SirAndy |
Post
#1
Resident German; Group: Admin; Posts: 42,245; Joined: 21-January 03; From: Oakland, Kalifornia; Member No.: 179; Region Association: Northern California
sooo, on one (actually 2) of our servers running IIS, we get a lot of hack attempts lately. they're all of the same type, buffer overflow attacks on port 80.

i have all the latest security patches (Windows NT 4) and they are NOT compromising the box, that's the good news. the bad news is that lately the type of attack has slightly changed and now they succeed in crashing IIS!

so here's the problem: this box (or 2) runs important eCommerce websites for me, so closing port 80 or moving to another port is NOT an option. moving to another OS is NOT an option. banning IPs is NOT an option (most of those kids are on dialup DSL, so i would have to block a whole range, most likely cutting out legit customers).

how can i run those websites without having IIS die on me a couple of times a day? the only thing i can think of is to implement some sort of content filtering that removes malicious code before it gets to the web-server. anyone here who has a running example of a setup like that? what (good) firewalls have that sort of filtering and how much do they cost?

i'm at the end of the rope here ...

Andy
SirAndy |
Post
#21
QUOTE(Gint @ May 27 2004, 05:46 AM)
I've told ya before Andy, I'm no Windoze 'spert, but ditch IIS. If I'm not mistaken, you can load Apache on NT, can't ya? At least that way you have a snowball's chance in hell of getting updates at least for your web server.

can't do that. the site uses ASP. a lot. like over 100,000 lines of code. plus it uses various ActiveX components. i'm not going to redo all that just to switch ...

Andy

PS.: i *think* i got it under control for now. the file permission issue was kind of a PITA, but that is working again. the urlscan filter seems to be working. fingers crossed ...

thanks guys for all the help!
SirAndy |
Post
#22
i am truly baffled by the amount of hack-attempts on this server.

today alone so far (and it's only 10:50 am !) we had a whopping 2264 malformed URLs trying to hack into the system ... aren't those kids supposed to be in school right now?

Andy
kafermeister |
Post
#23
Senior Member; Group: Members; Posts: 778; Joined: 20-January 03; From: Cincinnati/Northern KY; Member No.: 174
Wow Andy. Sorry to see all the problems. Hope you got it under control. I would have to concur that IIS5 or some type of IDS system would benefit your eCommerce environment.

One of the guys here was mentioning something about an appliance that goes between your web server and the outside world that filters much/many of the IIS specific exploits. I'll try to find out what it is if you're interested in looking it up.

Rick
fiid |
Post
#24
Turbo Megasquirted Subaru Member; Group: Members; Posts: 2,827; Joined: 7-April 03; From: San Francisco, CA; Member No.: 530; Region Association: Northern California
QUOTE(SirAndy @ May 27 2004, 09:53 AM)
i am truly baffled by the amount of hack-attempts on this server. today alone so far (and it's only 10:50 am !) we had a whopping 2264 malformed URLs trying to hack into the system ... aren't those kids supposed to be in school right now?
Andy

My Apache on Linux server also has to put up with numerous IIS compromise attempts per minute. I would never consider putting a Windows or IIS box directly on the net. The on-box firewalls for Windows help a lot, and you can certainly improve your situation a lot, but until you get your Windows machine behind another firewall machine you can't call it secure, mainly because you just don't know what that code is doing. Microsoft has been proven in past performance to ignore some security violations in their code. At least if it's open source, you can fix it yourself, or hire someone to fix it for you.

Let me know if I can help at all.

l8r, Fiid.
fiid |
Post
#25
Oh - and by "directly on the net" I mean "with a routable IP address". Put it on 192.168.x.x or 10.x.x.x - that way there's no direct path to the machine from the outside, nor can there be unless you specifically configure it.
fiid |
Post
#26
In addition - if you are running 2 IIS servers - putting the right thing in front of it will allow you to do load balancing and failover in addition to filtering of security risks.

This means you can keep your site up and running when you have a blue screen of death situation, or anything else happens that causes one of your servers to not be running anymore.

l8r, Fiid.
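
The thread keeps returning to filtering requests before they reach IIS (the urlscan filter, an appliance or proxy in front of the servers). As an added example, not posted by anyone in the thread and not the code of any product named in it, here is a sketch of the kind of request-line screening such a filter performs. The verb list, length limits, deny sequences and sample requests are assumed, constructed values.

```python
from collections import Counter
from urllib.parse import unquote

# Assumed policy values for illustration; tune them to the application.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_PATH_LEN = 260
MAX_QUERY_LEN = 2048
DENY_IN_PATH = ("..", "./", "\\", ":", "%")  # checked after one decoding pass

def screen_request(request_line):
    """Return "allow" or "reject: <reason>" for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "reject: malformed request line"
    verb, target, _version = parts
    if verb not in ALLOWED_VERBS:
        return "reject: verb not allowed"
    path, _, query = target.partition("?")
    if len(path) > MAX_PATH_LEN:
        return "reject: path too long"  # overlong URLs never reach the server
    if len(query) > MAX_QUERY_LEN:
        return "reject: query too long"
    # latin-1 maps every decoded byte to one character, so high-bit bytes
    # (for example overlong UTF-8 encodings) stay visible to the check below.
    decoded = unquote(path, encoding="latin-1")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in decoded):
        return "reject: non-printable or high-bit character in path"
    for seq in DENY_IN_PATH:
        if seq in decoded:  # a leftover "%" means the path was double-encoded
            return f"reject: denied sequence {seq!r} in path"
    return "allow"

def summarize(request_lines):
    """Tally verdicts, e.g. for a daily count of rejected requests."""
    return Counter(screen_request(line) for line in request_lines)

# Constructed sample request lines (not taken from the thread).
SAMPLE = [
    "GET /shop/cart.asp?item=42&qty=1 HTTP/1.0",
    "GET /" + "A" * 4000 + ".asp HTTP/1.0",
    "TRACE / HTTP/1.0",
    "GET /shop/..%2f..%2fsecret.txt HTTP/1.0",
    "GET /a%255cb HTTP/1.0",
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).items():
        print(count, verdict)
```

Rejecting on length and character set before the request is handed to the web server is what keeps an oversized or malformed URL from reaching the vulnerable parser at all, which is the crash scenario described in the first post.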