How to configure HTTP vulnerability scan protection. HTTP Detection Engine Settings. HTTP server protection.
RdpGuard
Intrusion prevention system for your Windows Server
 
Follow:
Twitter
Telegram
Facebook
RSS

HTTP Vulnerability Scan Protection


Protection Overview

RdpGuard protects your HTTP server from vulnerability scan attempts. It monitors web server logs to find requests that may indicate vulnerability scan attempts and temporarily blocks source IP addresses if the number of requests reaches a set limit.

HTTP protection is based on the detection engine that uses a set of detection rules to determine if a request is a scan attempt.


To enable and configure HTTP protection

1. Start RdpGuard Dashboard and click the link next to HTTP

http protection link

HTTP Protection Link in RdpGuard Dashboard

The HTTP Protection Settings dialog will open:

http detection engine settings

HTTP Detection Engine Settings

IIS log directores

You can specify one or multiple IIS log directories for monitoring. IIS logs are usually located in C:\inetpub\logs\LogFiles

select IIS log directories

Select IIS log directories for monitoring


Detection Rules

Detection rules are set of key-value pairs with wildcards support. Each rule must start from the new line.

For example: 

key[equality-operator]value,key[equality-operator]value
key[equality-operator]value,key[equality-operator]value
Supported equality operators are: = (equals) and != (not equals)

For example: 

key1=value1, key2!=value2
key3=value3, key2=value4
key4=*value5
If log line details match any of the rules, the log line considered as scan attempt and source IP address is reported to RdpGuard Core, i.e. the Logical OR applies to the rules

Rule may contain any number of conditions separated by comma, the line matches the rule if all conditions are match, i.e. the Logical AND applies to rule conditions.

So, the example above will be interpreted as - treat log line as scan attempt if (key1 equals value1 and key2 not equals value2) OR (key3 equals value3 and key2 equals value4) OR (key4 ends with value5)

Supported keys are:

  • Method
  • Uri
  • Query
  • UserName
  • UserAgent
  • Referer
  • Status

Threshold

You can also apply the Threshold condition to the rule. This optional condition can be useful if you do not want to treat each rule match as scan attempt.

For example rule based on the HTTP Status code - this rule can be used to detect most of the scan attempts, because all they usually result to log entries with HTTP 404 status code.

But it might be not wise to threat each 404 hit as scan attempt (regular visitors may just misprint the page address or follow the obsolete link, if they do this 3 times they will be blocked, this is probably not what you want.

But repeating 404 requests may indicate vulnerability scan, so we may configure the engine to threat each ten 404 requests as one scan attempt and this is what the Threshold variable for.

For this reason we may omit the Threshold condition for Uri based rules, for example if someone is trying to open the /wp-login.php page (and we know that our website is not Wordpress based, so there is no such a page) this is most likely the scan attempt, so HTTP engine should report it immediately to RdpGuard Core.

Sample Rules

You can use the following example as a reference: 


Status=404,Threshold=15

Uri=*/.aws*
Uri=*/.env*
Uri=*/.git*
Uri=*/.hg/*
Uri=*/.svn*
Uri=*/.vscode*

Uri=/*.bz2
Uri=/*.tar.gz
Uri=/*.tgz
Uri=/*.7z
Uri=/*.zip, Uri!=/download/*
Uri=/*.rar

Uri=*/wp-content/*
Uri=*/wp-admin/*
Uri=*/wp-includes/*
Uri=*/wp-json/*
Uri=*/wp-config*
Uri=*/wp-login.php*

Uri=*/admin*
Uri=*/cgi-bin*
Uri=*/phpmyadmin*
Uri=*/webadmin*
Uri=*/wordpress*
Uri=*/plus/*
Uri=*/passwd*
Uri=*/uploads/*
Uri=*/phpunit/*

Uri=*webshell*

Uri=*login.php*
Uri=/info.php
Uri=/user.php
Uri=/type.php
Uri=*guestbook.php*
Uri=*xmlrpc.php*
Uri=*ofc_upload_image.php*

Uri=*ajax.js*
Uri=*login.action*

Advanced Settings

Clicking the "advanced settings" link will open the Advanced HTTP Settings dialog where you can configure additional HTTP protection settings.

http detection engine settings

Advanced HTTP Detection Engine Settings

Use the X-Forwarded-For field to read client IP address

By default, RdpGuard reads the client IP address from the Client IP field in the IIS log. If your web server is behind a proxy server, you may need to enable this option to read the client IP address from the X-Forwarded-For field.

