Configuration File [Website] - phbits/WebsiteFailedLogins GitHub Wiki
[Website] FriendlyName
Friendly name of the website being monitored. Can be any string matching the regex: "^[a-zA-Z0-9-_\. ]{1,50}$". This value is logged in the message body, allowing easier identification of the monitored website.
Example Values
FriendlyName = www.domain.com
FriendlyName = Main Website 1
[Website] Sitename
The sitename of a website is logged in the IIS log field s-sitename. This value is used to identify the target website since multiple host headers and/or IP addresses can be bound to it.
The PowerShell cmdlet Get-IISSite will show the ID for each website. That ID can be appended to W3SVC to create the Sitename.
As an example, a website with ID = 1 would have Sitename = w3svc1.
Example Value
Sitename = W3SVC1
[Website] Authentication
Choose one of the following three options for Authentication.
Basic
This method of authentication occurs in the browser via request/response headers and will generate an HTTP 401 response when authentication fails. Authentication credentials are included in every request as base64-encoded values.
Windows
Like basic authentication, this technique occurs in the browser via request/response headers and generates an HTTP 401 when authentication fails. NTLM is used almost exclusively since Kerberos requires additional server-side configurations and KDC accessibility.
Forms
Authentication is handled solely by the website/application and is often implemented by the developer, so how Forms authentication is implemented can vary widely. For this reason, an additional configuration setting needs to be specified: UrlPath. Additionally, authentication attempts must use an HTTP POST (IIS log field cs-method) when clients submit login credentials.
Unconventional Methods
If the prior three authentication methods don't work, a custom Logparser query can be used to properly identify login requests. Just open a new Issue.
Example Values
Authentication = Basic
Authentication = Windows
Authentication = Forms
[Website] HttpResponse
When a failed login occurs, the HTTP response code (IIS log field sc-status) must be specified here. For Basic and Windows authentication it will most likely be 401. Forms should also be 401, though it could be different based on implementation.
Example Value
HttpResponse = 401
[Website] UrlPath
Only necessary if Authentication = Forms. Specify the URL path (IIS log field cs-uri-stem) where credentials are submitted for authentication.
Since implementations of Forms Authentication can vary, specifying the URL path helps identify failed logins when HTTP response codes are nonstandard.
NOTE: Forms authentication must use an HTTP POST (cs-method) when submitting login credentials.
Example Value
UrlPath = /login.aspx
[Website] LogPath
Folder containing the IIS logs for the target website. If the environment is a web server farm, specify the parent folder containing IIS logs from each server. Logparser will recursively search the provided directory. The example value is configured as LogPath = D:\inetpub\logs\LogFiles\W3SVC1, so IIS logs from all servers should be subfolders as shown below.
W3SVC1
├───Server1
├───Server2
└───Server3
This setting has the greatest impact on performance. While Logparser is very fast, providing it gigabytes upon gigabytes of logs will slow it down. For more information read Performance.
Example Value
LogPath = D:\inetpub\logs\LogFiles\W3SVC1
[Website] FailedLoginsPerIP
The number of failed logins from a single IP address having occurred since the StartTime that will trigger an alert.
Example Value
FailedLoginsPerIP = 20
[Website] TotalFailedLogins
The total number of failed logins having occurred since the StartTime that will trigger an alert.
This technique is useful for identifying failed logins where multiple IP addresses operate at a threshold below what is set for FailedLoginsPerIP. Depending on how thresholds are set, TotalFailedLogins could be triggered by a single IP address or many. Check out Investigate TotalFailedLogins for more information.
Example Value
TotalFailedLogins = 100
[Website] StartTime
Number of seconds to subtract from the time the script is launched to establish the StartTime. Any requests from that point forward will be included. Since IIS logs in UTC, all timestamps use UTC as well.
For example, if StartTime = 1800 (30 minutes), StartTime will be calculated using: (Get-Date).ToUniversalTime().AddSeconds(-1800)
It is recommended to set this value so that there is overlap with prior invocations. Suppose WebsiteFailedLogins is launched every 10 minutes (600 seconds); then using StartTime = 1800 provides sufficient overlap by including logs from the last three times WebsiteFailedLogins was launched. While this may cause an IP to be flagged multiple times for the same traffic, it ensures failed logins are calculated across each time the module is launched and aims at preventing traffic from flying under the radar.
Example Value
StartTime = 1800
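The following PowerShell is an added example, not the module's own code (the module queries the logs with Logparser). It shows how Sitename, Authentication, HttpResponse, UrlPath and StartTime together select failed logins and how the two thresholds are then evaluated. The $cfg table, the sample log lines and their field order, the lowered thresholds, and the way the filters are combined are assumptions made for illustration.

```powershell
# Added example, not the module's code (WebsiteFailedLogins queries the logs with Logparser).
# [Website] settings from this page; the two thresholds are lowered to fit the sample.
$cfg = @{ Sitename = 'W3SVC1'; Authentication = 'Forms'; HttpResponse = 401
          UrlPath = '/login.aspx'; FailedLoginsPerIP = 3; TotalFailedLogins = 5; StartTime = 1800 }

# Constructed sample log (UTC). The field order is an assumption; real IIS logs declare it in "#Fields:".
$fields = 'date','time','s-sitename','cs-method','cs-uri-stem','c-ip','sc-status'
$log = @'
2024-05-01 11:20:00 W3SVC1 POST /login.aspx 192.0.2.10 401
2024-05-01 11:41:05 W3SVC1 POST /login.aspx 192.0.2.10 401
2024-05-01 11:41:09 W3SVC1 POST /login.aspx 192.0.2.10 401
2024-05-01 11:41:12 W3SVC1 POST /login.aspx 192.0.2.10 401
2024-05-01 11:45:00 W3SVC1 GET /login.aspx 198.51.100.7 401
2024-05-01 11:46:30 W3SVC1 POST /login.aspx 198.51.100.7 401
2024-05-01 11:50:02 W3SVC1 POST /login.aspx 203.0.113.25 401
2024-05-01 11:52:40 W3SVC1 POST /login.aspx 203.0.113.25 200
2024-05-01 11:55:00 W3SVC2 POST /login.aspx 203.0.113.25 401
'@ -split "`r?`n"

# Fixed clock so the sample is reproducible; a live run would use (Get-Date).ToUniversalTime().
$now   = [datetime]::new(2024, 5, 1, 12, 0, 0, [DateTimeKind]::Utc)
$start = $now.AddSeconds(-1 * $cfg.StartTime)
$utc   = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'

# Keep the client IP of every request that matches the failed-login definition.
$failed = @(foreach ($line in $log) {
    if (-not $line -or $line.StartsWith('#')) { continue }
    $v = $line -split ' '
    $r = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $r[$fields[$i]] = $v[$i] }
    $when = [datetime]::ParseExact("$($r.date) $($r.time)", 'yyyy-MM-dd HH:mm:ss',
                                   [cultureinfo]::InvariantCulture, $utc)
    if ($when -lt $start) { continue }                             # before the StartTime window
    if ($r['s-sitename'] -ne $cfg.Sitename) { continue }           # a different website
    if ([int]$r['sc-status'] -ne $cfg.HttpResponse) { continue }   # not the failed-login status
    if ($cfg.Authentication -eq 'Forms' -and                       # Forms: POST to UrlPath only
        ($r['cs-method'] -ne 'POST' -or $r['cs-uri-stem'] -ne $cfg.UrlPath)) { continue }
    $r['c-ip']
})

# Assumption: an alert fires when a count reaches the configured threshold (>=).
$failed | Group-Object | Where-Object { $_.Count -ge $cfg.FailedLoginsPerIP } | ForEach-Object {
    "FailedLoginsPerIP: $($_.Name) has $($_.Count) failed logins since $($start.ToString('u'))"
}
if ($failed.Count -ge $cfg.TotalFailedLogins) {
    "TotalFailedLogins: $($failed.Count) failed logins since $($start.ToString('u'))"
}
```

In the sample, one address reaches FailedLoginsPerIP on its own, while TotalFailedLogins is reached only by adding the addresses that stay below the per-IP threshold.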