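Looking at my FTP server's log files, I see a lot of brute-force attacks in which the same IP address tries 100 username/password combinations.
Is there anything I can do to make life harder for these brute-force attackers? Something like: if an IP has x failed login attempts, it gets locked out for x amount of time.
The server is Microsoft Windows Server 2008.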
Check out this post from the IIS newsgroup for some code that addresses this problem.
Below is Chrissy LeMaire's script:
```vbscript
'****************************************************************************
' This script created by Chrissy LeMaire ([email protected])
' Website: http://netnerds.net/
'
' NO WARRANTIES, etc.
'
' This script instantly bans IP addresses trying to login to FTP
' using the NT account "Administrator"
'
' Run this script on the FTP server. It sits in the back and waits for an
' event viewer "push" that lets it know someone failed FTP authentication.
'
' This script has only been tested on Windows Server 2003. It assumes, as it
' should, that there are no legitimate Administrator account FTP logins.
'
' "What it does"
' 1. Sets an Async Event Sink to notify the script when someone fails MS-FTP auth
' 2. When alerted, the script parses the last day's FTP logs for all FTP sites (this
'    is because the Event Viewer doesn't tell you which FTP site, if you have more than
'    one, is the one getting hit)
' 3. Compiles the list of IPs to be banned and then bans them using IIS /and/
'    IP level banning (thanks Spencer @ netortech.com for the idea)
'*****************************************************************************

' Push Event Viewer Alert
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set eventSink = wscript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")
strWQL = "Select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink,strWQL

' Keep it going forever
While (True)
    Wscript.Sleep(1000)
Wend

Sub EVSINK_OnObjectReady(objObject, objAsyncContext)
    If InStr(LCase(objObject.TargetInstance.Message),"administrator") > 0 Then
        Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")
        Set WshShell = CreateObject("WScript.Shell")
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objLog = CreateObject("MSWC.IISLog")
        Set objDictionary = CreateObject("Scripting.Dictionary")
        Set objFTPIPSec = objFTPSVC.IPSecurity

        'Get IP address of server so we can use it later to give the offending IP a bad route
        Set IPConfigSet = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE")
        for each IPConfig in IPConfigSet
            if Not IsNull(IPConfig.DefaultIPGateway) then serverIP = IPConfig.IPAddress(0)
        Next
        Set IPConfigSet = Nothing

        'Iterate through each FTP site. See #2 up above.
        For Each objSITE in objFTPSVC
            If lcase(objSITE.class) = "iisftpserver" Then
                ftpLogFilePath = WshShell.ExpandEnvironmentStrings(objSITE.LogFileDirectory) & "\msftpsvc" & objSITE.Name
                Set objFolder = objFSO.GetFolder(ftpLogFilePath)
                Set objFiles = objFolder.Files
                For Each fileName In objFiles
                    lastFile = fileName
                Next
                strLogFile = lastFile
                Set file = Nothing
                Set objFolder = Nothing

                'Use the IIS log file parser provided by MSFT
                objLog.OpenLogFile strLogFile, 1, "MSFTPSVC", 1, 0
                '(FileName,IOMode,ServiceName,ServiceInstance,OutputLogFileFormat)
                ' 0 = NotApplicable, 1 = ForReading
                While NOT objLog.AtEndOfLog
                    objLog.ReadLogRecord
                    If LCase(objLog.URIStem) = "administrator" Then
                        ClientIP = objLog.ClientIP
                        If objDictionary.Exists(ClientIP) = False Then
                            'Kill the route to the machine then add it to the array of banned IPs.
                            'Reuse the WshShell created above; releasing it here would break
                            'ExpandEnvironmentStrings when the loop reaches the next FTP site.
                            WshShell.Run "ROUTE ADD " & clientIP & " MASK 255.255.255.255 " & serverIP, 1, True
                            objDictionary.Add ClientIP, "255.255.255.255" '255 is just there for padding.
                        End If
                    End If
                Wend
                objLog.CloseLogFiles 1
            End If
        Next

        'Append the newly banned IPs to the currently banned IPs
        If objDictionary.Count > 0 And objFTPIPSec.GrantByDefault = True Then
            bannedIPArray = objFTPIPSec.IPDeny
            For i = 0 to ubound(bannedIPArray)
                clientIP = Left(bannedIPArray(i),InStr(bannedIPArray(i),",")-1)
                If objDictionary.Exists(ClientIP) = False Then
                    objDictionary.Add bannedIPArray(i), "255.255.255.255"
                End If
            Next
            objFTPIPSec.IPDeny = objDictionary.Keys
            objFTPSVC.IPSecurity = objFTPIPSec
            objFTPSVC.SetInfo
        End If

        Set objFTPIPSec = Nothing
        Set objDictionary = Nothing
        Set objLog = Nothing
        Set objFSO = Nothing
        Set WshShell = Nothing
        Set objFTPSVC = Nothing
    End If
End Sub
```
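Just block that IP or subnet from accessing the FTP server. Chances are that IP will never need legitimate access to your FTP server.
You can do this in IIS or via a firewall/ACL.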
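You can change the FTP port.
- Using Internet Service Manager, set the FTP properties to the desired port.
- Apply the changes and stop the service.
- Open the Services file (located in the \System32\Drivers\Etc directory).
- Find the line ftp 21/tcp and change it to reflect the new port.
- Save the file, then run the file Services.exe located in the \System32 directory.
- Restart the FTP service in Internet Service Manager. (From this thread.)
…Alternatively, you can install CopSSH, point it at a high port and use SFTP.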
If you really need FTP on port 21, take a look at FileZilla. It has a built-in anti-hammering feature.
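
The threshold idea from the question (block an IP after x failed logins), as an added example that is not part of the original thread or of any answer's code. It assumes W3C-format FTP logs whose `#Fields` header includes date, time, c-ip, cs-method and sc-status, and that a rejected password is logged as PASS with status 530; the sample log and the names `offenders` and `firewall_rule` are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real traffic. Assumes W3C-format FTP logs with a #Fields header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-03-01 10:00:01 203.0.113.7 - USER administrator 331
2010-03-01 10:00:02 203.0.113.7 - PASS *** 530
2010-03-01 10:00:04 203.0.113.7 - PASS *** 530
2010-03-01 10:00:06 203.0.113.7 - PASS *** 530
2010-03-01 10:05:00 198.51.100.20 - PASS *** 530
2010-03-01 10:05:09 198.51.100.20 alice PASS *** 230
2010-03-01 11:00:00 192.0.2.9 - PASS *** 530
2010-03-01 12:00:00 192.0.2.9 - PASS *** 530
2010-03-01 13:00:00 192.0.2.9 - PASS *** 530
2010-03-01 13:00:01 192.0.2.9 - PASS
"""

def offenders(lines, max_failures=3, window=timedelta(minutes=10)):
    """Map each IP to the time it reached max_failures failed logins within window."""
    fields, recent, flagged = [], defaultdict(deque), {}
    for line in lines:
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]          # column order comes from the log itself
        if line.startswith("#") or len(parts) != len(fields) or not fields:
            continue                    # directives, blank or truncated lines
        rec = dict(zip(fields, parts))
        method = rec.get("cs-method", "").split("]")[-1].upper()  # tolerate "[1]PASS"
        if method != "PASS" or rec.get("sc-status") != "530" or "c-ip" not in rec:
            continue                    # only rejected password attempts count
        try:
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue
        seen = recent[rec["c-ip"]]
        seen.append(ts)
        while ts - seen[0] > window:    # drop failures that fell out of the window
            seen.popleft()
        if len(seen) >= max_failures:
            flagged.setdefault(rec["c-ip"], ts)
    return flagged

def firewall_rule(ip):  # Windows Firewall block rule; the rule name is arbitrary
    return f'netsh advfirewall firewall add rule name="ftp-ban {ip}" dir=in action=block remoteip={ip}'

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(when, firewall_rule(ip))
```

Only 203.0.113.7 is flagged here: 198.51.100.20 fails once and then logs in, and 192.0.2.9 spreads its failures over hours, outside the 10-minute window.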