This option should only be enabled if you are hosting the website behind a proxy.

Note: Proper configuration of your proxy server and IIS logging is required for this feature to work correctly.

Please refer to the Configuring IIS to Detect Source IP Behind a Proxy guide for detailed instructions.

Blocking Requests When Using X-Forwarded-For

When using the X-Forwarded-For option, the default blocking mechanism may not work as expected because banning the real client IP must be done on the proxy level. Without additional configuration, the blocking will not actually occur.

To ensure requests from detected malicious IPs are blocked, you can use IIS IP Restrictions combined with Custom Actions in RdpGuard.

Configuring Custom Actions in RdpGuard

Follow these steps to configure IIS to block IPs based on RdpGuard detections:

  • Ensure that the IP and Domain Restrictions feature is installed in IIS.
  • Enable IIS IP Restrictions to prevent requests from blocked IPs.
  • Use Custom Actions in RdpGuard to dynamically update the IIS IP block list when a new malicious IP is detected.

Configure the following actions in RdpGuard:

IP Blocked Action

  • Task: Execute program
  • Path: c:\Windows\system32\inetsrv\appcmd.exe
  • Arguments: 
    set config /section:system.webServer/security/ipSecurity /+"[ipAddress='%IP%',allowed='false']"

IP Unblocked Action

  • Task: Execute program
  • Path: c:\Windows\system32\inetsrv\appcmd.exe
  • Arguments: 
    set config /section:system.webServer/security/ipSecurity /-"[ipAddress='%IP%']"

With this setup, detected malicious IPs will be automatically added to the IIS IP restrictions list, effectively blocking their requests.

 
RdpGuard 9.9.9 Free Trial

RdpGuard protects:

Social Connection
RdpGuard Logo
 
People like RdpGuard!
Our customers say

"This sotware is really great. It's a relief. Because my server is constantly under attack. Thanks RdpGuard" - Joaquim De Sousa Marques

"Nice product. I used to implement something similiar in a low-tech and cumbersome manner via a script called TSBlock (not mine). This makes it much easier and is well worth the pricetag for SMB's." - J. Johnson

"Absolutely amazed at your product. We are a church in the North Dallas area, and I discovered this morning multiple failed logon attempts via our Remote Access Server. A friend suggested your product, so I immediately downloaded the trial. It had a list of about five blocked IP addresses in minutes, and that was enough to lead me to push the BUY button. Over the past 10-15 minutes the list is now about thirty with at least a third being international attempts to break into our system. Thanks for a great product. You may have just saved us much grief." - John Hallford

"Love the software. RDP on our Windows servers is just ridiculous. We would block it in the router but we have lots of old-time customers that would have issues." - Scott Hirsch

"Love the software! Makes it easier than tailoring VB Scripts!!" - Nick Brennan

"It's a great product - really stopping those RDP attackers :-)" - Dave, UK

"First of all: Your application is very (!!!) useful and I like it very much securing my 2012 R2 server. RdpGuard is the best solution, I found on the market and after 10 minutes of testing it I ordered the fully-featured version. :-)" - Carsten Baltes

Our Other Products
TntDrive
Easily mount Amazon S3 Bucket as a Windows Drive
S3 Browser
Powerful Windows Client for Amazon S3 and Amazon CloudFront
Copyright © 2012-2025 NetSDK Software. All rights reserved.  Terms of Use.  Privacy Policy.