Ask the Expert

Locking IP address when SSL login is entered incorrectly

Is there anyway to lock an IP address when Secure Sockets Layer (SSL)login has been wrongly entered for a certain times?

    Requires Free Membership to View

No. There's no way built into IIS. There are a couple of alternatives that may meet your needs.

The simplest is to have Web users authenticate to NT4 or Windows 2000 user accounts, and enable password lockouts. After x number of unsuccessful authentication attempts, the password will be locked out. This solution doesn't block a user's IP address, however, so it doesn't completely meet your needs.

It's also possible to create an ISAPI filter that intercepts incoming HTTP requests and counts the number of times requests from a given IP address include authentication information. If a specific address is attempting a brute-force attack, this ISAPI filter could manipulate the IIS metabase and institute Source-IP Filtering for that address. This meets your needs, but you'll have to do some coding.


This was first published in February 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: