Ban IP of FTP abuser using VBScript

Ban IP of FTP abuser using VBScript

am 30.10.2006 22:45:45 von C

A while back, I wrote a VBScript
(http://blog.netnerds.net/2006/07/ban-administrator-ftp-login-attemps/)
that uses Event Viewer, IIS://, IPSECURITY and the IIS logfile parser.
It works well, except that in order to enforce the ban of the IPs, IIS must be
restarted. I'm sure I'm probably just missing a line. Can anyone assist?
Here's the script:

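' Push Event Viewer Alert
' Subscribes asynchronously to new NT event-log records whose source is
' MSFTPSVC and whose event code is 100 (presumably the FTP failed-logon
' event; confirm against the server's event log). Every matching record is
' delivered to EVSINK_OnObjectReady through the "EVSINK_" sink prefix.
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set eventSink = WScript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")

' The query is one logical string; it is split with "& _" so the statement
' survives line wrapping (the listing as posted was broken mid-string).
strWQL = "Select * from __InstanceCreationEvent where " & _
         "TargetInstance isa 'Win32_NTLogEvent' and " & _
         "TargetInstance.SourceName = 'MSFTPSVC' and " & _
         "TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink, strWQL

' Keep it going forever: the script must stay alive for the sink to receive
' events. If the script exits (for example on an unhandled run-time error in
' the handler), banning stops without any notice.
While (True)
    WScript.Sleep(1000)
Wend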

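' Event-sink handler: runs once for every MSFTPSVC event delivered by the
' WMI subscription.
'
' When the event message mentions "administrator", the newest log file of
' every FTP site is scanned and each client IP whose logged URI stem is
' "administrator" is added to the FTP service's IPDeny list, merged with the
' entries that are already denied.
'
' Parameters:
'   objObject       - the __InstanceCreationEvent; only TargetInstance.Message is read.
'   objAsyncContext - unused.
'
' Operational caveats for whoever deploys this:
'   * Any address that used the name "administrator" in the current log is
'     denied, including a legitimate administrator and every user behind the
'     same NAT address. There is no allow-list, so keep a management path that
'     does not depend on FTP.
'   * Entries are only ever added; nothing here expires or removes a ban.
'   * Nothing is written when GrantByDefault is False.
Sub EVSINK_OnObjectReady(objObject, objAsyncContext)
    ' The listing as posted matched "administrator " with a trailing space.
    ' That space sits exactly where the page wrapped other long tokens, so it
    ' is treated as an artifact and dropped here.
    If InStr(LCase(objObject.TargetInstance.Message), "administrator") > 0 Then
        Set objFTPSVC = GetObject("IIS://localhost/MSFTPSVC")
        Set WshShell = CreateObject("WScript.Shell")
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objLog = CreateObject("MSWC.IISLog")
        Set objDictionary = CreateObject("Scripting.Dictionary")
        Set objFTPIPSec = objFTPSVC.IPSecurity

        ' Iterate through each FTP site under the service.
        For Each objSITE In objFTPSVC
            If LCase(objSITE.Class) = "iisftpserver" Then
                ftpLogFilePath = WshShell.ExpandEnvironmentStrings(objSITE.LogFileDirectory) & _
                                 "\msftpsvc" & objSITE.Name

                ' Pick the most recently modified file instead of relying on
                ' enumeration order. Reset per site so a site without logs
                ' never re-reads the previous site's file.
                strLogFile = ""
                If objFSO.FolderExists(ftpLogFilePath) Then
                    Set objFolder = objFSO.GetFolder(ftpLogFilePath)
                    For Each objFile In objFolder.Files
                        isNewer = (strLogFile = "")
                        If Not isNewer Then isNewer = (objFile.DateLastModified > newestStamp)
                        If isNewer Then
                            strLogFile = objFile.Path
                            newestStamp = objFile.DateLastModified
                        End If
                    Next
                    Set objFolder = Nothing
                End If

                If strLogFile <> "" Then
                    ' Use the IIS log file parser provided by MSFT.
                    ' (FileName, IOMode, ServiceName, ServiceInstance, OutputLogFileFormat)
                    ' IOMode 1 = ForReading; OutputLogFileFormat 0 = NotApplicable.
                    ' NOTE(review): ServiceInstance is hard-coded to 1 for every
                    ' site; confirm this is intended when more than one FTP site exists.
                    objLog.OpenLogFile strLogFile, 1, "MSFTPSVC", 1, 0
                    While Not objLog.AtEndOfLog
                        objLog.ReadLogRecord
                        If LCase(objLog.URIStem) = "administrator" Then
                            ClientIP = objLog.ClientIP
                            If Not objDictionary.Exists(ClientIP) Then
                                ' Only the key is used; the value is padding.
                                objDictionary.Add ClientIP, "255.255.255.255"
                            End If
                        End If
                    Wend
                    objLog.CloseLogFiles 1
                End If
            End If
        Next

        ' Append the newly banned IPs to the currently banned IPs.
        If objDictionary.Count > 0 And objFTPIPSec.GrantByDefault = True Then
            bannedIPArray = objFTPIPSec.IPDeny
            If IsArray(bannedIPArray) Then
                For i = 0 To UBound(bannedIPArray)
                    ' Existing entries carry a mask after a comma. Tolerate
                    ' entries without one rather than calling Left(..., -1),
                    ' which would raise an error and end the script.
                    commaPos = InStr(bannedIPArray(i), ",")
                    If commaPos > 0 Then
                        ClientIP = Left(bannedIPArray(i), commaPos - 1)
                    Else
                        ClientIP = bannedIPArray(i)
                    End If
                    If Not objDictionary.Exists(ClientIP) Then
                        ' Guard against a duplicate entry in IPDeny, which
                        ' would make Add fail on an existing key.
                        If Not objDictionary.Exists(bannedIPArray(i)) Then
                            objDictionary.Add bannedIPArray(i), "255.255.255.255"
                        End If
                    End If
                Next
            End If

            objFTPIPSec.IPDeny = objDictionary.Keys
            objFTPSVC.IPSecurity = objFTPIPSec
            objFTPSVC.SetInfo
            ' NOTE(review): the list is written at the MSFTPSVC service level
            ' only. The author reports bans take effect only after an IIS
            ' restart; the cause is not visible here. Check whether the
            ' individual sites carry their own IPSecurity setting.
        End If

        Set objFTPIPSec = Nothing
        Set objDictionary = Nothing
        Set objLog = Nothing
        Set objFSO = Nothing
        Set WshShell = Nothing
        Set objFTPSVC = Nothing
    End If
End Sub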