We had several websites hosted on a Windows server, and there were frequent attempts to attack those websites using SQL injection.
I needed a script to add IP addresses in bulk to a Windows Firewall rule on that server.
Custom 500 error page
We configured web.config to show a custom 500 error page instead of the default one.
In that custom 500 page, we have a script that logs the error and sends us an email whenever one occurs.
We use this for debugging and fixing issues with the application we run.
This is the web.config configuration that enables the custom error page:
<httpErrors>
<remove statusCode="500" subStatusCode="100" />
<error statusCode="500" subStatusCode="100" path="/iishelp/common/500-100.asp" responseMode="ExecuteURL" />
</httpErrors>
And in our "500-100.asp" (custom error page) we had the following code:
' Get the ASPError object for the error that triggered this page
Dim objASPError, strMessage
Set objASPError = Server.GetLastError()
' Build one message with the request details and the error details
strMessage = "HTTP Referrer : " & Request.ServerVariables("HTTP_REFERER") & vbCrLf & _
"URL : " & Request.ServerVariables("URL") & vbCrLf & _
"IP Address: " & Request.ServerVariables("REMOTE_ADDR") & vbCrLf & _
"Browser: " & Request.ServerVariables("HTTP_USER_AGENT") & vbCrLf & _
"Category: " & objASPError.Category & vbCrLf & _
"Filename: " & objASPError.File & vbCrLf & _
"ASP Code: " & objASPError.ASPCode & vbCrLf & _
"Error Number: " & objASPError.Number & vbCrLf & _
"Source: " & objASPError.Source & vbCrLf & _
"Line Number: " & objASPError.Line & vbCrLf & _
"Column: " & objASPError.Column & vbCrLf & _
"Description: " & objASPError.Description & vbCrLf & _
"ASP Description: " & objASPError.ASPDescription & vbCrLf & _
"All HTTP: " & Request.ServerVariables("ALL_HTTP") & vbCrLf & _
"POST Fields: " & Request.Form & vbCrLf & _
"GET Fields: " & Request.QueryString & vbCrLf
This message is sent as an email and also logged in an Error Log table.
Using the IP address from the error message, we wanted to block the IP address range whenever we found a hacking attempt on the website.
PowerShell Script
We were adding the IP address range to the Firewall rule manually.
For example, if the IP address was "157.55.39.12", we would add the whole /24 range, "157.55.39.0/24", to the blocking Firewall rule.
Doing this by hand was cumbersome.
So we used the following PowerShell script to add the IP address ranges to the Firewall rule automatically.
param (
    [Parameter(Mandatory = $true)]
    [string]
    $FirewallRuleName,
    [Parameter(Mandatory = $true)]
    [string[]]
    $NewIPs
)
# -Name matches the rule's Name property (its identifier), not the DisplayName shown in the GUI;
# use -DisplayName on both cmdlets below if your rule is only known by its display name
$firewallRule = Get-NetFirewallRule -Name $FirewallRuleName
$existingRemoteAddresses = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $firewallRule).RemoteAddress
# Convert the existing remote addresses and new IP addresses to arrays
$existingRemoteAddressesArray = $existingRemoteAddresses -split ","
$updatedRemoteAddresses = $existingRemoteAddressesArray + $NewIPs
# Remove any leading or trailing spaces, empty entries and duplicates from the IP addresses
$updatedRemoteAddresses = $updatedRemoteAddresses.Trim() | Where-Object { $_ } | Select-Object -Unique
# Replace the rule's remote address list with the merged list
Set-NetFirewallRule -Name $FirewallRuleName -RemoteAddress $updatedRemoteAddresses -Confirm:$false
#Write-Output $updatedRemoteAddresses
The script was stored as AddFirewall.ps1 in the folder "C:\PowerShellScripts".
It was called from PowerShell as follows:
cd C:\PowerShellScripts
.\AddFirewall.ps1 -FirewallRuleName "Block Other Server IP Addresses" -NewIPs "157.55.39.0/24", "5.255.231.0/24", "213.180.203.0/24", "207.46.13.0/24", "114.119.159.0/24", "114.119.133.0/24"
With this script we were able to add many IP address ranges to the Firewall rule and block offending IP addresses.
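As an added example, not code from the original post, the following PowerShell script joins the two halves of the workflow described above: it pulls the "IP Address:" values out of messages in the format produced by the 500-100.asp page, converts each address to its /24 range the way the post does by hand, and adds only the ranges the Firewall rule does not already contain. The function names, the rule name and the sample log text are assumptions made for this example; the log text is constructed.

```powershell
# Added example (not from the original post). Assumes a block rule whose Name is
# 'Block Other Server IP Addresses'; the sample log text below is constructed.

function ConvertTo-Slash24Range {
    param([Parameter(Mandatory = $true)][string]$IPAddress)
    # Only IPv4 is handled; TryParse rejects malformed input instead of blocking garbage
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: '$IPAddress'"
    }
    $octets = $parsed.GetAddressBytes()
    # 157.55.39.12 -> 157.55.39.0/24
    return ('{0}.{1}.{2}.0/24' -f $octets[0], $octets[1], $octets[2])
}

function Get-LoggedIPAddresses {
    param([Parameter(Mandatory = $true)][string]$LogText)
    # Extract the value after "IP Address:" from the error-page message format
    [regex]::Matches($LogText, 'IP Address:\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Select-Object -Unique
}

function Add-BlockedRanges {
    param(
        [Parameter(Mandatory = $true)][string]$FirewallRuleName,
        [Parameter(Mandatory = $true)][string[]]$IPAddresses
    )
    $rule = Get-NetFirewallRule -Name $FirewallRuleName
    # 'Any' is the placeholder for an empty remote address list; drop it before merging
    $current = @(
        @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress) |
            Where-Object { $_ -and $_ -ne 'Any' }
    )
    $wanted = $IPAddresses | ForEach-Object { ConvertTo-Slash24Range $_ } | Select-Object -Unique
    $new = @($wanted | Where-Object { $current -notcontains $_ })
    if ($new.Count -eq 0) {
        Write-Output 'Nothing to add; all ranges are already in the rule.'
        return
    }
    Set-NetFirewallRule -Name $FirewallRuleName -RemoteAddress ($current + $new) -Confirm:$false
    Write-Output "Added: $($new -join ', ')"
}

# Constructed sample: fragments of three error-page messages
$sampleLog = @"
IP Address: 157.55.39.12
Browser: Mozilla/5.0
IP Address: 157.55.39.200
Browser: curl/8.0
IP Address: 5.255.231.7
"@

$ips = Get-LoggedIPAddresses -LogText $sampleLog
# The two 157.55.39.x addresses collapse into one range, so at most two /24s are added
Add-BlockedRanges -FirewallRuleName 'Block Other Server IP Addresses' -IPAddresses $ips
```

The `-notcontains` check keeps the list idempotent, so the script can be run from a scheduled task over the whole error log without growing the rule with duplicates. Blocking a whole /24 for one offending address also cuts off every other host in that range, so it is worth reviewing the rule's address list periodically and removing ranges that are no longer needed.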