
iis security : Deny requests from specific countries



walter1234
1/19/2005 2:53:08 PM
I would like to create an additional tab on the iis website properties page.
I need to create an add-in to the IIS Management Utility as a new tab on the
properties page.
The function of this tab would be to allow the administrator to deny
admittance to requesters from particular countries. Can you point me to
documentation that explains how to add a tab to the page, and any other
aspects of this project. I already know how to identify the country from
which the request originated.
I am not even sure that this is possible.
The preferred language is C#
Thanks in advance for any help.
walter1234
1/19/2005 3:49:03 PM
Hello Mike (or Miha)
Thanks for your reply.
Clearly someone with even modest knowledge could easily defeat this. I
suppose that one could make the assumption that most visitors to any site are
using a server in their own country. That said, it still could be useful for
this client. For example, if the request is coming from East Yemen, (just an
example) I don't want to respond.
I would just redirect you to a page that says "go away"
Anyway, this is what the RFP described. As for how to get the country from
the IP,
have a look at this article

http://www.codeproject.com/aspnet/countrylistbox.asp

If it is not possible, then so be it, but I would like to try because a
successful outcome could lead to more work.

If you really think this is not feasible, I would appreciate a heads up.

Thanks much for your input
Walter

Dave
1/20/2005 12:05:39 AM


interesting, but easy to defeat of course. maybe an isapi filter like how
urlscan works would be a way to do it. not sure how you would get it into
the iis utility though.

Miha Pihler [MVP]
1/20/2005 12:08:00 AM
Hi,

May I ask how you will identify the country?

I am from the EU and let's say you want to block me (my country). Will it be a
problem for you if I use a public proxy in US or Canada or ... to access and
see the content of your page?

--
Mike
Microsoft MVP - Windows Security


Leythos
1/20/2005 12:13:08 AM
In article <#I9ZHun$EHA.2180@TK2MSFTNGP10.phx.gbl>, mihap-news@atlantis.si says...

I don't think many people need to worry about the proxy users as most of
that is just http traffic.

I block the sites listed below because their networks have actually
tried to break into our systems - either by slow user/password scanning
over days, or because they have made direct probes in x-seconds time.

While the list doesn't stop people using a proxy, it does stop a LOT of
the chatter we would normally see. I've not checked every IP on this
list other than at the time I added it, but none of them have any reason
to access our services (then or now). We're based in the Eastern USA and
have little reason to allow these networks/hosts to access our systems.




--
--
spamfree999@rrohio.com
Karl Levinson, mvp
1/21/2005 1:26:36 AM


Most people do not bother to do this. It is far more important to make sure
your web server and web application code are secure, use either Windows 2003
or IISLockdown with URLScan, etc.

If you still wanted to do this, I wouldn't use C# or IIS. I would do this
at your firewall, because IIS blocking only blocks requests to IIS, and I'm
not sure whether this blocks buffer overflows in, say, TLS / SSL. Doing
this at your firewall would probably also cause less latency and more
reliability, while letting you block non-IIS ports and non-IIS servers.
There are lists that map IP address blocks to countries; you might try
searching Google to find such lists, such as

http://www.google.com/search?hl=en&lr=&safe=off&q=ip-addresses+list+country

Note that such lists are subject to change and may have some inaccuracies,
and yes, using a proxy to another country can bypass this. Having said
that, only you can determine whether doing this is a benefit for your
environment. Just because a countermeasure can be bypassed does not
automatically mean the countermeasure should be rejected, because any and
all countermeasures can be bypassed.
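
The lookup and firewall-rule generation discussed in this thread, as an added example that is not code from any poster here: it parses an IP-to-country list, answers "which country is this address in", and collapses the blocked countries' ranges into CIDR blocks a firewall can take. The list layout, the function names, and the XA/XB country codes are assumptions made for the illustration.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the common "first,last,country" layout of public
# IP-to-country lists. Addresses are RFC 5737 documentation ranges and the
# country codes XA/XB are user-assigned placeholders, not real mappings.
SAMPLE_LIST = """\
192.0.2.0,192.0.2.127,XA
192.0.2.128,192.0.2.255,XB
198.51.100.0,198.51.100.255,XA
203.0.113.16,203.0.113.47,XB
"""

def load_ranges(text):
    """Parse the list into (first, last, country) tuples sorted by first."""
    rows = []
    for first, last, cc in csv.reader(io.StringIO(text)):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"inverted range {first}-{last}")
        rows.append((int(lo), int(hi), cc.strip().upper()))
    return sorted(rows)

def country_of(ip, ranges):
    """Binary-search the sorted ranges; None means the list has no entry."""
    addr = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(ranges, (addr, 0xFFFFFFFF, "\uffff")) - 1
    if i >= 0 and ranges[i][0] <= addr <= ranges[i][1]:
        return ranges[i][2]
    return None

def is_denied(ip, ranges, blocked):
    """Deny only on a positive match; unlisted addresses are allowed."""
    return country_of(ip, ranges) in blocked

def deny_cidrs(ranges, blocked):
    """Turn the blocked countries' ranges into minimal CIDRs for a firewall."""
    nets = []
    for lo, hi, cc in ranges:
        if cc in blocked:
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

RANGES = load_ranges(SAMPLE_LIST)
```

The address passed to `is_denied` should be the TCP peer address seen by the server or firewall; because the lists change over time, the table needs to be reloaded whenever the source list is refreshed.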

