I've done quite a bit of searching on this and I haven't found a
satisfactory answer besides a few expensive add-on packages. I'm
hoping someone has some ideas.

Basically, I'm getting brute forced to death on my IIS FTP sites. They
haven't found their way in yet, but, this weekend, I had 11 different
ip addresses(one in the US, several in Korea, one in Argentena, several
in China, etc) hitting my two different servers(on two different
networks) at a rate of about 25 password attempts per second. I came
in on saturday, blocked(via ip security policy) the 4 addresses that
where busy, then came in this morning(monday) and blocked the
remaining. This sitting around watching log files and blocking
addresses doesn't solve the underlying problem in that I need to be
able to just block an ip after so many attempts.

I used to use a 3rd party FTP server back on NT/2000 because I read at
how horrible IIS was, but as soon as I got Server 2003, I switched to
IIS's FTP. But good lord, this isn't what I call secure when its just
a matter of time before they hit the right combination, no matter how
long/complex I've made my users passwords(which, they've already
complained about).

If any of the IIS team are reading this, give us a "Maximum Password
Tries" and a "Block for how many minutes" capability. Reset the list
when IIS is restarted if you want, but, give us some simple to
configure tools to help curb this problem.

Simple? Don't use FTP. That's the only real solution that is also simple.

It _is_ only a matter of time. And if you leave the users up to change
their passwords they'll get in in seconds or minutes.

A couple of suggestions;

If you have no business need to have the pacific rim access your site via
FTP, block all their class As at the firewall. You can find lists of these
addresses at a lot of anti-spam sites. Don't mess around with single IPs,
they are compromised machines and will probably never come back. They'll
just go on to a different target and set up a new zombie to try your server.
With 10,000s of these machines in each country over there... you will get
tired of it long before they do. Typically, FTP is a "webmaster" tool, not
an end user tool. So you can do this and offer any downloads you need to
them via HTTP.

Better yet, find out the WAN IP addresses of the authorized users, and block
ALL access to FTP except for those. (Use entire C blocks for dynamic users.)

If you don't have access to a real firewall, you can use IIS "security
settings" to sort of do it there. It won't stop the traffic, but it will
keep them from guessing a password. Additional use, is doing that causes
the FTP log in attempt to log the password they are trying.

[quoted text, click to view]

[quoted text, click to view]

Not very simple if you have old softwares that sending tracking
information via FTP up to the server that where written back in 1996
and do not lend themselves to be upgraded. Combined with several web
sites that we host that have various companies updating their sites.
We do have some of our demos available for FTP download, I could
certainly close down that FTP site, but it still leaves several others
that really have to stay online without deticating a huge amount of
resources to rewriting applications and retraining people that have
been happy and healthy for 10 years now.

This is indeed a need without a defined response capability in Windows
(and not just for FTP auth attempts). Some form of host based IPS
(intrusion prevention) within Windows would be welcome.

However, I am concerned in that your post seemed to indicate a
worry that one of these may find the right password, which in turn
implies you are seeing attempts using valid account names.
I deal with runs of auth attempts, but they are dumb (even attempting
login with built-in group names!!) and mostly just bandwidth and cpu
cycle pests. If you must have the exposures the pests probe, and you
have no form of IPS that can detect and block, then you live with it.
If however you are seeing valid account names attempted you do
definitely need to examine all aspects of your exposure to the network.

Roger

[quoted text, click to view]

Upon leaving for the day, I checked logs and promptly shut down another
attack, then, before I could leave, another ip address took over, and
another and another for about 20 addresses.

So, now, a couple of frustrating hours later, I'd like to share the
source code of what I pieced together from various code chunks around
the net. I've got the IISBlockFTPAttempts class used in another app
that runs on a schedule anyway but used this test console app when I
was debugging which someone could set up in scheduler or adapt it to
anything else. It simply runs through each of the FTP sites, checks
for bad password entries in the logs for the day, counts them up, if
the number of attempts from an ip address exceeds a given number, then
it adds that ip address to the denied addresses for all the FTP sites.

using System;
using System.Collections;
using System.Collections.Specialized;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Reflection;
using System.Threading;
using System.Xml;
using System.DirectoryServices;
using System.IO;

namespace IISBlock
{
/// <summary>
/// Summary description for Class1.
/// </summary>
class Class1
{
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main(string[] args)
{
Console.WriteLine("Starting");
IISBlockFTPAttempts ftpb=new
IISBlockFTPAttempts("WEBSERVER1","MyAdmin","MyAdminPass",30);

ftpb.GetBlockList();
ftpb.FTPBlock();

//ftpb.Remove.Add("10.10.10.8");
//ftpb.FTPRemove();

//ftpb.Blocked.Add("10.10.10.8");
//ftpb.FTPBlock();

