In log files from web servers you often find strange requests. For example, requests for wp-login.php on servers that don't have PHP or WordPress installed, or someone requesting the same page over and over. Most of the time this is not a real problem. But it becomes a problem, or at least annoying, when you get hundreds or thousands of these requests from the same IP address.
If I see things like that happening, the first step is to find out where the requests are coming from. For that I would go to certain websites. Based on the outcome I would then block that IP address or even the whole subnet in the firewall. The problem is that some of these websites only allow a limited number of lookups.
To make it easier for myself I created a PowerShell function that uses a REST API to do the lookup.
The function is easy to use. It has one parameter, -IPAddress, that can contain one or more IP addresses. It also accepts pipeline input.
This works well and fast. The only problem is that it also overwrites everything that is already in the RemoteAddress list. To add an IP address you need to get the current value first, then add the new IP address to that value and finally set the new scope.
To make my life easier I created a function to do all this. It is essentially a wrapper around Set-NetFirewallAddressFilter, and you can use it the same way.
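The get, merge and set sequence described above can be sketched as follows. This is an added example, not the author's function: the name Add-FirewallRemoteAddress, the rule name and the sample addresses are assumptions, and it accepts only single addresses and CIDR subnets.

```powershell
# Added example (hypothetical function name): append addresses to a rule's
# RemoteAddress scope instead of overwriting it.
function Add-FirewallRemoteAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$DisplayName,

        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$RemoteAddress
    )
    begin { $new = [System.Collections.Generic.List[string]]::new() }
    process {
        foreach ($entry in $RemoteAddress) {
            # Validate the address part of "a.b.c.d" or "a.b.c.d/nn" before touching the rule.
            $ip, $prefix = $entry -split '/', 2
            $parsed = $null
            if ([System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
                $new.Add($entry)
            } else {
                Write-Error "Not an IP address or subnet: $entry"
            }
        }
    }
    end {
        if ($new.Count -eq 0) { return }
        foreach ($rule in (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop)) {
            $filter = $rule | Get-NetFirewallAddressFilter
            # An unscoped rule reports 'Any'. It cannot be combined with explicit
            # addresses, so it is dropped; the rule then applies only to the list.
            $current = @($filter.RemoteAddress | Where-Object { $_ -ne 'Any' })
            $merged  = @(@($current) + @($new) | Sort-Object -Unique)
            if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Set RemoteAddress to $($merged -join ', ')")) {
                $filter | Set-NetFirewallAddressFilter -RemoteAddress $merged
            }
        }
    }
}

# Constructed sample input (documentation address ranges, hypothetical rule name).
# -WhatIf shows the merged list without changing the rule:
# '203.0.113.7', '198.51.100.0/24' |
#     Add-FirewallRemoteAddress -DisplayName 'Block bad hosts' -WhatIf
```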
For security reasons some administrators want to hide what web server they are using. Personally I am not convinced that it would stop hackers from attacking your server. But it is good practice to expose as little information as possible, and security audits also require that these pieces of information are not exposed in the response headers.
In this post I will show you how to disable some common and not so common headers in Windows Server 2016 and higher. In the examples I disable the headers at the server level. It is, however, possible to disable some headers at the site level.
In the image above you can see that 2 headers can be interesting for attackers. The headers ‘Server’ and ‘X-Powered-By’.
To stop IIS returning the header ‘Server’ you can use the following command.
You will have to restart IIS after these commands. Otherwise the headers will keep showing up. The first command disables the header at the proxy level. The second command disables the header at the webfarm level. In my example the webfarm is called test. You need to replace that with the name of your webfarm.
Now the server will return clean response headers.
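To confirm the result from a client, the following added example (not the author's commands) sets the two server-level options for 'Server' and 'X-Powered-By' on IIS 10 and then reports whether a response still carries them. The function name Test-DisclosureHeader and the URL are assumptions.

```powershell
# Added example. Requires the WebAdministration module on the IIS server.
Import-Module WebAdministration

# Server level (applicationHost.config): stop IIS 10 from sending 'Server'.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# Server level: remove the default 'X-Powered-By' custom header.
Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' }

# Hypothetical helper: report which of the named headers a response still contains.
function Test-DisclosureHeader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [uri[]]$Uri,

        [string[]]$HeaderName = @('Server', 'X-Powered-By')
    )
    process {
        foreach ($u in $Uri) {
            $response = Invoke-WebRequest -Uri $u -UseBasicParsing
            foreach ($name in $HeaderName) {
                # -eq is case-insensitive, which matches how header names are compared.
                $key = $response.Headers.Keys |
                    Where-Object { $_ -eq $name } |
                    Select-Object -First 1
                [pscustomobject]@{
                    Uri     = $u
                    Header  = $name
                    Present = [bool]$key
                    Value   = if ($key) { $response.Headers[$key] -join ', ' } else { $null }
                }
            }
        }
    }
}

# Placeholder URL; every row should show Present = False after the change:
# Test-DisclosureHeader -Uri 'http://localhost/'
```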
One thing that I have found very annoying in recent PowerShell versions is the beep that you hear when you press <BackSpace> and hit the beginning of the line. First I thought it was a setting in Windows 10, but I could not find it. And apparently that is the wrong place to look for it.
The beep sound is actually produced by the PSReadLine module, which is used by default and also gives us these time-saving keyboard shortcuts. See yesterday's post. Turning it off is very easy. Just use the next command:
Set-PSReadlineOption -BellStyle None
After you have executed this command you will not hear the beep anymore. At least not in your current PowerShell session. To make it permanent you need to put it in your profile script.
When you are working in PowerShell and have forgotten which shortcuts are available, you have two options. The first one is to go to the documentation, see the link above. Or you can type <Ctrl+Alt+?>. You will then get the full list of shortcuts. The list you see in the image below is only half of the keyboard shortcuts. See for yourself in your own PowerShell window.
You probably have been using some of these shortcuts without knowing it, like the <UpArrow> and <DownArrow> keys to scroll through the history. But did you know there are also keyboard shortcuts to search in the history? These are <Ctrl+r> and <Ctrl+s>. With the first one you can search backward in your history, and with the second one you can search forward. The screen will show whether you are doing a backward or forward search.
To search backward in your history you first press <Ctrl+r> and then type part of the command or parameter you want to search for. The first result will be shown. Press <Ctrl+r> to scroll through the results. Press <Enter> to select the result and then press <Enter> again to execute the command. Forward search with <Ctrl+s> works in the same way.
Another useful shortcut is <Ctrl+SpaceBar>; this is like <Tab> on steroids. We have all used <Tab> to complete commands, but finding the right command can take some time. There are, for example, 16 commands that start with Get-NetIP. Instead of pressing <Tab> many times until you find the right one, you can press <Ctrl+SpaceBar> and get a nice menu with all the possible commands. You can then select the command you want with the <Arrow> keys and then press <SpaceBar> to use the command. To execute the command immediately just press <Enter>.
The shortcut <Ctrl+SpaceBar> works not only for commands, but also for parameters and parameter values.
As you can see, using shortcuts can make your life in PowerShell easier and more efficient. Give it a try.