This means that someone is trying to get access to your server by attacking ASP.NET websites hosted on the machine.
Even if you have all updates and patches installed, the server may still be at risk.
Less critical, but still significant: these hacking attempts consume your server's resources, including
CPU, RAM, bandwidth and even free disk space (the logs may grow enormously).
RdpGuard may help you stop these hacking attempts
and protect your Windows Web Server by blocking attackers' IP addresses.
For Windows Vista/7/8/8.1/10/11 and Windows Server 2008/2012/2016/2019/2022
To Enable ASP.NET Web Forms Protection
1. Start RdpGuard Dashboard and click on the link next to Web Forms
The ASP.NET Web Forms Protection Dialog will open:
Tick the Enable ASP.NET web forms protection checkbox and click Save
Custom Rules for ASP.NET Web Forms Protection
To protect ASP.NET web forms, RdpGuard monitors the Application event log for events with ID 1309.
These events are written to the log each time .NET detects an error in a web application. Sometimes these errors
may indicate intrusion attempts, and RdpGuard helps you block the IP addresses behind these attempts.
By default RdpGuard processes 1309 Events that match the following criteria:
You may want to extend these rules to process more events that match your specific use cases and setups. Starting from version 7.8.7,
RdpGuard offers this possibility.
You may now override the standard detection rules to include more events for processing.
Please check the rules syntax below.
Detection rules are based on the Event Data content of the events with ID 1309.
The Event Data section for event ID 1309 looks like this:
[Image: XML for Event ID 1309]
You may define custom rules to match specific Data fields in the EventData section.
Each Data field can be referenced by its index number, like EventData1, EventData2 .. EventDataN
The rules are a set of key-value pairs with wildcard support. Each rule must start on a new line.
If the event details match any of the rules, the event is included in further processing, i.e. the OR operator applies to the rules.
A rule may contain any number of conditions separated by commas; the event matches the rule if all conditions match, i.e. the AND operator applies to the rule's conditions.
So, the example above will be interpreted as: include the event if (EventData1 equals 3003 and EventData18 equals HttpRequestValidationException)
OR (EventData1 equals 3005 and EventData18 equals HttpException and EventData19 contains ValidateInputIfRequiredByConfig)
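The OR-across-rules, AND-within-a-rule logic described above can be checked offline before rules are deployed. The following is an added example, not RdpGuard's code: the `key=value` spelling, the `*` wildcard handling via `fnmatch`, and all function names are assumptions made for illustration, and the events are constructed samples.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def event_fields(event_xml):
    """Map EventData1..EventDataN to the text of each <Data> element, in order."""
    data = ET.fromstring(event_xml).findall("e:EventData/e:Data", NS)
    return {f"EventData{i}": (d.text or "") for i, d in enumerate(data, start=1)}

def parse_rules(text):
    """One rule per line; a rule is a list of (field, pattern) conditions.
    Assumed syntax: key=value pairs separated by commas (values without commas)."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            conds = [c.split("=", 1) for c in line.split(",")]
            rules.append([(k.strip(), v.strip()) for k, v in conds])
    return rules

def matches(fields, rules):
    """OR across rules, AND across conditions; a missing field never matches."""
    return any(
        all(k in fields and fnmatch.fnmatchcase(fields[k], pat) for k, pat in rule)
        for rule in rules
    )

def sample_event(values):
    """Constructed 1309 event: 22 <Data> elements, blank except the given indexes."""
    data = "".join(f"<Data>{values.get(i, '')}</Data>" for i in range(1, 23))
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1309</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# The two rules the page describes, written in the assumed syntax.
RULES = """
EventData1=3003, EventData18=HttpRequestValidationException
EventData1=3005, EventData18=HttpException, EventData19=*ValidateInputIfRequiredByConfig*
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    benign = sample_event({1: "3005", 18: "HttpException", 19: "File does not exist."})
    probe = sample_event({1: "3005", 18: "HttpException",
                          19: "at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()"})
    print("benign 404-style error matched:", matches(event_fields(benign), rules))
    print("request validation error matched:", matches(event_fields(probe), rules))
```

Running candidate rules against exported copies of real 1309 events in this way shows which ordinary application errors a broadened rule would also count toward a block.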