phbits edited this page Mar 12, 2021 · 7 revisions

There are three techniques for running this module.

  1. PowerShell Prompt
  2. Scheduled Task
  3. Invoked by a Wrapper

1. PowerShell Prompt

This method should be used before setting up a scheduled task or wrapper. It involves calling Invoke-WebsiteFailedLogins directly from a PowerShell prompt. This is the preferred first step since many validation checks run to ensure everything completes error-free. Once no more errors appear, add the -RunningConfig switch when calling from a scheduled task or wrapper. Doing so skips nearly all of the validation checks, which makes the script run faster.

Be sure to run the PowerShell prompt using the same user account that will be used as a scheduled task or called from a wrapper. Many potential issues are due to permissions.

2. Scheduled Task

For larger organizations, this method is likely preferred since the Smtp and/or WinEvent alert can be integrated into the appropriate channels (e.g. ticketing, syslog, etc).

The Task Scheduler interval should be shorter than the StartTime setting so that consecutive runs overlap. For example, if this module is configured with StartTime = 1800 (30 minutes), scheduling it to run every 600 seconds (10 minutes) provides overlap by including logs already covered by the prior invocations. While this technique results in an IP being reported multiple times for the same traffic, it also ensures IP traffic rates are calculated over a greater timespan. Additionally, it helps address log drift, a byproduct of IIS logging. Writing a log entry for each request as it arrives is inefficient, so IIS queues several records and writes them in a single operation. A request may therefore not appear in the log until some time after it was served, hence the term log drift.

The shortest recurrence one should use with this module is 5 minutes. If a shorter window is necessary, consider implementing a real-time monitor via ModSecurity or a similar Web Application Firewall (WAF).

Once the configuration file has been finalized and no longer produces errors, launch Invoke-WebsiteFailedLogins with the -RunningConfig switch. Doing so will exclude validation checks against the configuration file as it will assume all errors have been resolved. Only the minimum checks are performed which greatly improves performance.

To schedule a task, use the command line utility SCHTASKS or the MMC taskschd.msc.

There's related information about Task Scheduling in the Event Trigger section under Taking Action.
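Putting the first two sections together, here is an added example (not from this wiki or the module itself) that validates the configuration interactively and then registers the same call as a scheduled task running every 10 minutes against a StartTime of 1800 seconds, so consecutive runs overlap. It assumes the configuration file is passed with a -Configuration parameter (check Get-Help Invoke-WebsiteFailedLogins for the actual parameter name); the file path, task name and service account are placeholders.

```powershell
# Added example, not from the WebsiteFailedLogins wiki or module: validate interactively,
# then register the same call as a scheduled task that runs every 10 minutes against a
# StartTime of 1800 seconds (30 minutes) so consecutive runs overlap.
# Assumptions: the configuration file is passed with a -Configuration parameter (confirm
# with Get-Help Invoke-WebsiteFailedLogins); account and paths are placeholders.

$ConfigPath   = 'C:\WebsiteFailedLogins\config.ini'   # placeholder path
$TaskName     = 'WebsiteFailedLogins'
$IntervalMins = 10                                     # shorter than StartTime (30 min), never below 5

# Step 1 (PowerShell Prompt): run under the service account WITHOUT -RunningConfig so every
# validation check executes. Repeat until it completes without errors.
Import-Module WebsiteFailedLogins
Invoke-WebsiteFailedLogins -Configuration $ConfigPath

# Step 2 (Scheduled Task): the same call with -RunningConfig, which skips the checks above.
$Command = "Import-Module WebsiteFailedLogins; Invoke-WebsiteFailedLogins -Configuration '$ConfigPath' -RunningConfig"
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$Command`""

# Repeat every 10 minutes. Omitting -RepetitionDuration means "indefinitely" on Server 2016+;
# older hosts require -RepetitionDuration ([TimeSpan]::MaxValue).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval (New-TimeSpan -Minutes $IntervalMins)

# Do not start a new instance while the previous one is still running, and cap the run time
# below the interval so a slow run (large log window) cannot pile up.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes ($IntervalMins - 1))

# Use the same account that passed Step 1; supplying -Password stores credentials so the
# task runs whether or not that account is logged on. Least privilege: -RunLevel Limited.
$Cred = Get-Credential -Message 'Service account that will run WebsiteFailedLogins'
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Limited
```

The same task can be created with SCHTASKS /Create /SC MINUTE /MO 10 if the ScheduledTasks cmdlets are unavailable; the important settings are the interval below StartTime, the single-instance policy, and running as the account that was already tested interactively.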

3. Invoked by a Wrapper

This technique requires invoking WebsiteFailedLogins within another PowerShell script that would be launched via Scheduled Tasks. The benefit is having any combination of custom logic to process results. For example:

  • Results can be formatted and submitted to abuseipdb.com
  • Results can be immediately blocked in IIS using cmdlets from the IISAdministration module
  • Results can be blocked in any programmatically feasible way
  • Vulnerability scanners can be excluded
  • Previously blocked IPs can be removed after some timespan

A PowerShell Wrapper is available under Taking Action.

Before taking this approach, be certain all errors have been resolved as described in the first section, PowerShell Prompt. Then use the -RunningConfig switch within the wrapper.
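As an added illustration of the wrapper technique (this is not the wiki's own wrapper under Taking Action), the script below runs the module with -RunningConfig, drops addresses belonging to authorised vulnerability scanners, denies the remaining offenders through the IIS ipSecurity section using IISAdministration cmdlets, and removes deny entries older than a configurable number of days. It assumes Invoke-WebsiteFailedLogins accepts a -Configuration parameter and returns one object per offending client with an IpAddress property (both assumed; adjust to the module's real output), and the file paths and scanner addresses are constructed placeholders.

```powershell
# Added example wrapper, not the one shipped under Taking Action.
# Assumptions: -Configuration is the module's config parameter and the result objects expose
# an IpAddress property; paths and scanner addresses below are placeholders.
Import-Module WebsiteFailedLogins
Import-Module IISAdministration

$ConfigPath = 'C:\WebsiteFailedLogins\config.ini'     # placeholder
$BlockLog   = 'C:\WebsiteFailedLogins\blocked.csv'    # placeholder; our record of when each IP was denied
$BlockDays  = 7                                       # lift deny entries older than this
$ScannerIPs = @('192.0.2.10', '192.0.2.11')           # constructed allowlist (TEST-NET-1 addresses)

# <ipSecurity> entries carry no timestamp, so keep our own block record in a CSV.
$blocked = @{}
if (Test-Path $BlockLog) {
    Import-Csv $BlockLog | ForEach-Object { $blocked[$_.IpAddress] = [datetime]$_.BlockedAt }
}

# 1. Run the module with -RunningConfig (config already validated interactively) and
#    exclude authorised scanners before acting on anything.
$offenders = Invoke-WebsiteFailedLogins -Configuration $ConfigPath -RunningConfig |
    Where-Object { $_.IpAddress -and ($ScannerIPs -notcontains $_.IpAddress) } |
    Select-Object -ExpandProperty IpAddress -Unique

# 2. Server-wide deny list in applicationHost.config. Add -CommitPath 'Default Web Site'
#    to Get-IISConfigSection to scope the rules to a single site instead.
Start-IISCommitDelay
try {
    $ipSec = Get-IISConfigSection -SectionPath 'system.webServer/security/ipSecurity'
    $rules = Get-IISConfigCollection -ConfigElement $ipSec

    foreach ($ip in $offenders) {
        # Overlapping runs report the same IP repeatedly; only add each address once.
        if (-not $blocked.ContainsKey($ip)) {
            New-IISConfigCollectionElement -ConfigCollection $rules `
                -ConfigAttribute @{ ipAddress = $ip; allowed = $false }
            $blocked[$ip] = Get-Date
        }
    }

    # 3. Expire deny entries older than $BlockDays (copy the keys first; we modify the table).
    $cutoff = (Get-Date).AddDays(-$BlockDays)
    foreach ($ip in @($blocked.Keys)) {
        if ($blocked[$ip] -lt $cutoff) {
            # SilentlyContinue covers entries an administrator already removed by hand.
            Remove-IISConfigCollectionElement -ConfigCollection $rules `
                -ConfigAttribute @{ ipAddress = $ip } -ErrorAction SilentlyContinue
            $blocked.Remove($ip)
        }
    }
}
finally {
    Stop-IISCommitDelay   # write every change to applicationHost.config in one commit
}

# 4. Persist the block record for the next invocation.
$blocked.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ IpAddress = $_.Key; BlockedAt = $_.Value.ToString('o') } } |
    Export-Csv -Path $BlockLog -NoTypeInformation
```

Register this script, rather than Invoke-WebsiteFailedLogins directly, as the scheduled task action; the account running it needs write access to applicationHost.config (or the site's web.config when scoped with -CommitPath) in addition to the permissions already verified from the PowerShell prompt.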