Blocking Malicious Bots with IIS

TL;DR

In this post I'll show you how to block most malicious bots from hitting your Sitecore site with one simple IIS configuration change (hackers hate it!).

The Backstory

I'm a bit of a vigilante when it comes to crime, hackers, malicious bots, scams, and spam. The words of Vincent Vega from Pulp Fiction forever echo in my head:

I wish I could have caught him doin' it. I'd have given anything to catch that ***hole. It'd been worth him doing it just so I could've caught him doing it.

Professionally, I've also had the privilege (or curse) of observing bot behavior regularly for years.

Every Sitecore site is constantly being scanned by bots. Launching a new Sitecore site? Prepare for an onslaught of bots scanning for WordPress and PHP vulnerabilities, causing noise in the Sitecore logs. I've seen this happen on every single Sitecore site I've launched. It's a rite of passage. And surprisingly, Sitecore sites are STILL being launched that are not guarded by a WAF. Even with a WAF, there is a chance that bots will hit your server if you have any public endpoints that aren't secured.

Why Even Try Blocking Bots?

Aside from the obvious security benefits, there are a handful of reasons:

  • Reduce server load
  • Improve performance (exception handling is expensive)
  • Reduce log noise (and make it easier to find real issues)
  • Reduce the risk of hitting your Application Insights log quota (if using Azure)
  • Free the bots up to scan other sites (wait...)

The Clues

The common error messages you're going to see are:

  • Potentially dangerous request. Request.Path value was detected from the client
  • Server cannot set status after HTTP headers have been sent
  • A potentially dangerous Request.RawUrl value was detected from the client
  • The required anti-forgery cookie "__RequestVerificationToken" is not present.

Legitimate users can still trigger these errors, but if you're seeing a lot of them, it's probably bots.

The IIS Config Change

The vast majority of malicious bots can be blocked with a simple modification to your IIS configuration. We are going to apply the change server-wide, meaning that all sites will be affected by this. Before you make this change, you should review your logs to see if there are any legitimate requests in your specific use case(s) that could be blocked by this change.

We will use the IIS URL Rewrite Module to abort requests containing paths or query strings that are known to be malicious. The list of paths and query strings is not exhaustive, but it's a good start.

The file to modify is: C:\Windows\System32\inetsrv\config\applicationHost.config

Note that saving the file will cause IIS to restart, so you may want to do this during a maintenance window.

applicationHost.config

<system.webServer>
  <rewrite>
    <globalRules>
      <!-- Do not leave this rule with an empty <conditions> block: url="*" with no conditions
           would abort every request. The placeholder pattern below never matches a real address,
           so the rule stays inert until you replace it with an IP to block. -->
      <rule name="Block known malicious IPs" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
          <add input="{REMOTE_ADDR}" pattern="x.xxx.xx.xxx" />
        </conditions>
        <action type="AbortRequest" />
      </rule>
      <!-- No patternSyntax means ECMAScript regex, matched case-insensitively anywhere in the
           URL path. IIS passes the path without its leading slash, so patterns that start with
           \/ only match that segment when it is not at the site root. -->
      <rule name="Block known malicious paths" stopProcessing="true">
        <match url="ajaxprocessor\.jsp|cgi-bin\/login\.cgi|af\.internalsubmit\.json|ekajaxtransform\.aspx|poc\.jsp|lucee\/admin\/imgProcess\.cfm|\/MUP\/|\/etc\/passwd|\.php|\/cgi-bin\/|trace\.axd|CMSPages\/Staging\/SyncServer\.asmx\/ProcessSynchronizationTaskData|Telerik\.Web\.UI\.WebResource\.axd|php-cgi" />
        <action type="AbortRequest" />
      </rule>
      <rule name="Block known malicious query strings" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
          <!-- All are case insensitive. {QUERY_STRING} is the raw, still URL-encoded query
               string, which is why the encoded and unencoded <script> forms each get a pattern. -->
          <add input="{QUERY_STRING}" pattern="*&lt;script>*" />
          <add input="{QUERY_STRING}" pattern="*%3Cscript%3E*" />
          <add input="{QUERY_STRING}" pattern="*&lt;svg/onload*" />
          <add input="{QUERY_STRING}" pattern="*base64_decode*" />
          <add input="{QUERY_STRING}" pattern="*shell_exec*" />
          <!-- Use your imagination to add more common linux commands -->
        </conditions>
        <action type="AbortRequest" />
      </rule>
    </globalRules>
  </rewrite>
</system.webServer>

Instead of returning 403s or 404s, abort the request. Doing so returns the least amount of information possible as to why the request wasn't processed successfully. GHOST those bots! It will also prevent bot traffic from hitting your custom 404 page, which can keep analytics numbers more accurate.
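The post recommends reviewing your logs for legitimate requests before enabling the rules. The script below is an added example, not part of the original post: it replays the path regex and the wildcard query-string patterns from the config above over W3C-format IIS log lines (a constructed sample, not real traffic) and lists every request the rules would have aborted, so a 200 on a real page shows up before the rule goes live. The "Going Further" patterns can be audited the same way by appending them to the two lists. Assumed: the log's #Fields: header includes cs-uri-stem, cs-uri-query, c-ip and sc-status.

```python
import re
# Path regex copied from the "Block known malicious paths" rule (deduplicated). IIS matches an
# unanchored <match url> anywhere in the path, case-insensitively, without the leading slash.
MALICIOUS_PATH_RE = re.compile(
    r"ajaxprocessor\.jsp|cgi-bin\/login\.cgi|af\.internalsubmit\.json|ekajaxtransform\.aspx"
    r"|poc\.jsp|lucee\/admin\/imgProcess\.cfm|\/MUP\/|\/etc\/passwd|\.php|\/cgi-bin\/|trace\.axd"
    r"|CMSPages\/Staging\/SyncServer\.asmx\/ProcessSynchronizationTaskData"
    r"|Telerik\.Web\.UI\.WebResource\.axd|php-cgi", re.IGNORECASE)

# Query-string patterns from the "Block known malicious query strings" rule (IIS Wildcard syntax).
QUERY_WILDCARDS = ["*<script>*", "*%3Cscript%3E*", "*<svg/onload*", "*base64_decode*", "*shell_exec*"]

def wildcard_to_regex(pattern):
    """Translate IIS Wildcard syntax (* = any run, ? = one char, rest literal) to an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)

QUERY_REGEXES = [wildcard_to_regex(p) for p in QUERY_WILDCARDS]

def would_abort(uri_stem, query):
    """Return 'path', 'query' or None: which rule (if any) would AbortRequest this request."""
    if MALICIOUS_PATH_RE.search(uri_stem.lstrip("/")):
        return "path"
    if query != "-" and any(rx.match(query) for rx in QUERY_REGEXES):  # "-" = empty in W3C logs
        return "query"
    return None

def audit_w3c_log(log_text):
    """Return (c-ip, path, status, reason) for every logged request the rules would have aborted."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order comes from the header, so any layout works
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            reason = would_abort(rec["cs-uri-stem"], rec.get("cs-uri-query", "-"))
            if reason:
                hits.append((rec["c-ip"], rec["cs-uri-stem"], rec.get("sc-status"), reason))
    return hits

# Constructed sample log, not real traffic. The last line is a legitimate 200 whose slug happens
# to contain "php-cgi": exactly the collateral damage the pre-deployment log review should surface.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:00 GET /wp-login.php - 203.0.113.10 404
2024-01-01 10:00:01 GET /sitecore/api/layout/render/jss item=/&sc_lang=en 198.51.100.7 200
2024-01-01 10:00:02 GET /search q=%3Cscript%3Ealert(1)%3C/script%3E 203.0.113.11 500
2024-01-01 10:00:03 GET /blog/php-cgi-vs-aspnet - 198.51.100.8 200"""

if __name__ == "__main__":
    for hit in audit_w3c_log(SAMPLE_LOG):
        print(hit)  # last one: ('198.51.100.8', '/blog/php-cgi-vs-aspnet', '200', 'path')
```

Point it at a real log export (`audit_w3c_log(open(path).read())`) and sort the hits by status: 200s are the requests to look at twice before you deploy.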

The rules can also be viewed and edited in IIS Manager: select the server node, open the URL Rewrite module, and the global rules are listed there.

Going Further

If you don't have a WAF, get one. Otherwise, here are some more untested ideas from my friend ChadGBD:

Additional paths for the <match url> of the "Block known malicious paths" rule (regex; the match is case-insensitive by default, so one spelling of each entry is enough):

<match url="wp-login\.php|admin\.asp|\.env|\.git|cfide\/administrator|phpmyadmin|jmx-console|manager\/html|mysql\/admin|sqladmin|webadmin|webdb|websql|phpmanager|php-myadmin|phpmy-admin|pma2005|web-console|server-status|server-info|\.bak|\.backup|\.db|\.sql" />

Additional conditions for the "Block known malicious query strings" rule. These use Wildcard syntax, so only * and ? are special (no regex escapes or .*), and they are matched against the raw, URL-encoded query string:

<add input="{QUERY_STRING}" pattern="*passwd*" />
<add input="{QUERY_STRING}" pattern="*echo*base64*" />
<add input="{QUERY_STRING}" pattern="*wget http*" />
<add input="{QUERY_STRING}" pattern="*curl http*" />
<add input="{QUERY_STRING}" pattern="*chmod +x*" />
<add input="{QUERY_STRING}" pattern="*cmd=*" />
<add input="{QUERY_STRING}" pattern="*exec=*" />
<add input="{QUERY_STRING}" pattern="*eval(*" />
<add input="{QUERY_STRING}" pattern="*concat(*" />
<add input="{QUERY_STRING}" pattern="*union select*" />
<add input="{QUERY_STRING}" pattern="*drop table*" />
<add input="{QUERY_STRING}" pattern="*update*set*" />

Have a good day (unless you're a hacker) and keep slapping those bots.

-MG
