Ban IP of FTP abuser using VBScript



A while back, I wrote a VBScript
(http://blog.netnerds.net/2006/07/ban-administrator-ftp-login-attemps/)
that uses Event Viewer, IIS://, IPSECURITY and the IIS logfile parser.
It works well, except that in order to enforce the ban of the IPs, IIS must be
restarted. I'm sure I'm probably just missing a line... can anyone assist?
Here's the script:

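' Push Event Viewer Alert
'
' Registers an asynchronous WMI notification query so that EVSINK_OnObjectReady
' is called for every new event-log record whose source is MSFTPSVC and whose
' event code is 100 (presumably the FTP service's failed-logon event; confirm
' against the Event Viewer entries on the target server).
'
' The posted listing had these statements wrapped in the middle of an argument
' list and of a string literal, and the heading line had lost its comment
' marker, so it would not parse as pasted. Explicit line continuations are
' used here instead.
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

' The "EVSINK_" prefix is what binds the sink's OnObjectReady event to the
' Sub EVSINK_OnObjectReady defined in this script.
Set eventSink = WScript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")

strWQL = "Select * from __InstanceCreationEvent where " & _
         "TargetInstance isa 'Win32_NTLogEvent' and " & _
         "TargetInstance.SourceName = 'MSFTPSVC' and " & _
         "TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink, strWQL

' Keep it going forever: the script has to stay alive for the sink to keep
' receiving events, so it idles in one-second sleeps.
While (True)
    WScript.Sleep 1000
Wend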

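' WMI sink callback, invoked once per matching event-log record.
'
' If the event text mentions "administrator", the newest log file of every FTP
' site is parsed with MSWC.IISLog, each client IP whose logged URIStem is
' "administrator" is collected, and those addresses are merged into the
' service-level IPDeny list of IIS://localhost/MSFTPSVC.
'
' Parameters:
'   objObject       - the __InstanceCreationEvent; only TargetInstance.Message
'                     is read here.
'   objAsyncContext - supplied by the sink; not used.
'
' Operational caveats for whoever deploys this:
'   * The only criterion is the attempted user name. A legitimate admin who
'     mistypes a password, or any other user behind the same NAT address as an
'     offender, ends up on the deny list. There is no allowlist and no expiry;
'     consider exempting management addresses before relying on this.
'   * The whole current log file is re-read on every event.
'   * NOTE(review): the poster reports that new entries are not enforced until
'     IIS is restarted. Nothing in this Sub addresses that.
Sub EVSINK_OnObjectReady(objObject, objAsyncContext)
    Dim objFTPSVC, WshShell, objFSO, objLog, objDictionary, objFTPIPSec
    Dim objSITE, objFile, objNewest
    Dim ftpLogFilePath, strLogFile, ClientIP
    Dim bannedIPArray, strEntry, intComma, i

    If InStr(LCase(objObject.TargetInstance.Message), "administrator") > 0 Then
        Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")
        Set WshShell = CreateObject("WScript.Shell")
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objLog = CreateObject("MSWC.IISLog")
        Set objDictionary = CreateObject("Scripting.Dictionary")
        Set objFTPIPSec = objFTPSVC.IPSecurity

        ' Iterate through each FTP site under the service node.
        For Each objSITE In objFTPSVC
            If LCase(objSITE.Class) = "iisftpserver" Then
                ftpLogFilePath = _
                    WshShell.ExpandEnvironmentStrings(objSITE.LogFileDirectory) & _
                    "\msftpsvc" & objSITE.Name

                ' Pick the most recently written file explicitly. The original
                ' kept whichever file the enumeration returned last, which
                ' depends on an ordering the Files collection does not promise,
                ' and it reused the previous site's file when a folder was
                ' empty. A missing folder is now skipped instead of raising.
                strLogFile = ""
                Set objNewest = Nothing
                If objFSO.FolderExists(ftpLogFilePath) Then
                    For Each objFile In objFSO.GetFolder(ftpLogFilePath).Files
                        If objNewest Is Nothing Then
                            Set objNewest = objFile
                        ElseIf objFile.DateLastModified > objNewest.DateLastModified Then
                            Set objNewest = objFile
                        End If
                    Next
                    If Not objNewest Is Nothing Then
                        strLogFile = objNewest.Path
                    End If
                End If
                Set objNewest = Nothing

                If strLogFile <> "" Then
                    ' Use the IIS log file parser provided by MSFT.
                    ' (FileName, IOMode, ServiceName, ServiceInstance, OutputLogFileFormat)
                    ' IOMode 1 = ForReading, OutputLogFileFormat 0 = NotApplicable
                    ' NOTE(review): ServiceInstance is fixed at 1 although the
                    ' loop visits every site; confirm whether records of other
                    ' instances are still returned.
                    objLog.OpenLogFile strLogFile, 1, "MSFTPSVC", 1, 0
                    While Not objLog.AtEndOfLog
                        objLog.ReadLogRecord
                        If LCase(objLog.URIStem) = "administrator" Then
                            ClientIP = objLog.ClientIP
                            ' Skip records without a usable address so an empty
                            ' key never reaches the deny list.
                            If Len(ClientIP) > 0 Then
                                If Not objDictionary.Exists(ClientIP) Then
                                    ' The item value is padding; only the keys are used.
                                    objDictionary.Add ClientIP, "255.255.255.255"
                                End If
                            End If
                        End If
                    Wend
                    objLog.CloseLogFiles 1
                End If
            End If
        Next

        ' Append the newly banned IPs to the currently banned IPs. Nothing is
        ' written when the service is configured to deny by default.
        If objDictionary.Count > 0 And objFTPIPSec.GrantByDefault = True Then
            bannedIPArray = objFTPIPSec.IPDeny
            If IsArray(bannedIPArray) Then
                For i = 0 To UBound(bannedIPArray)
                    strEntry = bannedIPArray(i)
                    ' Existing entries are treated as "ip, mask". The original
                    ' called Left(..., InStr(...) - 1) unconditionally, which
                    ' raises an error for an entry that has no comma.
                    intComma = InStr(strEntry, ",")
                    If intComma > 0 Then
                        ClientIP = Trim(Left(strEntry, intComma - 1))
                    Else
                        ClientIP = Trim(strEntry)
                    End If
                    ' Keep the existing entry unless the same address was just
                    ' collected from the log or the entry itself is already a key.
                    If Not objDictionary.Exists(ClientIP) Then
                        If Not objDictionary.Exists(strEntry) Then
                            objDictionary.Add strEntry, "255.255.255.255"
                        End If
                    End If
                Next
            End If

            objFTPIPSec.IPDeny = objDictionary.Keys
            objFTPSVC.IPSecurity = objFTPIPSec
            objFTPSVC.SetInfo
        End If

        Set objFTPIPSec = Nothing
        Set objDictionary = Nothing
        Set objLog = Nothing
        Set objFSO = Nothing
        Set WshShell = Nothing
        Set objFTPSVC = Nothing
    End If
End Sub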

.


