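Windows Server provides event logging, and its IIS log files record information such as who visited your site and what content each visitor viewed. By reviewing these log files regularly, a site administrator can detect which parts of the server or site are vulnerable to attack or have other security problems.
However, current log-analysis tools are not very complete and lack some features; in particular, few of them analyze attacks aimed at one specific URL. Below is a VBScript program. Saved as a .vbs file, it can be run on the server to analyze the IIS log and find the IP addresses that are attacking a given URL.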
```vb
targeturl = "/archives/2761.html"                 ' URL on the site that is being attacked.
logfilepath = "C:\LogFiles\W3SVC\ex110813.log"    ' Path to that site's IIS log file.

Set fileobj = CreateObject("Scripting.FileSystemObject")
Set myfile = fileobj.OpenTextFile(logfilepath, 1, False)   ' 1 = ForReading
Do While Not myfile.AtEndOfStream
    myline = myfile.ReadLine()
    ' Skip blank lines and the "#" directive lines (#Software, #Fields, ...).
    If Len(myline) > 0 And Left(myline, 1) <> "#" Then
        myline2 = Split(myline, " ")
        ' The indexes depend on the log's #Fields line:
        ' index 5 must be cs-uri-stem and index 9 must be c-ip.
        If UBound(myline2) >= 9 Then
            newip = myline2(9)
            myurl = myline2(5)
            If targeturl = myurl Then
                writelog newip
            End If
        End If
    End If
Loop
myfile.Close
Set myfile = Nothing
MsgBox "結束."   ' "Finished."

' Append one IP per line to blockip.txt (created in the current directory if missing).
Sub writelog(errmes)
    ipfilename = "blockip.txt"
    Set logfile = fileobj.OpenTextFile(ipfilename, 8, True)   ' 8 = ForAppending
    logfile.WriteLine errmes
    logfile.Close
    Set logfile = Nothing
End Sub
```
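If the IP addresses found by the analysis look abnormal, they can be added in bulk to the IIS list of denied IPs by a program. Below is a piece of VBScript code found online. Save it with a .vbs extension and feed it the IPs produced by the program above to block the attackers' IP addresses in bulk.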
```vb
'/*=========================================================================
' * Intro     VBScript that uses ADSI to bulk-add denied or allowed IPs to IIS
' * FileName  VBScript-ADSI-IIS-Add-Deny-Grant-IP-Change-MetaBase.xml.vbs
' *==========================================================================*/
'AddDenyIP2All "192.168.1.106,255.255.255.0"
'AddDenyIP "123456","127.0.0.1"
'AddDenyIP2All "14.113.226.116"

' Add an IP (or a group of computers) to deny on one specific site.
Sub AddDenyIP(strWebNo, strDenyIp)
    On Error Resume Next
    Set SecObj = GetObject("IIS://LocalHost/W3SVC/" & strWebNo & "/Root")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = True
    IPList = MyIPSec.IPDeny
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strDenyIp
    MyIPSec.IPDeny = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.Setinfo
End Sub

' Add an IP (or a group of computers) to deny in the IIS common configuration, so it applies to all sites.
' If some sites already have their own IP restrictions, this setting will not take effect for them;
' set it on the top-level Web Sites node and then override all child nodes.
Sub AddDenyIP2All(strDenyIp)
    On Error Resume Next
    Set SecObj = GetObject("IIS://LocalHost/W3SVC")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = True
    IPList = MyIPSec.IPDeny
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strDenyIp
    MyIPSec.IPDeny = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.Setinfo
End Sub

' Add an IP (or a group of computers) to allow on one specific site.
Sub AddGrantIP(strWebNo, strGrantIp)
    On Error Resume Next
    Set SecObj = GetObject("IIS://LocalHost/W3SVC/" & strWebNo & "/Root")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = False
    IPList = MyIPSec.IPGrant
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strGrantIp
    MyIPSec.IPGrant = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.Setinfo
End Sub

' Add an IP (or a group of computers) to allow in the IIS common configuration, so it applies to all sites.
' If some sites already have their own IP restrictions, this setting will not take effect for them;
' set it on the top-level Web Sites node and then override all child nodes.
Sub AddGrantIP2All(strGrantIp)
    On Error Resume Next
    Set SecObj = GetObject("IIS://LocalHost/W3SVC")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = False
    IPList = MyIPSec.IPGrant
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strGrantIp
    MyIPSec.IPGrant = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.Setinfo
End Sub

' Show the denied IPs in the IIS common configuration.
Sub ListDenyIP()
    Set SecObj = GetObject("IIS://LocalHost/W3SVC")
    Set MyIPSec = SecObj.IPSecurity
    IPList = MyIPSec.IPDeny 'IPGrant/IPDeny
    WScript.Echo Join(IPList, vbCrLf)
    ' For i = 0 To UBound(IPList)
    '     WScript.Echo i + 1 & "-->" & IPList(i)
    ' Next
End Sub
```