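Windows IIS Log File Parser

Source: Internet
Uploaded by: User

  Windows Server provides event logging, and its IIS log files record information such as who visited your website and what content the visitors viewed. By reviewing these log files regularly, a site administrator can detect which aspects of the server or website are vulnerable to attack or have other security weaknesses.

  However, current log analysis tools are not very complete and lack some features; in particular, few of them analyze attacks aimed at one specific URL. Below is a VBScript program that, once saved as a .vbs file, can be run on the server to analyze the IIS log and identify the IP addresses attacking a specific URL.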

' Code start
targeturl = "/archives/2761.html"  ' URL of the page under attack.
logfilepath = "C:\LogFiles\W3SVC\ex110813.log"  ' Path to the attacked site's log file.

Set fileobj = CreateObject("Scripting.FileSystemObject")
Set myfile = fileobj.OpenTextFile(logfilepath, 1, False)  ' 1 = ForReading

Do While Not myfile.AtEndOfStream
    myline = myfile.ReadLine()
    ' Skip W3C directive lines (#Software, #Fields, ...) and short records.
    If Left(myline, 1) <> "#" Then
        myline2 = Split(myline, " ")
        If UBound(myline2) >= 9 Then
            ' Column positions follow the log's #Fields line; adjust them
            ' if this server logs a different set of fields.
            newip = myline2(9)  ' client IP address
            myurl = myline2(5)  ' requested URL
            If targeturl = myurl Then
                writelog newip
            End If
        End If
    End If
Loop

myfile.Close
Set myfile = Nothing
MsgBox "結束."

' Append one IP address to blockip.txt.
Sub writelog(errmes)
    ipfilename = "blockip.txt"
    Set logfile = fileobj.OpenTextFile(ipfilename, 8, True)  ' 8 = ForAppending
    logfile.WriteLine errmes
    logfile.Close
    Set logfile = Nothing
End Sub
' Code end
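
The same analysis as an added Python example (not part of the original page): it reads the column positions from the log's `#Fields:` directive instead of fixed indexes and counts requests per IP, so that only addresses at or above a threshold are listed. It goes beyond the script above by handling a redeclared field layout and truncated records; the function names, the threshold and the sample log are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C extended log format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2011-08-13 00:00:01 GET /archives/2761.html 203.0.113.7 200
2011-08-13 00:00:01 GET /archives/2761.html 203.0.113.7 200
2011-08-13 00:00:02 GET /Archives/2761.html 203.0.113.7 200
2011-08-13 00:00:05 GET /archives/2761.html 198.51.100.23 200
2011-08-13 00:00:06 GET /index.html 203.0.113.7 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-08-13 00:10:00 192.0.2.44 GET /archives/2761.html 200
2011-08-13 00:10:01 192.0.2.44 GET /archives/2761.html 200
2011-08-13 00:10:01 192.0.2.44 GET /archives/2761.html 200
2011-08-13 00:10:02 192.0.2.44 GET /archives/27
"""


def count_hits(lines, target_url):
    """Count requests per client IP for target_url in W3C extended log lines."""
    fields, hits = [], Counter()
    target = target_url.lower()  # assumption: URL paths are matched case-insensitively
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout; may be redeclared mid-file
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no requests
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # truncated or malformed record, or no #Fields seen yet
        row = dict(zip(fields, cols))
        if "c-ip" in row and row.get("cs-uri-stem", "").lower() == target:
            hits[row["c-ip"]] += 1
    return hits


def suspicious_ips(lines, target_url, threshold):
    """Return IPs with at least `threshold` hits on target_url, busiest first."""
    hits = count_hits(lines, target_url)
    return [ip for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG.splitlines(), "/archives/2761.html", 3):
        print(ip)
```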
 

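  If the IP addresses found by the analysis look abnormal, a program can add them in bulk to the IIS deny list. Below is a piece of VBScript code found online; save it with a .vbs extension and import the IP addresses produced by the program above to block the attackers' IP addresses in bulk.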

' Code start
'/*=========================================================================
' * Intro    Use ADSI from VBScript to bulk-add denied or allowed IPs in IIS
' * FileName VBScript-ADSI-IIS-Add-Deny-Grant-IP-Change-MetaBase.xml.vbs
' *==========================================================================*/
'AddDenyIP2All "192.168.1.106,255.255.255.0"
'AddDenyIP "123456","127.0.0.1"
'AddDenyIP2All "14.113.226.116"

' Add an IP address or a group of computers to the deny list of one specific site
Sub AddDenyIP(strWebNo, strDenyIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC/" & strWebNo & "/Root")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = True
IPList = MyIPSec.IPDeny
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strDenyIp
MyIPSec.IPDeny = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
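' Add an IP address or a group of computers to the deny list in the IIS global configuration, so that it applies to all sites
' If some sites were previously given their own IP deny settings, this setting will not take effect for them; set it on the master web site node and then override all child nodes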
Sub AddDenyIP2All(strDenyIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = True
IPList = MyIPSec.IPDeny
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strDenyIp
MyIPSec.IPDeny = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
' Add an IP address or a group of computers to the allow list of one specific site
Sub AddGrantIP(strWebNo, strGrantIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC/" & strWebNo & "/Root")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = False
IPList = MyIPSec.IPGrant
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strGrantIp
MyIPSec.IPGrant = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
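' Add an IP address or a group of computers to the allow list in the IIS global configuration, so that it applies to all sites
' If some sites were previously given their own IP deny settings, this setting will not take effect for them; set it on the master web site node and then override all child nodes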
Sub AddGrantIP2All(strGrantIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = False
IPList = MyIPSec.IPGrant
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strGrantIp
MyIPSec.IPGrant = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
' List the IP addresses denied access in the IIS global configuration
Sub ListDenyIP()
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
IPList = MyIPSec.IPDeny ' IPGrant/IPDeny
WScript.Echo Join(IPList, vbCrLf)
' For i = 0 To UBound(IPList)
' WScript.Echo i + 1 & "-->" & IPList(i)
' Next
End Sub
 


