WebsiteFailedLogins.psd1
@{
    RootModule = 'WebsiteFailedLogins.psm1'
    ModuleVersion = '2.0'
    GUID = '12e3c270-ef13-42bb-bea3-40b8cf44a49f'
    Author = 'phbits'
    CompanyName = 'phbits'
    Description = @'
This PowerShell module was created to identify the following scenarios affecting IIS hosted websites.
1. Brute Force Login Attempts - excessive failed logins from a single IP address and often targeting a single account.
2. Password Spraying Attempts - excessive failed logins from a single IP address using a single password across multiple user accounts.
3. Distributed Login Attempts - either of the above techniques being sourced from multiple IP addresses.
It leverages Microsoft Logparser and a configuration file to parse the target website's IIS logs. When a threshold is met or exceeded an alert is generated via standard out, email, and/or written to a Windows Event Log. No changes are needed on the webserver. This module can even run on a separate system where there's access to the IIS logs.
Checkout the wiki for details: https://github.com/phbits/WebsiteFailedLogins/wiki
'@
    NestedModules = @(
        'Resources\WebsiteFailedLogins.alert.psm1',
        'Resources\WebsiteFailedLogins.config.psm1',
        'Resources\WebsiteFailedLogins.logins.psm1',
        'Resources\WebsiteFailedLogins.lp.psm1'
    )
    FunctionsToExport = @(
        'Invoke-WebsiteFailedLogins',
        'Get-WebsiteFailedLoginsReadme',
        'Copy-WebsiteFailedLoginsReadme',
        'Get-WebsiteFailedLoginsDefaultConfiguration',
        'Copy-WebsiteFailedLoginsDefaultConfiguration'
    )
    FileList = @(
        'LICENSE',
        'README.md',
        'WebsiteFailedLogins.psd1',
        'WebsiteFailedLogins.psm1',
        'Resources\WebsiteFailedLogins_default.ini',
        'Resources\WebsiteFailedLogins.alert.psm1',
        'Resources\WebsiteFailedLogins.config.psm1',
        'Resources\WebsiteFailedLogins.logins.psm1',
        'Resources\WebsiteFailedLogins.lp.psm1'
    )
    PrivateData = @{
        PSData = @{
            Tags = 'IIS','Logparser','W3SVC','Logs','FailedLogin','BruteForce','PasswordSpray','Detection','IDS'
            ProjectUri = 'https://github.com/phbits/WebsiteFailedLogins'
            LicenseUri = 'https://github.com/phbits/WebsiteFailedLogins/blob/main/LICENSE'
            ReleaseNotes = @'
## [2.0.0.0] - 2021-03-13
### Added
- WinEvent and Smtp alert data can now be formatted in text, json, or xml.
- FriendlyName setting available in configuration ini to better describe website.
- Added configuration validation checks.
- Detailed documentation at: https://github.com/phbits/WebsiteFailedLogins/wiki
### Changed
- Performs just one Logparser query when launching Invoke-WebsiteFailedLogins.
- Returned data is a hashtable object.
- Placed related functions into separate module files.
- Improved configuration validation.
- Improved Alert logic.
- System.Diagnostics.Process wrapper runs Logparser script.
- Standardized all timestamps to UTC.
- Updated function documentation and README.
### Removed
- Usage of global variables for sharing configuration settings.
## [1.0.0.0] - 2019-01-30
### Changed
- Initial release
- Tested on Windows Server 2016
'@
        } # End of PSData hashtable
    } # End of PrivateData hashtable
    HelpInfoURI = 'https://github.com/phbits/WebsiteFailedLogins/wiki'
}