WebApp Sec mailing list archives
RE: OT: Win2k3 logging the IP address of failed FTP attempts
From: "Ian" <webappsec2 () fishnet co uk>
Date: Wed, 14 Jun 2006 09:47:41 +0100
On 13 Jun 2006 at 15:47, Adam Tuliper wrote:
I'm not sure if you can get this to the event log, but the IP address should be logged to the text file IIS log (as long as logging is enabled). You can parse this log file and then add the rules. You could parse this file, and use WMI to add an IP blocking rule to IIS, rather than having to hit the firewall each time... but just an idea.

Hi,

Thanks for all the responses. I don't really want to go down the FTP log parsing route as there are hundreds of sites on the server, each with their own log which rolls over at midnight.

There are several routes I can go down:

ISAPI filter IDS trigger fake FTP site monitoring

If I come up with anything I'll drop the group a line.

Regards
Ian
--

-----Original Message-----
From: Ian <webappsec2 () fishnet co uk>
Sent: Mon, 12 June 2006 15:51:23
To: webappsec () securityfocus com
Subject: OT: Win2k3 logging the IP address of failed FTP attempts

Hi,

Sorry for the slightly off topic question but I find myself at a loss and would like to query your collective intelligence.

We have a win2k3 web server which hosts a few hundred domains. Recently I have noticed a load of brute force attempts against the administrator account coming from China. Not unusual but today I noticed ;)

Unfortunately the IP address is not logged to the event log so I have had to use TCPView from SysInternals to figure out where they are coming from so I can block them at the firewall. (Easier than looking through the FTP logs of a hundred+ sites.)

Does anyone know of a way to get the IP address into the event log? I have all the auditing rules switched on (ie. success,failure) but with no results. I wish to get the IP address so I could then automate the blocking of IPs for a set period of time.

Sorry to post this here but a full work day of googling has left me with nothing.

Regards
Ian
--
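
The log-parsing idea discussed in this thread, as an added example that is not part of any poster's message: it reads W3C extended FTP logs from many per-site directories in one pass and counts failed `PASS` commands (reply code 530) per client IP. The sample lines, the field list, the helper names and the log path in the comment are assumptions; the parser takes the column order from each file's `#Fields:` header.

```python
import glob
from collections import Counter

# Constructed sample; the field list is an assumption, the parser reads #Fields.
SAMPLE = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
14:02:10 203.0.113.7 [41]USER administrator 331
14:02:10 203.0.113.7 [41]PASS - 530
14:02:11 203.0.113.7 [42]USER administrator 331
14:02:11 203.0.113.7 [42]PASS - 530
14:03:40 198.51.100.20 [44]USER webmaster 331
14:03:41 198.51.100.20 [44]PASS - 230
14:05:03 198.51.100.20 [45]USER webmaster 331
14:05:03 198.51.100.20 [45]PASS - 530
""".splitlines()

def read_logs(pattern):
    # Hypothetical helper; assumed default IIS 6 location:
    #   r"C:\WINDOWS\system32\LogFiles\MSFTPSVC*\ex*.log"
    for path in glob.glob(pattern):
        with open(path, errors="replace") as fh:
            yield from fh

def failed_logins(lines):
    """Yield (client_ip, username) for every PASS answered with 530."""
    fields, pending = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # each file declares its own columns
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        ip = rec.get("c-ip")
        tag, _, verb = rec.get("cs-method", "").rpartition("]")
        if verb.upper() == "USER":
            # remember the name; the PASS line itself only logs "-"
            pending[(ip, tag)] = rec.get("cs-uri-stem", "-")
        elif verb.upper() == "PASS":
            user = pending.pop((ip, tag), "-")
            if rec.get("sc-status") == "530":
                yield ip, user

def offenders(lines, threshold=5):
    """Map client IP -> failed-login count, for IPs at or above threshold."""
    counts = Counter(ip for ip, _ in failed_logins(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Calling `offenders(read_logs(pattern))` on a schedule gives the list of addresses to pass to whatever applies the temporary block.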
Current thread:
- OT: Win2k3 logging the IP address of failed FTP attempts Ian (Jun 12)
- RE: OT: Win2k3 logging the IP address of failed FTP attempts Adam Tuliper (Jun 14)
- RE: OT: Win2k3 logging the IP address of failed FTP attempts Ian (Jun 14)
- Re: OT: Win2k3 logging the IP address of failed FTP attempts Rob Creely (Jun 14)
- RE: OT: Win2k3 logging the IP address of failed FTP attempts Adam Tuliper (Jun 14)