Problem solve Get help with specific problems with your technologies, process and projects.

Locking out an IP-Address after X login attempts

Is there anyway to lock an IP-address when the SSL login has been wrongly entered a specific number of times?

No, there's no way built into IIS. There are a couple of alternatives that may meet your needs though.

The simplest is to have Web users authenticate to NT4 or Windows 2000 user accounts and enable password lockouts. After x number of unsuccessful authentication attempts, the password will be locked out. However, this solution doesn't block a user's IP address so it doesn't completely meet your needs.

It's also possible to create an ISAPI filter that intercepts incoming HTTP requests and counts the number of times requests from a given IP address include authentication information. If a specific address is attempting a brute-force attack, this ISAPI filter could manipulate the IIS metabase and institute Source-IP Filtering for that address. This meets your needs but you'll have to do some coding.

This was last published in March 2001

Dig Deeper on Windows client management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.