(objSITE.class) = "iisftpserver" Then
                ftpLogFilePath = WshShell.ExpandEnvironmentStrings(objSITE.LogFileDirectory) & "\msftpsvc" & objSITE.Name
                Set objFolder = objFSO.GetFolder(ftpLogFilePath)
                Set objFiles = objFolder.Files
                'Walk the folder; the last file enumerated is taken as the current log
                For Each fileName In objFiles
                    lastFile = fileName
                Next
                strLogFile = lastFile
                Set objFiles = Nothing
                Set objFolder = Nothing

                'Use the IIS log file parser provided by MSFT
                objLog.OpenLogFile strLogFile, 1, "MSFTPSVC", 1, 0
                '(FileName,IOMode,ServiceName,ServiceInstance,OutputLogFileFormat)
                ' 0 = NotApplicable, 1 = ForReading
                While Not objLog.AtEndOfLog
                    objLog.ReadLogRecord
                    If LCase(objLog.URIStem) = "administrator" Then
                        ClientIP = objLog.ClientIP
                        If objDictionary.Exists(ClientIP) = False Then
                            'Kill the route to the machine then add it to the array of banned IPs.
                            'The WshShell created at the top of the Sub is reused here; the
                            'original set it to Nothing at this point, which broke
                            'ExpandEnvironmentStrings for the next FTP site in the loop.
                            WshShell.Run "ROUTE ADD " & clientIP & " MASK 255.255.255.255 " & serverIP, 1, True
                            objDictionary.Add ClientIP, "255.255.255.255" '255 is just there for padding.
                        End If
                    End If
                Wend
                objLog.CloseLogFiles 1
            End If
        Next

        'Append the newly banned IPs to the currently banned IPs
        If objDictionary.Count > 0 And objFTPIPSec.GrantByDefault = True Then
            bannedIPArray = objFTPIPSec.IPDeny
            For i = 0 To UBound(bannedIPArray)
                clientIP = Left(bannedIPArray(i),InStr(bannedIPArray(i),",")-1)
                If objDictionary.Exists(ClientIP) = False Then
                    objDictionary.Add bannedIPArray(i), "255.255.255.255"
                End If
            Next
            objFTPIPSec.IPDeny = objDictionary.Keys
            objFTPSVC.IPSecurity = objFTPIPSec
            objFTPSVC.SetInfo
        End If

        'Release COM objects
        Set WshShell = Nothing
        Set objFTPIPSec = Nothing
        Set objDictionary = Nothing
        Set objLog = Nothing
        Set objFSO = Nothing
        Set objFTPSVC = Nothing
    End If
End Sub
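
The question asks for a lockout after y failed attempts within x time, whereas the script above bans only on Administrator logins. The following added example (not part of the original answer or of Chrissy LeMaire's script) counts failed PASS commands (status 530) per client IP in a sliding time window over an IIS FTP W3C log and returns the addresses that cross the threshold; the log lines, field list, thresholds and function names are constructed for illustration, and a `#Date:` line or a `date` field is assumed to be present.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the W3C layout written by the IIS 6 FTP service.
# The field list is an assumption; the parser follows whatever #Fields declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Date: 2009-06-01 00:00:10
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:00:10 203.0.113.7 [1]USER administrator 331
00:00:11 203.0.113.7 [1]PASS - 530
00:00:13 203.0.113.7 [2]USER admin 331
00:00:14 203.0.113.7 [2]PASS - 530
00:00:20 203.0.113.7 [3]USER test 331
00:00:21 203.0.113.7 [3]PASS - 530
00:05:00 198.51.100.4 [4]USER alice 331
00:05:01 198.51.100.4 [4]PASS - 530
00:05:09 198.51.100.4 [5]USER alice 331
00:05:10 198.51.100.4 [5]PASS - 230
"""

def failed_logins(lines):
    """Yield (timestamp, client_ip) for every PASS answered with 530."""
    fields, day = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#Date:"):
            day = line.split()[1]          # used when records carry no date field
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            is_pass = rec.get("cs-method", "").upper().endswith("PASS")
            if is_pass and rec.get("sc-status") == "530":
                stamp = f"{rec.get('date', day)} {rec['time']}"
                yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), rec["c-ip"]

def ips_to_block(lines, max_failures=3, window=timedelta(minutes=5)):
    """Return IPs with at least max_failures failed logins inside one window."""
    recent, flagged = defaultdict(deque), []
    for when, ip in failed_logins(lines):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG.splitlines()))
```

The returned addresses could be fed into the same IPDeny update that the script above performs.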