Free Windows Server Firewall
with Brute Force Detection
VBSFIREWALL is an open source, easy to use and reliable solution for your
Windows 2003 or 2008 servers. It has brute force detection functions and uses
IPsec policy, which makes it very compact and powerful.
This program is provided as is; use it at your own risk. VBSFirewall
was developed by Claudio to be used at http://www.multihost.com.br
and if you have any doubts feel free to send us an email at claudio@vbsfirewall.com.
The scripts can be fully customized in any text editor. It is an open source script,
so you can customize it if you want.
Features: Firewall.exe
- Protects your Remote Desktop
- Protects your MSFTP server
- Shows you who has access to your server
- Can be installed in 2 simple steps (see pre-requirements below)
- Automatically configures your passive transfer MSFTP (IIS6) port range
- Handles event log format and W3C log format to provide brute force detection and protection
- Works directly with MS IPsec Policy. Very similar to iptables.
Briefing
1) Remote Desktop Firewall: this will protect your terminal service connections and place the IP of users that are trying to brute force your server in a firewall list, denying connections from their IP and sending you an email with a brief report. This will be scheduled to run every 8 minutes; it gets its information directly from the server event log. After 5 wrong passwords the IP will be listed.
2) MSFTP firewall: this will do exactly the same as above but protecting your MSFTP server. It is capable of denying anonymous users and brute force attempts, sending you an email with a brief report. This will be scheduled to run every 10 minutes; it gets its information automatically from your MS-FTP (IIS6 manager) logs. It can handle both local and system time. After more than 10 wrong passwords the IP will be listed.
4) Cleaning Task: a task scheduled to clean the firewall IP list every 1 hour, or any interval you wish.
How does it work?
Before you install you must complete the pre-requirements and also configure
your email in the scripts, so please take a look at our hints below.
The installation is very simple: the installer will back up your local IPsec
security policy settings and then install our template. It is 100%
safe, free of spyware and anything like that. (Note that this template was
developed to be used on our Windows Helm hosting servers under heavy demand;
you may want to adjust a couple of ports to reflect your needs.) It will prompt
you to continue installing a required program that is used together with our
FTP firewall script, named LOGPARSER 2. After that it will configure your FTP
passive port range in the IIS6 metabase. Finally it will prompt you
for the server administrator password for each one of the 4 scheduled tasks
it is going to create. If you don't type the correct server password you will
need to go to Control Panel -> Scheduled Tasks, right click
and select Open, and fix the password in the properties of each one of the 4 created tasks.
The scripts will be saved in your root drive C:\
You will also have an uninstaller located at c:\uninsta.bat that restores your
original configuration, which is the default and has no IPsec functions at all.
The email function requires a local SMTP server and that you insert your email into
the scripts. This is very easy to accomplish using Notepad or WordPad.
You can see our hints and downloads at the end of this page with
instructions on that, but keep reading these instructions first.
Any time an IP is denied it will appear in the firewall list.
How can I see the filter list? And what about the IPs included in the firewall?
Start Menu -> Administrative Tools -> Local Security Policy -> IPsec Policy -> IP Security Policies -> on the right-hand list double click vbsfirewall to open the firewall properties -> double click the firewall name and it will open the vbsfirewall properties window -> double click again on the firewall filter list and it will open Edit Rule Properties -> scroll down until you can double click again on the firewall IP filter list -> on this IP filter list the IPs attempting to brute force your RDP or FTP will be dropped.
Every hour a Scheduled Task will release all IPs. You may adjust the scheduled task to clean IPs every 5 minutes during your initial tests, and take care to avoid being locked out of your box for a long period; alternatively you can set the firewall IP list action in IPsec to permit instead of deny during your tests.
Do not remove fire.ips from your C:\ as it is used each time the clean task is performed, or in case you decide to uninstall for any reason. Also clean your event logs periodically.

Pre-requirements for Windows Server 2003 and 2008
You need to be a member of the Administrators group on the machine and make the 2 simple
tweaks below:
1. Click on Start menu > Administrative Tools > Local Security Policy
> Local Policy > Audit Policy
and make it look like the image below, double clicking and configuring each
one of the lines.
2. Click on Start menu > Administrative Tools > Internet Information Services
(IIS6) Manager, expand and right click the FTP Default Web Site and choose
Properties, then click on Properties again beside the Active Log Format field,
and make it look like the image below, marking each one of the log options
as "checked".
Command line:
If you want to manually deny an IP you can issue this command line:
> netsh ipsec static add filter filterlist=firewall srcaddr=Me dstaddr=X.X.X.X protocol=any mirrored=yes
Important Hints
If you want, it is also possible to change the settings of the Scheduled Tasks
directly from the Windows Control Panel (you can tweak the clean task to
run every 1 minute during your tests).
Do not forget to open rdpfire.vbs, wholog.vbs and ftpfire.vbs in Notepad or your favorite text editor and customize a couple of lines, adjusting your email and other parameters near the lines below:
rdpfire.vbs
line 37
strEmailRecipient = ""
place your email inside of the quotation marks
line 346
"127.0.0.1"
if needed, replace this IP with the hostname or correct IP address
of your local SMTP server
line 42 * not required
dtmStartDate = UTC(Dateadd("n", -8
this -8 means every 8 minutes, so if you change the Scheduled Task to run, for
instance, every 10 minutes you must change -8 to -10 here
line 238 * not required
if ac >= 5
this line defines the limit: after 5 or more password errors the IP is denied
by adding it to the firewall IP filter list
wholog.vbs
line 37
strEmailRecipient = ""
place your email inside of the quotation marks
line 346
"127.0.0.1"
if needed, replace this IP with the hostname or correct IP address
of your local SMTP server
line 42 * not required
dtmStartDate = UTC(Dateadd("n", -5
this -5 means every 5 minutes, so if you change the Scheduled Task to run, for
instance, every 10 minutes you must change -5 to -10 here
ftpfire.vbs
line 90
Email "mail@yourdomain.com", "[LOG] Security Log Alert - FTP alarm", body
place your email inside the first pair of quotation marks
line 148
"127.0.0.1"
if needed, replace this IP with the hostname or correct IP address
of your local SMTP server
line 39 * not required
(TO_TIMESTAMP(date,time)))) < 600"
the 600 is the window in seconds, which equals 10 minutes; if you want to schedule this
script to run every 5 minutes change 600 to 300
line 52 * not required
if recordSet.GetRecord().getValue(1) >= 10 then
this line defines the limit: after 10 or more password errors the IP is denied
by adding it to the firewall IP filter list
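The FTP detection described in the Briefing and tuned by the ftpfire.vbs hints above (count login failures per client IP inside a time window, block the IP once the count reaches the threshold) is shown here as an added Python example; it is not the project's VBScript or LogParser code. The W3C log lines are constructed sample data, the window and threshold default to the page's 600 seconds and 10 failures, and the block only builds the netsh command string from the page rather than running it.

```python
"""Rate-based FTP brute-force detection over IIS6 W3C log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in IIS6 W3C format: PASS with sc-status 530 (win32 1326)
# is a failed login; 230 is a successful one.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status",
    "2009-03-01 09:50:00 203.0.113.5 administrator PASS - 530 1326",  # outside the window
    "2009-03-01 10:05:00 198.51.100.7 bob PASS - 230 0",              # success, ignored
    "2009-03-01 10:06:00 198.51.100.7 bob USER - 331 0",
] + [f"2009-03-01 10:{m:02d}:00 203.0.113.5 administrator PASS - 530 1326"
     for m in range(3, 13)] + [                                       # 10 failures in window
    f"2009-03-01 10:{m:02d}:30 198.51.100.7 bob PASS - 530 1326" for m in (9, 10, 11)]
NOW = datetime(2009, 3, 1, 10, 12, 30)  # fixed "current time" so the example is reproducible


def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def failed_logins(entries, now, window_s=600):
    """Count failed PASS commands per client IP that fall within the last window_s seconds."""
    counts = defaultdict(int)
    for e in entries:
        if e.get("cs-method") != "PASS" or e.get("sc-status") != "530":
            continue
        when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if timedelta(0) <= now - when < timedelta(seconds=window_s):
            counts[e["c-ip"]] += 1
    return dict(counts)


def ips_to_block(lines, now, window_s=600, threshold=10):
    """IPs whose failure count reached the threshold, the same rule as ftpfire.vbs line 52."""
    return sorted(ip for ip, n in failed_logins(parse_w3c(lines), now, window_s).items()
                  if n >= threshold)


def netsh_deny_command(ip):
    """The manual deny command from this page, with the offending IP filled in."""
    return ("netsh ipsec static add filter filterlist=firewall srcaddr=Me "
            f"dstaddr={ip} protocol=any mirrored=yes")


if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG, NOW):
        print(netsh_deny_command(ip))
```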
Extras
You can also download our MTA script for Mail Enable Standard (www.mailenable.com)
that provides a simple antispam solution and also a ClamAV antivirus scanner
for free. This program also runs on both Windows 2003 and 2008 servers. You
can also use an external antispam such as SpamAssassin or MeFilter, but using
many filters will cost performance and memory. It is specially designed to
work with MEFilter (www.mefilter.com).
MeFilter splits a message to multiple recipients into many messages, so with
this MTA script you can send messages with multiple recipients to a generic
filter rule and scan only messages sent to one or two recipients.
To have the antivirus function working properly you must download and extract our zip and install ClamAV-Devel, which is a Cygwin (Linux-emulated) port of the original *nix ClamAV.
Then under c:\clamav-devel\ you need to create a folder named TMP:
c:\Clamav-Devel\TMP
Download pickup.vbs and newclam.cmd and place both at
c:\program files\mail enable\bin\
In the Mail Enable MMC, expand SMTP, right click and choose Properties;
under Advanced SMTP enable the alternate catch-all header and name it bcc.
In the Mail Enable MMC, expand Agents, right click MTA and choose Properties; there
you can paste the following command, which runs the pickup.vbs script:
cscript //T:30 "C:\Program Files\Mail Enable\Bin\pickup.vbs"
You need to open pickup.vbs in Notepad or your favorite
text editor and customize some lines, then restart the MTA agent under Mail
Enable's MMC.
You also have to schedule a clean task to clean the TMP directory from time to
time, as it fills up very fast on heavy mail servers.
Downloads (*see pre-requirements and important hints above before installing
this program)
Windows 2003 VBS firewall
full installer (just double click the exe and you are ready to go; it will
install everything)
Windows 2008 VBS firewall full installer (*
you must run C:\install.bat after unpacking the exe in order to finish the
installation on 2008 servers)
Mail Enable - Mail Transport
Agent script with ClamAV and MEFilter integration.
* take a look at the pre-requirements above
Donations
We appreciate your PayPal donations and can offer for free some scripts
from our collection, including:
Mail Enable Count Queue (can report to you any time the mail queue is above a
threshold)
SQL brute force monitor, which gets information from the event log on who is
trying to brute force a SQL password
Http Error Log and Http Error Site Log, two scripts that
can dig and find strings inside your main logs and customers' domain logs, very
useful to find hijacking by malicious scripts
A simple yet good backup script that uses FTP to transfer 7zip
files between machines, backing up an entire folder and its subfolders.
Other Important Security Hints
In any system, although a firewall can be very important, your
root drive permissions and web site permissions are also crucial to your
system integrity, so you need to keep C:\ with full access only for the Administrator
and System accounts. Also you should avoid executable content on your
web server, keep your system updated with the most recent service packs, moderate
the use of ISAPI and CGI extensions, sandbox your users in individual application
pools, and run ASP.NET in shared environments under Medium Trust.
SQL servers also demand good security, so try to research as much as you
can on these issues.
Some strings can be helpful to find malicious software injections on Linux
or Windows systems, especially when you are running PHP as an IIS6 ISAPI extension
or as an Apache module. Use the find or findstr commands, or the grep command,
on your web site logs and look for:
- txt? (perhaps the most important string to grep or find in your
website's daily logs; txt? reveals many PHP injections)
- cgi
- .pl
- .exe
- .com
- formmail
- email
- .src
- .pif
- cmd.exe
- ftp://ftp.
and others.
Other References
These scripts were originally distributed on some boards in
old forum posts such as:
http://forums.theplanet.com/lofiversion/index.php/t80929.html
http://forums.webhostautomation.com/showthread.php?t=12381
(c) copyright 2003-2009 multihost.com.br