When Written: Feb 2009

Server Defender can make the life of an IIS administrator much easier
Hosting web sites can seem like easy money. Just stick some files on a server and charge your customer a monthly fee. Easy stuff, but like a lot of things that appear easy to the uninitiated, a lot of extra work is often done behind the scenes to keep this running smoothly. There are a lot of tools out there to help this process, but what happens when you think someone is trying to hack a web site hosted on one of your servers? Obviously we could just gather the log files and analyse them ourselves, but with a busy site these log files can be large and contain millions of lines, making this quite a task, so anything that helps is most welcome.
The other day I came across a tool that not only alerts you to possible attacks but will also block them. Server Defender from Port80 (www.port80software.com) installs on a box running IIS 5 or 6 (there is a version for IIS7 being developed) and monitors all the requests going to the websites held on that server. Depending on the settings, if it detects an attempted hack, possibly via code injection into the URL string, it will either alert you or automatically block the IP. The software displays a table of all the alerts it has detected, and you can mark them as ‘safe’ or block the IP address that they are coming from. The detection engine not only checks for known types of attack and blocks character sets that are known to appear in attacks, but it also uses a ‘behavioural engine’, rather like an anti-virus program, to try to detect attacks that it does not currently know about. Server Defender is a great piece of software to run on a server that is hosting web sites built by others, as you don’t have control over their code. Set it to alert only, monitor what it reports, and then advise your clients where their code is allowing a possible vulnerability.
The ability to block an IP address with a single click is very useful, as an attacker will often try several things, and this is easily spotted because you will see several alerts all about the same IP address. Server Defender will also report on requests rejected by Microsoft’s free IIS plug-in, UrlScan. This saves looking through another set of logs to keep an eye on the health of your server. Server Defender is a great tool and is worth checking out. They have a 30-day evaluation version on their web site for download. I was so hooked on what it was doing that I paid real money to renew my licence when my 30-day trial ran out.
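The manual alternative mentioned earlier, analysing the IIS log files yourself and looking for several suspicious requests from the same IP address, can be sketched as follows. This is an added example, not Port80's code or Server Defender's detection logic; the patterns, the sample log and the function names `parse_w3c` and `alerts_by_ip` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Illustrative patterns only: an assumption of this example, not Server Defender's rules.
SUSPICIOUS = re.compile(r"('|--|<script|\.\./|\bunion\b.+\bselect\b|xp_cmdshell)", re.I)

# Constructed sample in IIS W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-02-01 10:00:01 GET /default.asp - 192.0.2.10 200
2009-02-01 10:00:05 GET /product.asp id=5 198.51.100.7 200
2009-02-01 10:00:09 GET /product.asp id=5'%20OR%201=1-- 203.0.113.9 500
2009-02-01 10:00:12 GET /product.asp id=5+UNION+SELECT+name+FROM+sysobjects 203.0.113.9 500
2009-02-01 10:00:15 GET /view.asp file=..%2F..%2Fboot.ini 203.0.113.9 404
2009-02-01 10:00:20 GET /search.asp q=%3Cscript%3Ealert(1)%3C/script%3E 198.51.100.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))

def alerts_by_ip(text, threshold=2):
    """Return {client_ip: [suspicious requests]} for IPs with >= threshold hits."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        query = unquote_plus(row.get("cs-uri-query", "-"))  # decode %xx and '+'
        if query != "-" and SUSPICIOUS.search(query):
            hits[row["c-ip"]].append(row["cs-uri-stem"] + "?" + query)
    return {ip: reqs for ip, reqs in hits.items() if len(reqs) >= threshold}

if __name__ == "__main__":
    for ip, reqs in alerts_by_ip(SAMPLE_LOG).items():
        print(ip, "-", len(reqs), "suspicious requests")
        for req in reqs:
            print("   ", req)
```

Patterns this broad also match legitimate input, such as a surname containing an apostrophe, so the output is a list to review rather than a block list.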
Article by: Mark Newton
Published in: Mark Newton