Windows-Server-2008

防止 Microsoft FTP 伺服器 (IIS6/7) 中的暴力攻擊

  • July 18, 2009

查看我的 ftp 伺服器日誌文件,我發現了很多暴力攻擊,其中相同的 IP 地址嘗試了 100 多個使用者名/密碼組合。

我能做些什麼來讓這些暴力攻擊者更難得逞嗎?例如,若同一 IP 登入失敗 y 次,就將該 IP 封鎖 x 段時間?

伺服器是 Microsoft Windows Server 2008。

請參閱IIS 新聞組中的這篇文章以獲取一些解決問題的程式碼

下面還有 Chrissy LeMaire 的指令碼

'****************************************************************************
' This script created by Chrissy LeMaire (clemaire@gmail.com)
' Website: http://netnerds.net/
'
' NO WARRANTIES, etc.
'
' This script instantly bans IP addresses trying to login to FTP
' using the NT account "Administrator"
'
' Run this script on the FTP server. It sits in the back and waits for an 
' event viewer "push" that lets it know someone failed FTP authentication.
'
' This script has only been tested on Windows Server 2003. It assumes, as it 
' should, that there are no legitimate Administrator account FTP logins.
'
' "What it does"
' 1. Sets an Async Event Sink to notify the script when someone fails MS-FTP auth
' 2. When alerted, the script parses the last day's FTP logs for all FTP sites (this
'    is because the Event Viewer doesn't tell you which FTP site, if you have more than
'    one, is the one getting hit)
' 3. Compiles the list of IPs to be banned and then bans them using IIS /and/
'    IP level banning (thanks Spencer @ netortech.com for the idea)
'*****************************************************************************

' Subscribe to Event Log notifications.
' The WMI connection is opened with the Security privilege enabled, and the
' sink is created with the "EVSINK_" prefix so that WMI callbacks are routed
' to EVSINK_OnObjectReady below. The query fires for every new event-log
' record whose source is MSFTPSVC and whose event code is 100.
' NOTE(review): the header says this was only tested on Windows Server 2003;
' confirm that the FTP service in use still logs under the MSFTPSVC source.
Dim objWMIService, eventSink, notificationQuery

notificationQuery = "Select * from __InstanceCreationEvent where TargetInstance isa  'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100"

Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set eventSink = WScript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")
objWMIService.ExecNotificationQueryAsync eventSink, notificationQuery

' Stay resident: the script has to remain alive for the asynchronous sink to
' receive events, so idle in one-second naps until the host is terminated.
Do
   WScript.Sleep 1000
Loop

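Sub EVSINK_OnObjectReady(objObject, objAsyncContext)
 ' Event-sink callback, invoked for each Event Log record delivered by the
 ' notification query registered at the top of the script.
 '
 ' What it does when the event message mentions "administrator":
 '   1. Looks up a local IP address to use as a dead-end gateway.
 '   2. For every FTP site, opens the most recently modified log file and
 '      collects the client IP of each record whose URI stem is "administrator".
 '   3. Adds a host route for each new offender and merges the offenders into
 '      the FTP service's IIS deny list.
 '
 ' Operational caveats for whoever deploys this:
 '   - Only the literal account name "administrator" triggers a ban, and a single
 '     attempt is enough; there is no failure threshold and no expiry.
 '   - ROUTE ADD is issued without -p, so the routes do not survive a reboot;
 '     the IIS deny entries are written with SetInfo and do persist.
 '   - Every ban changes routing and service configuration, so the deny list
 '     should be reviewed periodically for addresses banned by mistake.
 '
 ' Parameters:
 '   objObject       - the event object; TargetInstance.Message is inspected.
 '   objAsyncContext - supplied by the sink, unused here.
 Dim objFTPSVC, WshShell, objFSO, objLog, objDictionary, objFTPIPSec
 Dim IPConfigSet, IPConfig, serverIP, objSITE, ftpLogFilePath
 Dim logFile, strLogFile, newestStamp, ClientIP
 Dim bannedIPArray, i, existingEntry, existingIP, commaPos

 If InStr(LCase(objObject.TargetInstance.Message), "administrator") = 0 Then Exit Sub

 Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")
 Set WshShell = CreateObject("WScript.Shell")
 Set objFSO = CreateObject("Scripting.FileSystemObject")
 Set objLog = CreateObject("MSWC.IISLog")
 Set objDictionary = CreateObject("Scripting.Dictionary")
 Set objFTPIPSec = objFTPSVC.IPSecurity

 ' Find an address of this server; it is used as the gateway of the host
 ' route so that replies to the offending IP go nowhere.
 ' When several adapters have a default gateway, the last one enumerated wins.
 Set IPConfigSet = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE")
 For Each IPConfig In IPConfigSet
   If Not IsNull(IPConfig.DefaultIPGateway) Then serverIP = IPConfig.IPAddress(0)
 Next
 Set IPConfigSet = Nothing

 ' The event does not say which FTP site was hit, so every site is scanned.
 For Each objSITE In objFTPSVC
   If LCase(objSITE.Class) = "iisftpserver" Then
     ftpLogFilePath = WshShell.ExpandEnvironmentStrings(objSITE.LogFileDirectory) & "\msftpsvc" & objSITE.Name

     ' Choose the newest log explicitly. The original kept whichever file the
     ' folder enumeration returned last, which is not a documented ordering,
     ' and reused the previous site's file when a folder was empty.
     strLogFile = ""
     newestStamp = CDate(0)
     If objFSO.FolderExists(ftpLogFilePath) Then
       For Each logFile In objFSO.GetFolder(ftpLogFilePath).Files
         If Len(strLogFile) = 0 Or logFile.DateLastModified > newestStamp Then
           strLogFile = logFile.Path
           newestStamp = logFile.DateLastModified
         End If
       Next
     End If

     If Len(strLogFile) > 0 Then
       ' Use the IIS log file parser provided by MSFT.
       ' (FileName,IOMode,ServiceName,ServiceInstance,OutputLogFileFormat)
       ' 0 = NotApplicable, 1 = ForReading
       ' NOTE(review): ServiceInstance is fixed at 1 for every site - confirm
       ' this does not filter out records of the other sites.
       objLog.OpenLogFile strLogFile, 1, "MSFTPSVC", 1, 0
       While Not objLog.AtEndOfLog
         objLog.ReadLogRecord
         If LCase(objLog.URIStem) = "administrator" Then
           ClientIP = objLog.ClientIP
           ' The address is concatenated into a command line, so only a plain
           ' dotted-quad value is accepted; anything else is ignored.
           If IsDottedQuadIPv4(ClientIP) Then
             If Not objDictionary.Exists(ClientIP) Then
               ' Without a server address the ROUTE command would be
               ' malformed, so only the IIS-level ban is applied in that case.
               If Len(serverIP) > 0 Then
                 ' The shell object created above is reused. The original
                 ' re-created it here and then set it to Nothing, which made
                 ' ExpandEnvironmentStrings fail on the next site.
                 WshShell.Run "ROUTE ADD " & ClientIP & " MASK 255.255.255.255 " & serverIP, 1, True
               End If
               objDictionary.Add ClientIP, "255.255.255.255" '255 is just there for padding.
             End If
           End If
         End If
       Wend
       objLog.CloseLogFiles 1
     End If
   End If
 Next

 ' Merge the existing deny list into the new one. This is only done when the
 ' service grants access by default, i.e. when the deny list is the list in use.
 If objDictionary.Count > 0 And objFTPIPSec.GrantByDefault = True Then
   bannedIPArray = objFTPIPSec.IPDeny
   If IsArray(bannedIPArray) Then
     For i = 0 To UBound(bannedIPArray)
       existingEntry = bannedIPArray(i)
       ' Existing entries look like "ip, mask"; tolerate entries without a
       ' comma instead of failing on Left(..., -1).
       commaPos = InStr(existingEntry, ",")
       If commaPos > 0 Then
         existingIP = Trim(Left(existingEntry, commaPos - 1))
       Else
         existingIP = Trim(existingEntry)
       End If
       If Not objDictionary.Exists(existingIP) And Not objDictionary.Exists(existingEntry) Then
         objDictionary.Add existingEntry, "255.255.255.255"
       End If
     Next
   End If

   objFTPIPSec.IPDeny = objDictionary.Keys
   objFTPSVC.IPSecurity = objFTPIPSec
   objFTPSVC.SetInfo
 End If

 Set objFTPIPSec = Nothing
 Set objDictionary = Nothing
 Set objLog = Nothing
 Set objFSO = Nothing
 Set WshShell = Nothing
 Set objFTPSVC = Nothing
End Sub

' Returns True when strCandidate consists of four dot-separated groups of one
' to three digits. This is a shape check only; it does not verify the range
' of each octet.
Function IsDottedQuadIPv4(strCandidate)
 Dim objRegExp
 Set objRegExp = New RegExp
 objRegExp.Pattern = "^\d{1,3}(\.\d{1,3}){3}$"
 IsDottedQuadIPv4 = objRegExp.Test(strCandidate & "")
 Set objRegExp = Nothing
End Function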

引用自:https://serverfault.com/questions/42396