WebsiteFailedLogins

2.0

This PowerShell module was created to identify the following scenarios affecting IIS-hosted websites:

1. Brute Force Login Attempts - excessive failed logins from a single IP address and often targeting a single account.
2. Password Spraying Attempts - excessive failed logins from a single IP address using a single password across multiple user accounts.
3. Distributed Login Attempts - either of the above techniques being sourced from multiple IP addresses.

It uses Microsoft Logparser and a configuration file to parse the target website's IIS logs. When a threshold is met or exceeded, an alert is written to standard output, sent by email, and/or written to a Windows Event Log. No changes are needed on the web server. The module can also run on a separate system that has access to the IIS logs.

Check out the wiki for details: https://github.com/phbits/WebsiteFailedLogins/wiki
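The threshold logic described above can be sketched in a few lines of PowerShell. This is an added example, not the module's own code: it reads the log text directly instead of calling Logparser and treats the whole sample as one time window. The function name, the use of HTTP 401 as the failed-login marker, both threshold values and the sample log lines are assumptions made for illustration.

```powershell
# Constructed sample W3C log lines (not real traffic); IPs are from documentation ranges.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-13 10:00:01 203.0.113.10 POST /login 401
2021-03-13 10:00:02 203.0.113.10 POST /login 401
2021-03-13 10:00:03 203.0.113.10 POST /login 401
2021-03-13 10:00:04 198.51.100.7 POST /login 401
2021-03-13 10:00:05 198.51.100.8 POST /login 401
2021-03-13 10:00:06 192.0.2.44 POST /login 200
2021-03-13 10:00:07 192.0.2.44 GET /index.html 200
'@

function Get-FailedLoginSummary {   # hypothetical helper, not part of the module
    param(
        [string[]] $Line,
        [int] $FailedStatus = 401,   # assumption: status code that marks a failed login
        [int] $PerIpThreshold = 3,   # assumption: per-IP alert threshold
        [int] $TotalThreshold = 5    # assumption: all-IP (distributed) alert threshold
    )
    $ipIdx = -1; $stIdx = -1; $count = 0; $perIp = @{}; $total = 0
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column positions come from the log's own header, never hard-coded.
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            $ipIdx  = [array]::IndexOf($fields, 'c-ip')
            $stIdx  = [array]::IndexOf($fields, 'sc-status')
            $count  = $fields.Count
            continue
        }
        # Skip other directives, blank lines, and rows seen before a usable header.
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or $ipIdx -lt 0 -or $stIdx -lt 0) { continue }
        $values = @($l.Trim() -split '\s+')
        if ($values.Count -ne $count) { continue }   # malformed row
        if ($values[$stIdx] -eq "$FailedStatus") {
            $perIp[$values[$ipIdx]] = [int]$perIp[$values[$ipIdx]] + 1
            $total++
        }
    }
    [pscustomobject]@{
        TotalFailed      = $total
        DistributedAlert = ($total -ge $TotalThreshold)
        OffendingIp      = @($perIp.GetEnumerator() | Where-Object { $_.Value -ge $PerIpThreshold } | ForEach-Object { $_.Key })
    }
}

Get-FailedLoginSummary -Line ($sampleLog -split '\r?\n')
```

Keeping the per-IP count and the total as separate checks is what lets a distributed attempt raise an alert even when no single address reaches its own threshold.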

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name WebsiteFailedLogins

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Author(s)

phbits

Tags

IIS Logparser W3SVC Logs FailedLogin BruteForce PasswordSpray Detection IDS

Functions

Invoke-WebsiteFailedLogins Get-WebsiteFailedLoginsReadme Copy-WebsiteFailedLoginsReadme Get-WebsiteFailedLoginsDefaultConfiguration Copy-WebsiteFailedLoginsDefaultConfiguration

Dependencies

This module has no dependencies.

Release Notes

## [2.0.0.0] - 2021-03-13

### Added

- WinEvent and Smtp alert data can now be formatted in text, json, or xml.
- FriendlyName setting available in configuration ini to better describe website.
- Added configuration validation checks.
- Detailed documentation at: https://github.com/phbits/WebsiteFailedLogins/wiki

### Changed

- Performs just one Logparser query when launching Invoke-WebsiteFailedLogins.
- Returned data is a hashtable object.
- Placed related functions into separate module files.
- Improved configuration validation.
- Improved Alert logic.
- System.Diagnostics.Process wrapper runs Logparser script.
- Standardized all timestamps to UTC.
- Updated function documentation and README.

### Removed

- Usage of global variables for sharing configuration settings.

## [1.0.0.0] - 2019-01-30

### Changed

- Initial release
   - Tested on Windows Server 2016

Version History

| Version | Downloads | Last updated |
| --- | --- | --- |
| 2.0 (current version) | 88 | 3/13/2021 |
| 1.0 | 182 | 1/30/2019 |