phbits edited this page Feb 13, 2021 · 7 revisions

There are three techniques for running this module.

  1. PowerShell Prompt
  2. Scheduled Task
  3. Invoked by a Wrapper

1. PowerShell Prompt

This method should be used before setting up a scheduled task or a wrapper. It involves calling Invoke-WebsiteFailedLogins directly from a PowerShell prompt. This is preferred for the first runs because the module performs many validation checks to ensure everything runs error free. Once there are no more errors, add the -RunningConfig switch when calling the module from a scheduled task or wrapper. Doing so skips nearly all of the validation checks, which makes the script run faster.

Be sure to run the PowerShell prompt as the same user account that the scheduled task or wrapper will run under. Many potential issues are due to permissions (reading event logs or IIS logs, sending mail, writing to the event log), and running interactively as that account surfaces them before the task is scheduled.

2. Scheduled Task

For larger organizations, this method is likely preferred since the Smtp and/or WinEvent alert can be integrated into the appropriate channels (e.g. ticketing, SIEM, etc.).

Launching this module via Task Scheduler should occur more frequently than the window set by StartTime, as this provides overlap. For example, if this module is configured with StartTime = 1800 (30 minutes), scheduling it to run every 600 seconds (10 minutes) provides overlap by including logs from the last three invocations. While this technique will result in an IP being reported multiple times for the same traffic, it also ensures IPs are not missed between runs of the module.

The shortest interval one should use with this module is 5 minutes. If a shorter window is necessary, consider implementing a real-time monitor via ModSecurity or a similar Web Application Firewall (WAF).

Once the configuration file has been finalized and no longer produces errors, run Invoke-WebsiteFailedLogins with the -RunningConfig switch. Doing so skips the validation checks against the configuration file and only performs the operations needed to load and normalize the various settings.
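The following is an added example (not part of the WebsiteFailedLogins project) showing how the overlap described above can be registered as a scheduled task from PowerShell. It assumes the module is installed for the service account, that the configuration file lives at a placeholder path (C:\WebsiteFailedLogins\config.ini), that the configuration file is passed via a -Configuration parameter (parameter name assumed; confirm with Get-Help Invoke-WebsiteFailedLogins -Full), and that the account name and StartTime value are adjusted to your environment.

```powershell
# Added example: register Invoke-WebsiteFailedLogins as a repeating scheduled task.
# Run this from a prompt as the account that will own the task so permission
# problems appear here rather than in the Task Scheduler history.

$ConfigPath     = 'C:\WebsiteFailedLogins\config.ini'   # placeholder path (assumption)
$TaskName       = 'WebsiteFailedLogins'
$ServiceAccount = 'DOMAIN\svc-wfl'                       # placeholder account (assumption)
$StartTimeSec   = 1800   # must match StartTime in the configuration file (30 minutes)
$IntervalMins   = 10     # 10 minutes against a 30 minute window = 3x overlap

# Guard rails taken from the guidance on this page: the interval must be shorter
# than StartTime (otherwise log windows have gaps) and never below 5 minutes.
if (($IntervalMins * 60) -ge $StartTimeSec) {
    throw "Interval ($IntervalMins min) must be shorter than StartTime ($StartTimeSec s) to provide overlap."
}
if ($IntervalMins -lt 5) {
    throw 'Intervals below 5 minutes are not recommended; use a WAF for near real-time monitoring.'
}

# -RunningConfig is only added once the configuration file has been validated
# interactively and no longer produces errors. The -Configuration parameter name
# is an assumption; adjust to the module's actual parameter.
$Command = "Import-Module WebsiteFailedLogins; Invoke-WebsiteFailedLogins -Configuration '$ConfigPath' -RunningConfig"

# -NoProfile and -NonInteractive keep the task from loading profile scripts or
# hanging on a prompt that nobody is there to answer.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"$Command`""

# Repeat every $IntervalMins minutes. Omitting -RepetitionDuration repeats
# indefinitely on current Windows releases; older hosts may need
# -RepetitionDuration ([TimeSpan]::MaxValue).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
    -RepetitionInterval (New-TimeSpan -Minutes $IntervalMins)

# IgnoreNew prevents a slow run from stacking a second instance on top of the
# first; the execution time limit stops a hung run before the next trigger.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes ($IntervalMins - 1))

# Register under the service account. The password is read at registration
# time only; a group managed service account avoids storing one at all.
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -User $ServiceAccount `
    -Password (Read-Host "Password for $ServiceAccount") -RunLevel Limited

# Confirm the task exists and inspect the last result after the first trigger.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo
```

After the first interval elapses, Get-ScheduledTaskInfo shows LastTaskResult; a non-zero value usually points back to a permissions problem that would have shown up when running interactively as the same account.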

3. Invoked by a Wrapper

This technique involves running WebsiteFailedLogins from within another PowerShell script, which is then invoked via Task Scheduler. The benefit of this method is that custom logic can be used to process the results. For example, IP addresses can be submitted to abuseipdb.com or immediately blocked in IIS.
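The following is an added example of such a wrapper (not part of the WebsiteFailedLogins project). It assumes that Invoke-WebsiteFailedLogins returns objects with an IpAddress property (the output shape is an assumption; adjust it to the module's real output), that the configuration file is passed via a -Configuration parameter (assumed name), that the IIS "IP and Domain Restrictions" feature and the WebAdministration module are installed, and that the site name, log path and allow-list ranges are placeholders. It adds a deny rule for each reported address while refusing to block allow-listed internal ranges and skipping addresses already denied, so the repeated reports produced by overlapping runs do not create duplicate rules.

```powershell
#Requires -Modules WebAdministration
# Added example wrapper: run the module with -RunningConfig, then block reported
# IPs in IIS. Output shape, parameter name, paths and ranges are assumptions.
[CmdletBinding()]
param(
    [string]$ConfigPath  = 'C:\WebsiteFailedLogins\config.ini',   # placeholder
    [string]$SiteName    = 'Default Web Site',                     # placeholder
    [string]$LogPath     = 'C:\WebsiteFailedLogins\blocked.log',   # placeholder
    [string[]]$AllowList = @('10.0.0.0/8', '192.168.1.0/24')       # placeholder; never block these
)

# IPv4-only CIDR membership test used to protect the allow-list.
function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipAddr  = $null
    $netAddr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip,  [ref]$ipAddr))  { return $false }
    if (-not [System.Net.IPAddress]::TryParse($net, [ref]$netAddr)) { return $false }
    $ipBytes  = $ipAddr.GetAddressBytes()
    $netBytes = $netAddr.GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)          # to big-endian integers
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

Import-Module WebsiteFailedLogins
# -RunningConfig skips config validation; only use it after interactive runs are clean.
$results = Invoke-WebsiteFailedLogins -Configuration $ConfigPath -RunningConfig

# Deduplicate: overlapping runs report the same IP more than once by design.
$reported = @($results | ForEach-Object { $_.IpAddress } | Where-Object { $_ } | Sort-Object -Unique)

$PSPath = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.webServer/security/ipSecurity'

# Addresses already denied for this site.
$existing = @(Get-WebConfigurationProperty -PSPath $PSPath -Location $SiteName `
    -Filter $Filter -Name 'Collection' | ForEach-Object { $_.ipAddress })

foreach ($ip in $reported) {
    if ($AllowList | Where-Object { Test-InCidr -Ip $ip -Cidr $_ }) {
        Write-Warning "Skipping allow-listed address $ip"
        continue
    }
    if ($existing -contains $ip) {
        Write-Verbose "Already denied: $ip"
        continue
    }
    # Add a deny entry under the site's IP and Domain Restrictions.
    Add-WebConfigurationProperty -PSPath $PSPath -Location $SiteName -Filter $Filter `
        -Name '.' -Value @{ ipAddress = $ip; allowed = 'false' }
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) denied $ip on '$SiteName'"
}
```

Schedule this script with the same overlap rule as the module itself; because deny entries are checked before being added, running it every 10 minutes against a 30 minute StartTime window does not accumulate duplicate rules. The allow-list check is the important safeguard: a misconfigured proxy or load balancer that makes every failed login appear to come from one internal address would otherwise lock out all users.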