3

I have a web server running an ASP.NET web application on IIS 8.5. I noticed that several 404 errors were logged by the application which are not related to my application in any way.

Here are a few example URLs:

/jmx-console
/rom-0
/content/moin_static160beta1/robots.txt
/content/ecrire/gnu_lgpl_fr.txt

What is the best way to handle this kind of traffic? Should I ignore them because the server already returned 404 for such requests?

jorel

1 Answer

3

For Linux servers I manage these attempts using fail2ban so that it will autoban the IPs that attempt to find vulnerabilities on the web server. IIS has some free plugins (Microsoft supported) that do the same thing. These tools allow you to restrict the types of HTTP requests that IIS will process and/or temporarily ban the IPs that make those requests.

http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions
http://www.iis.net/downloads/microsoft/urlscan

Alfonso
  • Thanks for the answer. It is not clear to me what kind of a response the server should return to the requester? Also are there any public resources with this kind of banning rules? – jorel Apr 29 '15 at 16:57
  • You can specify which response to return to an HTTP client for which the IP address is blocked. The module can return status codes 403 and 404 or just terminate the HTTP connection and not return any response. Also for the URL scan plugin they have a detailed guide: http://www.iis.net/learn/manage/configuring-security/use-request-filtering – Alfonso Apr 29 '15 at 18:47
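
An added example, not part of the posts above and not code from fail2ban or the IIS modules: a per-IP 404 threshold applied to an IIS W3C log, the kind of rule such tools use to decide which clients to ban. The log lines (documentation IP ranges), the threshold of 3 and the 60-second window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2015-04-29 16:00:01 GET /jmx-console 203.0.113.7 404
2015-04-29 16:00:02 GET /rom-0 203.0.113.7 404
2015-04-29 16:00:03 GET /default.aspx 198.51.100.20 200
2015-04-29 16:00:04 GET /content/moin_static160beta1/robots.txt 203.0.113.7 404
2015-04-29 16:00:05 GET /content/ecrire/gnu_lgpl_fr.txt 203.0.113.7 404
2015-04-29 16:05:00 GET /old-page.aspx 198.51.100.20 404
2015-04-29 16:30:00 GET /favicon.ico 198.51.100.20 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_scanners(text, max_404=3, window=timedelta(seconds=60)):
    """Return {ip: [404 paths]} for clients with more than max_404 404s in window."""
    recent = defaultdict(deque)   # ip -> timestamps of 404s still inside the window
    paths = defaultdict(list)     # ip -> every path that returned 404
    flagged = {}
    for row in parse_w3c(text):
        if row.get("sc-status") != "404":
            continue
        ip = row["c-ip"]
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        paths[ip].append(row["cs-uri-stem"])
        while ts - hits[0] > window:   # drop 404s older than the window
            hits.popleft()
        if len(hits) > max_404:
            flagged[ip] = paths[ip]
    return flagged

if __name__ == "__main__":
    for ip, probed in find_scanners(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(probed))
```

The client that hits four unrelated paths in a few seconds is flagged, while the one with two stray 404s 25 minutes apart is not, which is why a rate window matters more than the raw 404 count.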