Console.WriteLine("Finished");
}
}
public class IISBlockFTPAttempts
{
private string ServerName;
private string ServerUserName;
private string ServerPassword;
private int AttemptsBeforeKill;
public ArrayList Blocked=new ArrayList();
public ArrayList Remove=new ArrayList();

public IISBlockFTPAttempts(string ServerName,string
ServerUserName,string ServerPassword,int AttemptsBeforeKill)
{
this.ServerName=ServerName;
this.ServerUserName=ServerUserName;
this.ServerPassword=ServerPassword;
this.AttemptsBeforeKill=AttemptsBeforeKill;
}
public void GetBlockList()
{
SortedList ht=new SortedList();
DateTime dt=DateTime.Now;
string
FileName="ex"+(dt.Year-2000).ToString("00")+dt.Month.ToString("00")+dt.Day.ToString("00")+".log";
DirectoryEntry root = new
DirectoryEntry("IIS://"+ServerName+"/MSFTPSVC",ServerUserName,ServerPassword);
foreach (DirectoryEntry IIS in root.Children)
{
if (IIS.SchemaClassName == "IIsFtpServer")
{
Console.WriteLine(IIS.Name);
string LogFilePath = System.IO.Path.Combine(
IIS.Properties["LogFileDirectory"].Value.ToString(),
"MSFTPSVC"+IIS.Name);
string LogFileName=LogFilePath+"\\"+FileName;
Console.WriteLine(LogFileName);
if(File.Exists(LogFileName))
{
FileStream fs=new
FileStream(LogFileName,FileMode.Open,FileAccess.ReadWrite);
StreamReader sr=new StreamReader(fs);
string s;
while((s=sr.ReadLine())!=null)
{
if(s.IndexOf("PASS - 530")!=-1)
{
string[] fields=s.Split(' ');
if(fields.Length>1)
{
string ip=fields[1].Trim();
if(ht.ContainsKey(ip))
ht[ip]=((int)ht[ip])+1;
else
ht.Add(ip,(int)1);
}
}
}
sr.Close();
fs.Close();
}
IIS.Close();
//IIS.Dispose();
}
}
root.Close();
//root.Dispose();
for(int i=0;i<ht.Count;i++)
{
string ip=(string)ht.GetKey(i);
if((int)ht[ip]>AttemptsBeforeKill)
Blocked.Add(ip);
}
}
public void FTPBlock()
{
DirectoryEntry root = new
DirectoryEntry("IIS://"+ServerName+"/MSFTPSVC",ServerUserName,ServerPassword);
foreach (DirectoryEntry site in root.Children)
{
if (site.SchemaClassName == "IIsFtpServer")
{
Console.WriteLine(site.Name);
DirectoryEntry IIS = new
DirectoryEntry("IIS://"+ServerName+"/MSFTPSVC/"+site.Name+"/root",ServerUserName,ServerPassword);
Type typ = IIS.Properties["IPSecurity"][0].GetType();
object IPSecurity = IIS.Properties["IPSecurity"][0];

Array origIPDenyList = (Array) typ.InvokeMember("IPDeny",
BindingFlags.DeclaredOnly |
BindingFlags.Public | BindingFlags.NonPublic |
BindingFlags.Instance | BindingFlags.GetProperty,
null, IPSecurity, null);

Array.Sort(origIPDenyList);

ArrayList ToAdd=new ArrayList();
for(int i=0;i<Blocked.Count;i++)
{
string block=Blocked[i]+", 255.255.255.255";
bool bAlreadyDone=false;
foreach(string s in origIPDenyList)
{
if(s==block)
{
Console.WriteLine(s+" = "+block);
bAlreadyDone=true;
}
}
if(bAlreadyDone==false)
{
ToAdd.Add(block);
Console.WriteLine("Adding "+block);
}
}
if(ToAdd.Count>0)
{
bool bGrantByDefault = (bool) typ.InvokeMember("GrantByDefault",
BindingFlags.DeclaredOnly |
BindingFlags.Public | BindingFlags.NonPublic |
BindingFlags.Instance | BindingFlags.GetProperty,
null, IPSecurity, null);

if(!bGrantByDefault)
{
typ.InvokeMember("GrantByDefault",
BindingFlags.DeclaredOnly |
BindingFlags.Public | BindingFlags.NonPublic |
BindingFlags.Instance | BindingFlags.SetProperty,
null, IPSecurity, new object[] {true});
}

object[] newIPDenyList = new
object[origIPDenyList.Length+ToAdd.Count];
int i=0;
foreach(string s in origIPDenyList)
{
newIPDenyList[i]=s;
i++;
}
for(int x=0;x<ToAdd.Count;x++)
{
newIPDenyList[i]=(string)ToAdd[x];
i++;
}
Array.Sort(newIPDenyList);

typ.InvokeMember("IPDeny",
BindingFlags.DeclaredOnly |
BindingFlags.Public | BindingFlags.NonPublic |
BindingFlags.Instance | BindingFlags.SetProperty,
null, IPSecurity, new object[] {newIPDenyList});

IIS.Properties["IPSecurity"][0] = IPSecurity;

// commit the changes
IIS.CommitChanges();
//IIS.RefreshCache();
IIS.Close();
//IIS.Dispose();
Console.WriteLine("Added");
}
else
Console.WriteLine("None to add");
}
}
root.CommitChanges();
root.Close();
//root.Dispose();
}
public void FTPRemove()
{
DirectoryEntry root = new
DirectoryEntry("IIS://"+ServerName+"/MSFTPSVC",ServerUserName,ServerPassword);
foreach (DirectoryEntry site in root.Children)
{
if (site.SchemaClassName == "IIsFtpServer")
{
Console.WriteLine(site.Name);
DirectoryEntry IIS = new

Nice. You now have me thinking of extending this in two ways.
Reading other logs (security and IIS http), and adding address
to a "block pest" IPsec filter.

Thanks for sharing.
Roger
[quoted text, click to view]