IIS / PHP Brute Force Security Module – Suggestions?

I am running WordPress on IIS 7.5 – I was reviewing my logs today and noticed that there are lots of brute force attempts on my website, looking for files that might compromise its security. Specifically looking for setup files, phpMyAdmin, other mysql stuff etc – all of which are 404.

Based on this information, what are some ways that I could create a security module to A) Block someone with more than [n] number of 404’s in a row. B) Block someone who matches certain keywords, eg looking for phpMyAdmin. C) This is optional but an ideal solution would also block IP addresses if I wanted to hardcode / add some.


I have some ideas but I am also looking for other suggestions. Since the server is IIS I would prefer the solution to be using C# ASP.NET or embedded somehow in IIS.

2 comments

  1. Implement an HttpHandler to intercept all requests. If they are looking for those modules, log their IP and stop the attack there, adding the IP to a list of blocked hosts.

    Yes – someone can forge an IP (more of a concern in a DoS attack and not feasible here) but they can’t forge an entire session (roughly a packet), so they can’t continue on that IP to get a response and know if the file exists anyway.

    This method would be used if you want to handle IPs in a special way, such as blocking all further access immediately.

    If you don’t need that type of control and just want to block, consider custom URLScan rules to block it immediately, since UrlScan now comes built into IIS.
    See:
    http://www.hanselman.com/blog/HackedAndIDidntLikeItURLScanIsStepZero.aspx

  2. A) Block someone with more than [n] number of 404’s in a row.

    There’s a WordPress plugin called “Better WP Security”; it has a 404 detection feature which allows exactly this. I’m now using it and it’s working very well.

    B) Block someone who matches certain keywords, eg looking for phpMyAdmin.

    You don’t want to block just anyone who tries to access phpMyAdmin, because that would include yourself as well. You want to filter the requests by IP – do not allow any IP that is not in the whitelist to visit phpMyAdmin. You’ll find out how to do this in my answer to your 3rd question below.

    C) This is optional but an ideal solution would also block IP addresses if I wanted to

    You can follow the steps below to disallow access to wp-login.php and wp-admin on IIS 7.5 for IPs that are not in the whitelist. You can mimic the example to include any file (e.g. phpMyAdmin) you want in your WordPress folder, by copying the code between (and including) the <location> tags in the code of step 4 and changing the “path” attribute.

    1, Open the web.config file in your wordpress root folder, if you don’t find it there, create one

    2, Enable “IP and Domain Restrictions” role by following [this article][1]

    3, Open IIS Manager, click on root node, in the right panel, select “Feature Delegation”, find “IPv4 Address and Domain Restrictions” item, grant “Read/Write” delegation to it

    4, Open the web.config file; if you created the file yourself and it’s empty, then add the following code (see notes at the bottom for an explanation):

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <location path="wp-login.php">
        <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
              <clear/>
              <add ipAddress="100.100.100.29" allowed="true"/>
              <add ipAddress="111.111.111.0" subnetMask="255.255.255.0" allowed="true"/>
            </ipSecurity>
          </security>
          <modules runAllManagedModulesForAllRequests="true"/>
        </system.webServer>
      </location>

      <location path="wp-admin">
        <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
              <clear/>
              <add ipAddress="100.100.100.29" allowed="true"/>
              <add ipAddress="111.111.111.0" subnetMask="255.255.255.0" allowed="true"/>
            </ipSecurity>
          </security>
          <modules runAllManagedModulesForAllRequests="true"/>
        </system.webServer>
      </location>
    </configuration>

    If you are working on an existing web.config file, then you only need to add the code between the <location> tags into the existing <configuration> tags in your web.config.

    Explanation: This code blocks all IPs from visiting wp-login.php or wp-admin; the exceptions are IPs 100.100.100.29 and 111.111.111.1-255. Please replace these IPs with your own list.

    5, Now try visiting wp-login.php or wp-admin from IPs that are not in the list; you should be given a 403 – Access Denied error.
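The interception approach from the first comment, combined with the consecutive-404 counting asked for in A) and the "don't lock yourself out" caveat from the second comment, as an added C# example that is not code from the question or either comment. It uses an IHttpModule rather than an HttpHandler so that it also sees requests for PHP files in the IIS 7.5 integrated pipeline, and assumes it is registered in web.config under <system.webServer><modules> with no managedHandler preCondition; the threshold, block duration, keyword list and allow-list address are assumed values.

```csharp
// Added example (not from the question or the comments): an IHttpModule for the IIS 7.5
// integrated pipeline implementing A) consecutive-404 blocking and B) keyword blocking.
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.Web;

public class BruteForceBlockModule : IHttpModule
{
    const int Max404InARow = 10;                                  // A) assumed threshold
    static readonly TimeSpan BlockFor = TimeSpan.FromHours(1);    // assumed block duration
    static readonly string[] ProbeKeywords = { "phpmyadmin", "setup.php", "/mysql" };  // B) assumed list
    static readonly string[] AdminAllowList = { "100.100.100.29" };  // never block your own IP (assumed)
    static readonly ConcurrentDictionary<string, int> Consecutive404 = new ConcurrentDictionary<string, int>();
    static readonly ConcurrentDictionary<string, DateTime> BlockedUntil = new ConcurrentDictionary<string, DateTime>();
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;   // decide before PHP/FastCGI runs
        app.EndRequest += OnEndRequest;       // observe the status code after it ran
    }
    static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string ip = ctx.Request.UserHostAddress;   // behind a reverse proxy this is the proxy's IP
        if (Array.IndexOf(AdminAllowList, ip) >= 0) return;
        DateTime until;
        if (BlockedUntil.TryGetValue(ip, out until) && until > DateTime.UtcNow) { Deny(ctx); return; }
        string path = ctx.Request.Path.ToLowerInvariant();
        foreach (string kw in ProbeKeywords)
            if (path.Contains(kw)) { Block(ip, "probe for " + kw); Deny(ctx); return; }
    }
    static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string ip = ctx.Request.UserHostAddress;
        if (ctx.Response.StatusCode != 404) { Consecutive404[ip] = 0; return; }   // run of 404s broken
        int n = Consecutive404.AddOrUpdate(ip, 1, (_, c) => c + 1);
        if (n >= Max404InARow) Block(ip, n + " consecutive 404s");   // enforced from the next request on
    }
    static void Block(string ip, string reason)
    {
        BlockedUntil[ip] = DateTime.UtcNow + BlockFor;
        Trace.TraceWarning("blocked {0}: {1}", ip, reason);   // candidates for the hardcoded list in C)
    }
    static void Deny(HttpContext ctx)
    {
        ctx.Response.StatusCode = 403;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest();   // skip the rest of the pipeline, no PHP is run
    }
    public void Dispose() { }
}
```

The block list lives in process memory, so it is reset by an application pool recycle; the trace entries are what you would persist if you want the hardcoded list from C).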