Can IIS automatically block IPs based on certain queries?

Question

Can IIS7 automatically block IP addresses if certain queries are tried against my server? Like, is it smart enough to figure out that it's getting spammed by similar requests from the same IP under a short peroid of time?

e.g.

Here are some stats from my log files today :

#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-09-12 00:28:22
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-09-12 00:28:22 208.96.29.85 GET /admin/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 196 218
2009-09-12 00:28:22 208.96.29.85 GET /admin/pma/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 200 234
2009-09-12 00:28:23 208.96.29.85 GET /admin/phpmyadmin/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 207 234
2009-09-12 00:28:23 208.96.29.85 GET /db/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 193 218
2009-09-12 00:28:23 208.96.29.85 GET /dbadmin/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 198 218
2009-09-12 00:28:24 208.96.29.85 GET /myadmin/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 198 234
2009-09-12 00:28:24 208.96.29.85 GET /mysql/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 196 218
2009-09-12 00:28:24 208.96.29.85 GET /mysqladmin/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 201 218
2009-09-12 00:28:25 208.96.29.85 GET /typo3/phpmyadmin/js/keyhandler.js - 80 - 85.25.71.40 Toata+dragostea+mea+pentru+diavola - 404 0 2 1471 207 218

Nothing serious, but just a pain in the butt. Yes, they all 404'd. But now it's also possible that this spammer/bot/script kiddie knows my IP exists AND that I'm a webserver. Yes, I'm being way over-paranoid but I'm trying to play devil's advocate here.

So if we get hit by a bot/script that has some query in it, say Toata+dragostea+mea+pentru+diavola (that's the user agent in this case) or /admin/phpmyadmin/js/keyhandler.js (an actual resource), then can this be auto-blocked?

score 0 · Answer 1 · answered Sep 12 '09 at 01:09

0

If you're running IIS7, the URL Rewrite Module may be able to help you out. Some assembly required.

answered Sep 12 '09 at 01:09

JohnW

501
3
8

Could you elaborate on how it could be used in this scenario? – Pure.Krome Sep 12 '09 at 01:16

score 0 · Accepted Answer · answered Oct 19 '09 at 21:19

0

Look at URL Scan, or even better - WebKnight. Both allow you to block certain keywords within URLs.

answered Oct 19 '09 at 21:19

Lazlow

383
3
10

1

More uptodate link for URL Scan: http://learn.iis.net/page.aspx/473/using-urlscan – Pure.Krome Oct 20 '09 at 03:51

Can IIS automatically block IPs based on certain queries?

2 Answers2

Linked