Auto blocking attacking IP address?!

  • Question

  • Dear all,

    Sorry if this has already been answered. I spent an hour searching the forum, but didn't find anything useful.

    The question, which I believe many have already asked, is: when you leave your Windows Server 2008 on the Internet, serving IIS, FTP, Remote Desktop, etc., you'll see lots of attacks (i.e. attempts to log in by brute force). Although I could get these IP addresses from the Security log and then add them to the Firewall block list, it's manual work.

    How about something magic that detects this and auto-blocks this IP on everything for, say, 5 mins?

    Best regards,


    Tuesday, June 21, 2011 11:12 AM


All replies

  • Hi,


    Stopping brute force attacks automatically isn't the job of a web server, or any server for that matter. Some smart IDSes and expensive firewalls have this feature, I think.

    Wednesday, June 22, 2011 2:56 AM
  • That's something I didn't realize. So in fact Windows Firewall with Advanced Features should be discontinued and leave that function to some 3rd party companies.

    Apparently protection from Internet attack is not in the interest for Windows Server 2008/R2?!

    Tech-wise, how difficult can this be? If I can check the Security Log, identify bad IPs and add them to the block list, why can't the system do this for me?

    Someone from MS to confirm this?




    Thursday, June 23, 2011 1:25 PM
  • Hi Dong,


    Thank you for your post.


    By providing host-based, two-way network traffic filtering for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer.


    By using the Software Configuration Wizard (SCW), you can create firewall rules to allow this computer to send traffic to or receive traffic from programs, system services, computers, or users. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria: allow the connection, only allow a connection that is secured through the use of Internet Protocol security (IPsec), or explicitly block the connection.


    The firewall rules should be created manually, and they cannot be created by Windows Firewall itself.


    For more information about Windows Firewall:


    Best Regards,


    • Marked as answer by James Zou (Moderator) Tuesday, June 28, 2011 3:45 AM
    • Unmarked as answer by Xied75 Tuesday, June 28, 2011 10:27 AM
    Friday, June 24, 2011 1:39 AM
  • I managed to write a PowerShell script for this, to ACTIVELY protect my ports. :)

    Anyone interested to see it?




    Friday, October 7, 2011 10:41 AM
  • It should be a useful script. Can you share it? Thanks
    Friday, October 7, 2011 3:42 PM
  • Please do, Xied! I have been looking for such a thing for a long time.
    Monday, October 24, 2011 3:20 PM
  • Dear everyone,

    I finally got time to finish a blog on this, please check the code there.



    • Marked as answer by Xied75 Tuesday, April 24, 2012 1:20 PM
    Tuesday, March 6, 2012 7:31 PM
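
The approach discussed in this thread (read failed logons from the Security log, then put the source IPs into a firewall block rule), as an added example that is not Xied75's script or any other code from the original posts. It assumes failed logons are recorded as Security event 4625 with a source address; the rule name, threshold, window and allowlist values are placeholders.

```powershell
# Added example (not from the thread): rebuild one firewall block rule from recent
# failed logons. Run elevated, e.g. from a scheduled task every minute.
$RuleName   = 'AutoBlock-FailedLogons'             # hypothetical rule name
$Threshold  = 5                                    # failures in the window that trigger a block
$WindowMins = 5                                    # look-back window = effective block time
$NeverBlock = @('127.0.0.1', '::1', '192.0.2.10')  # constructed allowlist; put your admin IPs here

function Get-OffendingIp {
    param([object[]]$Events, [int]$Threshold, [string[]]$NeverBlock)
    $Events |
        ForEach-Object {
            # Event 4625 stores the source address in the EventData field named IpAddress
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        } |
        Where-Object { $_ -and $_ -ne '-' -and $NeverBlock -notcontains $_ } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { $_.Name }
}

# 4625 = "An account failed to log on" (Security log, Windows Server 2008 and later)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$WindowMins) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$badIps = @(Get-OffendingIp -Events $events -Threshold $Threshold -NeverBlock $NeverBlock)

# Replace the rule on every run: addresses that stop failing age out after the window,
# and an address blocked by mistake is released by adding it to $NeverBlock.
netsh advfirewall firewall delete rule "name=$RuleName" | Out-Null
if ($badIps.Count -gt 0) {
    $remote = 'remoteip=' + ($badIps -join ',')
    netsh advfirewall firewall add rule "name=$RuleName" dir=in action=block $remote | Out-Null
    Write-Output "Blocked: $($badIps -join ', ')"
} else {
    Write-Output 'No address reached the threshold; block rule removed.'
}
```

Logons that do not record a source address (an IpAddress of `-`) are skipped, so confirm on your own server that the services you want covered actually log one.
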
  • Hi.

    You may also be interested in having a look at

    Friday, July 6, 2012 2:40 PM
  • Nice job.

    If only there were a time machine so I could travel back. :)

    A point to note:

    Seriously, any Windows Server admin will question himself/herself twice (probably more) before downloading/trying something unknown, especially about security settings. A PowerShell script is probably easier for them to decide/see inside, compared with a full program/service without source code.



    Friday, July 6, 2012 3:06 PM
  • Hehe.

    Yeah I see your point and I would recommend people to test it out in a test environment first.

    I've actually used it for months now and it worked brilliantly for our needs. I did try a few PowerShell scripts and VBS scripts, but since I'm not really a code guy they didn't fit my needs, as I wanted more reporting and also to protect SMTP AUTH and stuff on the servers.

    Monday, July 16, 2012 11:59 AM
  • Greetings from the distant future ;)

    I've faced this issue with IIS for a while now. Personally, I run Apache on my Windows home server (even though WHS comes with IIS!) to serve my personal website from home. I do this because Apache doesn't have any integration with Windows at all, or the resulting mix of authentication that opens it up to such attacks. It's very frustrating that Microsoft ties something as hackable as IIS in so closely with Windows functions like RPC-over-HTTP and integrated Windows authentication. If not for RPC-over-HTTP, Microsoft products like Exchange could just communicate like everything else does - internally over shared memory or named pipes using its own (more-optimized!) protocols.

    So it's really quite frustrating to do some work for a company and have to fight with IIS to make it secure and perform well. Seeing w3wp.exe activity all the time, blown-up log files, and to go through those log files seeing thousands of requests of various types that I KNOW a company's users are not doing (because the company's users don't even know remote access is available or what the address is). But the site uses Exchange, and we'd like to polish up and provide remote access for the users.

    While I can (and have) used a custom port for RDP and don't even use FTP at all, we can't change port 80 if we expect things to work right. So it's a big "welcome mat" for script kiddies and port scanners. The attacks are obvious and persistent, so I agree 110% with OP - why isn't this part of IIS' core functionality? If it were, and if IIS weren't such a bloated disaster of a piece of "server" software (is the server dev team made of fresh-off-the-graduation-stage morons?), I might run it instead of Apache. Or I might even consider running Exchange at home. But I don't.

    The insultingly stupid response by "James Zou, moderator" which was also painfully marked as an answer with an ego eclipsing Kanye West, just reinforces how much I hate Microsoft's lack of real-world understanding. The firewall doesn't even have knowledge of requests passed through it - once it's accepted, its job is done - if that connection happens again in a hundredth of a second, it doesn't care, that's another happy request. Plus, if you block based on connection frequency, legit apps will be blocked since they use multiple requests the same as the scanners/brute-force scripts do. I can't even believe I'm explaining how stupid that "answer" was... YET THE GUY HAD THE GALL TO MARK IT AS ANSWERED. Ugh, Microsoft... :(

    Rantmode off. I saw the script and wanted to use it, but it only filters RDP and FTP, which are our two non-issues. Since the filters are written based on each one's detection mechanism, I'm not sure exactly how I can tweak it to work with IIS and HTTP requests. So I'm still looking for a solution to this, though I wouldn't be surprised if, like nearly everything else and like OP has had to do, I'll have to write the fix myself - probably adapted from Xied75's seemingly well-written script in the actual answer. :)

    • Edited by FalconFour Friday, August 8, 2014 8:28 AM
    Friday, August 8, 2014 8:23 AM
  • Hi, FalconFour,

    Thanks for the good word. Although I'm not quite sure how you would protect your port 80. I mean, for FTP and RDP, they make a connection first, then try to authenticate and leave a failed trail in the sys log; for your port 80, they don't authenticate for your HTTP. Say, if you have an ASP.NET website, you could configure the lockout there for consecutive failed logins. Otherwise I might be confused.

    Another thing, may I suggest: it's time to move on, move to Azure; it's much cheaper and less effort to have a VM there than to maintain your own Home Server. It won't make you feel less geeky, I believe. :)

    p.s. If you still prefer to get the PowerShell script working, let me know.

    Best regards,


    Friday, August 8, 2014 1:28 PM
  • I know this is super old, but I just implemented it on a Windows 10 machine with perfect results. Question: While testing it out, I managed to block the IP of my cell phone. I'm happy this happened (means it works!). But how do I now remove the IP address from the block list?
    Saturday, October 5, 2019 2:09 AM
  • Just figured it out. I swear the IPs were not populating in the rule the first time I looked... 

    Thank you so much for this simple solution

    Saturday, October 5, 2019 2:17 AM