phbits edited this page Mar 6, 2021 · 4 revisions

This module serves as an Intrusion Detection System (IDS): it only alerts when failed login attempts are found and takes no blocking action itself, because taking action has many nuances, as described below. When taking action on an IP address, keep in mind the application being protected and the data it has access to. A website hosting restricted data will be handled differently than others.

Considerations when blocking

  1. Is the IP a proxy, NAT gateway, or similar device that actually represents many private IP addresses behind it (e.g. RFC 1918 ranges)? If so, be cautious about blocking it, since a single block can cut off all of the legitimate users sharing that address.
  2. How the block is implemented. Some websites may find an outright block acceptable. Others may need a more cautious approach, such as sending the user to a landing page informing them they have exceeded the allowable threshold.
  3. Blocking and/or rate limiting an IP address is a judgement call based on the application being protected and the technology in use. Should the IP be blocked at the:
    • Website - Block only that site, allowing all other traffic to the web server, including traffic to other hosted websites. In IIS this can be achieved via IP and Domain Restrictions.
    • Server - Block only certain ports, or everything, by adding the IP address to a Windows Firewall (wf.msc) rule.
    • VIP - Block access at the virtual IP, which is likely a load balancer. Again, should the IP be completely blocked or only denied certain ports and protocols? Some load balancers have an API that allows configuration updates like this, so a single IP can be blocked programmatically.
    • Perimeter - Perhaps the failed login attempts are a symptom of a larger attack that warrants a perimeter block.
    • Other - Each network is unique, as are its capabilities; there are many other ways to address a nefarious IP, such as null routing, sandboxing, etc.
  4. Unblocking formerly blocked and/or rate-limited IP addresses is also a judgement call unique to the application being protected and the technology used. It also requires maintaining a persistent data store to track when an IP was blocked and therefore when to unblock it.
  5. Automated vulnerability scanners and/or status monitors may trigger thresholds and need to remain unblocked, which means keeping an allowlist that is checked before any block is applied.
  6. The process of integrating a Windows Event and/or email alert varies between organizations, let alone the process of taking action on such occurrences.
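The following is an added example and not code from the Invoke-WebsiteFailedLogins module. It shows one way to act on the considerations above at the "Server" level: a Windows Firewall block limited to the web ports, an allowlist for scanners, monitors and known NAT/proxy egress addresses that must never be blocked, and a JSON state file recording when each IP was blocked so the block can be lifted after a fixed period. The state file path, rule name prefix, block duration, ports and allowlist entries are all placeholders; the decision that an IP has exceeded the threshold is assumed to have been made by the caller.

```powershell
# Added example (not part of the Invoke-WebsiteFailedLogins module): server-level block
# via Windows Firewall with an allowlist and a persistent state file for timed unblocking.
# Requires the NetSecurity module (Windows 8/2012+) and an elevated PowerShell session.

$StateFile  = 'C:\ProgramData\WebsiteFailedLogins\blocks.json'   # assumed location
$RulePrefix = 'WebsiteFailedLogins-Block-'                        # assumed rule naming
$BlockHours = 24                                                  # assumed block duration
$BlockPorts = @(80, 443)                                          # block only the web ports, not the whole host
$AllowList  = @('203.0.113.10', '198.51.100.0/24')                # placeholder scanner / NAT egress entries

# 32-character binary string of an IPv4 address, used for CIDR prefix comparison.
function ConvertTo-BitString {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()   # network byte order
    ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
}

# True if $IPAddress is listed explicitly or falls inside a listed IPv4 CIDR range.
function Test-AllowListed {
    param([Parameter(Mandatory)][string]$IPAddress)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return ($AllowList -contains $IPAddress)   # exact matches only for IPv6 in this example
    }
    $ipBits = ConvertTo-BitString -Address $ip
    foreach ($entry in $AllowList) {
        if ($entry -notmatch '/') {
            if ($entry -eq $IPAddress) { return $true }
            continue
        }
        $network, $prefix = $entry -split '/'
        $netBits = ConvertTo-BitString -Address ([System.Net.IPAddress]::Parse($network))
        if ($ipBits.Substring(0, [int]$prefix) -eq $netBits.Substring(0, [int]$prefix)) { return $true }
    }
    return $false
}

# The persistent data store: one record per blocked IP with block and expiry timestamps.
function Get-BlockState {
    if (Test-Path -Path $StateFile) { @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json) } else { @() }
}

function Save-BlockState {
    param([object[]]$State)
    $dir = Split-Path -Path $StateFile -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # -InputObject @() keeps a single entry serialised as a JSON array on Windows PowerShell 5.1.
    ConvertTo-Json -InputObject @($State) -Depth 3 | Set-Content -Path $StateFile -Encoding UTF8
}

function Add-FailedLoginBlock {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Reason = 'failed login threshold exceeded'
    )
    if (Test-AllowListed -IPAddress $IPAddress) {
        Write-Warning "$IPAddress is allowlisted (scanner, monitor or shared NAT egress); not blocking."
        return
    }
    $ruleName = "$RulePrefix$IPAddress"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $BlockPorts -RemoteAddress $IPAddress -Profile Any | Out-Null
    }
    # Re-blocking an IP refreshes its expiry rather than creating a duplicate record.
    $state  = @(Get-BlockState | Where-Object { $_.IPAddress -ne $IPAddress })
    $state += [pscustomobject]@{
        IPAddress  = $IPAddress
        Reason     = $Reason
        BlockedUtc = [DateTimeOffset]::UtcNow.ToString('o')
        ExpiresUtc = [DateTimeOffset]::UtcNow.AddHours($BlockHours).ToString('o')
    }
    Save-BlockState -State $state
}

# Lifts blocks whose period has passed; run this from the same scheduled task as the block step.
function Remove-ExpiredFailedLoginBlock {
    [CmdletBinding()] param()
    $now  = [DateTimeOffset]::UtcNow
    $keep = @()
    foreach ($entry in Get-BlockState) {
        if ([DateTimeOffset]$entry.ExpiresUtc -gt $now) { $keep += $entry; continue }
        Remove-NetFirewallRule -DisplayName "$RulePrefix$($entry.IPAddress)" -ErrorAction SilentlyContinue
        Write-Verbose "Unblocked $($entry.IPAddress) (blocked at $($entry.BlockedUtc))"
    }
    Save-BlockState -State $keep
}

# Usage with placeholder (documentation-range) addresses:
Add-FailedLoginBlock -IPAddress '192.0.2.25'       # blocked on 80/443 and recorded with a 24h expiry
Add-FailedLoginBlock -IPAddress '198.51.100.77'    # inside an allowlisted range, so skipped with a warning
Remove-ExpiredFailedLoginBlock -Verbose
```

The allowlist check runs before any firewall call so that a scanner or a shared NAT address is never blocked even by mistake; the block rule is scoped to the web ports so that management traffic from the same source (RDP, WinRM, monitoring) is unaffected; and the expiry is stored alongside the block because the firewall rule itself carries no record of when it was created.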

Action Techniques

There are two techniques for taking action.

  1. Event Trigger - best when alerts are written to the Windows Event Log. A scheduled task with an event trigger runs the response in reaction to the alert event. This works well on standalone systems as well as those using Windows Event Collection (WEC), where the trigger can fire on the collector.
  2. Wrapper - A wrapper script is launched via Scheduled Tasks and runs Invoke-WebsiteFailedLogins itself. It can then work with the returned object to perform any desired task.
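The following is an added example and not code from the Invoke-WebsiteFailedLogins module. It registers the two kinds of scheduled task the techniques above rely on: an event-triggered task that runs a handler script whenever the alert event is logged, and a time-triggered task for the wrapper technique. The event log name, provider name, event ID, task names and script paths are all assumptions; take the real log, provider and event ID from the events the module writes on your system (for example by inspecting them with Get-WinEvent). The contents of the handler and wrapper scripts depend on the module's parameters and returned object and are not assumed here.

```powershell
# Added example (not part of the Invoke-WebsiteFailedLogins module): registering the
# scheduled tasks for the Event Trigger and Wrapper techniques. Run from an elevated session.

$LogName  = 'Application'                            # assumed log the alert is written to
$Provider = 'Invoke-WebsiteFailedLogins'             # assumed event provider / source name
$EventId  = 100                                      # assumed event ID of the alert
$Handler  = 'C:\Scripts\Handle-FailedLogins.ps1'     # hypothetical response script
$Wrapper  = 'C:\Scripts\Invoke-FailedLoginsWrapper.ps1'  # hypothetical wrapper script

# --- Technique 1: Event Trigger -------------------------------------------------------
# The same XPath filter you would use in Event Viewer's "Custom View" / Get-WinEvent.
$subscription = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[Provider[@Name='$Provider'] and EventID=$EventId]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger cannot create event triggers, so build one through the CIM class.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$eventTrigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$eventTrigger.Subscription = $subscription
$eventTrigger.Enabled      = $true

$handlerAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Handler`""

# Run as SYSTEM (needed to modify firewall rules), never overlap instances, and cap runtime.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName 'WebsiteFailedLogins-EventTrigger' `
    -Trigger $eventTrigger -Action $handlerAction -Principal $principal -Settings $settings -Force | Out-Null

# --- Technique 2: Wrapper -------------------------------------------------------------
# A time trigger runs the wrapper every 15 minutes; the wrapper calls Invoke-WebsiteFailedLogins
# and acts on the returned object (its shape is the module's own and is not assumed here).
$timeTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)

$wrapperAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Wrapper`""

Register-ScheduledTask -TaskName 'WebsiteFailedLogins-Wrapper' `
    -Trigger $timeTrigger -Action $wrapperAction -Principal $principal -Settings $settings -Force | Out-Null

# Verify both tasks exist and are ready.
Get-ScheduledTask -TaskName 'WebsiteFailedLogins-*' | Select-Object TaskName, State
```

On a WEC collector the event-triggered task is registered the same way, but the Subscription path is the ForwardedEvents log (or whichever log the subscription targets) rather than the local Application log, and the handler then needs the forwarding host's name from the event to know which server to act on.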