查看我的ftp-server日志文件,我发现了很多暴力攻击,其中相同的IP地址尝试100个用户名/密码组合.
我能做些什么来让这些蛮力攻击者的生活更加艰难吗?如果登录尝试失败,那么类似IP的东西会被锁定x次?
服务器是Microsoft Windows Server 2008.
有关解决此问题的代码,请参阅此
post from the IIS newsgroup
'**************************************************************************** ' This script created by Chrissy LeMaire (clemaire@gmail.com) ' Website: http://netnerds.net/ ' ' NO WARRANTIES,etc. ' ' This script instantly bans IP addresses trying to login to FTP ' using the NT account "Administrator" ' ' Run this script on the FTP server. It sits in the back and waits for an ' event viewer "push" that lets it know someone Failed FTP authentication. ' ' This script has only been tested on Windows Server 2003. It assumes,as it ' should,that there are no legitimate Administrator account FTP logins. ' ' "What it does" ' 1. Sets an Async Event Sink to notify the script when someone fails MS-FTP auth ' 2. When alerted,the script parses the last day's FTP logs for all FTP sites (this ' is because the Event Viewer doesn't tell you which FTP site,if you have more than ' one,is the one getting hit) ' 3. Compiles the list of IPs to be banned and then bans them using IIS /and/ ' IP level banning (thanks Spencer @ netortech.com for the idea) '***************************************************************************** ' Push Event Viewer Alert Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2") Set eventSink = wscript.CreateObject("WbemScripting.SWbemSink","EVSINK_") strWQL = "Select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100" objWMIService.ExecNotificationQueryAsync eventSink,strWQL ' Keep it going forever While (True) Wscript.Sleep(1000) Wend Sub EVSINK_OnObjectReady(objObject,objAsyncContext) If InStr(LCase(objObject.TargetInstance.Message),"administrator") > 0 Then Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC") Set WshShell = CreateObject("WScript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") Set objLog = CreateObject("MSWC.IISLog") Set objDictionary = CreateObject("Scripting.Dictionary") Set objFTPIPSec = objFTPSVC.IPSecurity 'Get IP address of server so we can use it later to give the offending IP a bad route Set IPConfigSet = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE") for each IPConfig in IPConfigSet if Not IsNull(IPConfig.DefaultIPGateway) then serverIP = IPConfig.IPAddress(0) Next Set IPConfigSet = Nothing 'Iterate through each FTP site. See #2 up above. For Each objSITE in objFTPSVC If lcase(objSITE.class) = "iisftpserver" Then ftpLogFilePath = WshShell.ExpandEnvironmentStrings(objSITE.LogFileDirectory) & "\msftpsvc" & objSITE.Name Set objFolder = objFSO.GetFolder(ftpLogFilePath) Set objFiles = objFolder.Files For Each fileName In objFiles lastFile = fileName Next strLogFile = lastFile Set file = Nothing Set objFolder = Nothing 'Use the IIS log file parser provided by MSFT objLog.OpenLogFile strLogFile,1,"MSFTPSVC",0 '(FileName,IOMode,ServiceName,ServiceInstance,OutputLogFileFormat) ' 0 = NotApplicable,1 = ForReading While NOT objLog.AtEndOfLog objLog.ReadLogRecord If LCase(objLog.URIStem) = "administrator" Then ClientIP = objLog.ClientIP If objDictionary.Exists(ClientIP) = False Then 'Kill the route to the machine then add it to the array of banned IPs. Set WshShell = WScript.CreateObject("WScript.Shell") WshShell.Run "ROUTE ADD " & clientIP & " MASK 255.255.255.255 " & serverIP,True Set WshShell = Nothing objDictionary.Add ClientIP,"255.255.255.255" '255 is just there for padding. End If End If Wend objLog.CloseLogFiles 1 End If Next 'Append the newly banned IPs to the currently banned IPs If objDictionary.Count > 0 And objFTPIPSec.GrantByDefault = True Then bannedIPArray = objFTPIPSec.IPDeny For i = 0 to ubound(bannedIPArray) clientIP = Left(bannedIPArray(i),InStr(bannedIPArray(i),",")-1) If objDictionary.Exists(ClientIP) = False Then objDictionary.Add bannedIPArray(i),"255.255.255.255" End If Next objFTPIPSec.IPDeny = objDictionary.Keys objFTPSVC.IPSecurity = objFTPIPSec objFTPSVC.SetInfo End If Set objFTPIPSec = Nothing Set objDictionary = Nothing Set objLog = Nothing Set objFSO = Nothing Set objFTPSVC = Nothing End If End Sub