IIS Server Security - Deny requests from specific countries


Author Deny requests from specific countries
walter1234

2005-01-19, 5:52 pm

I would like to create an additional tab on the iis website properties page.
I need to create an add-in to the IIS Management Utility as a new tab on the
properties page.
The function of this tab would be to allow the administrator to deny
admittance to requesters from particular countries. Can you point me to
documentation that explains how to add a tab to the page, and any other
aspects of this project. I already know how to identify the country from
which the request originated.
I am not even sure that this is possible.
The preferred language is C#
Thanks in advance for any help.

Miha Pihler [MVP]

2005-01-19, 5:52 pm

Hi,

May I ask how you will identify the country?

I am from EU and let's say you want to block me (my country). Will it be a
problem for you if I use a public proxy in US or Canada or ... to access and
see the content of your page?

--
Mike
Microsoft MVP - Windows Security

"walter1234" <walter1234@discussions.microsoft.com> wrote in message
news:62DD0F7A-A63C-492A-8060-226255377571@microsoft.com...
>I would like to create an additional tab on the iis website properties
>page.
> I need to create an add-in to the IIS Management Utility as a new tab on
> the
> properties page.
> The function of this tab would be to allow the administrator to deny
> admittance to requesters from particular countries. Can you point me to
> documentation that explains how to add a tab to the page, and any other
> aspects of this project. I already know how to identify the country from
> which the request originated.
> I am not even sure that this is possible.
> The preferred language is C#
> Thanks in advance for any help.
>



walter1234

2005-01-19, 5:52 pm

Hello Mike (or Miha)
Thanks for your reply.
Clearly someone with even modest knowledge could easily defeat this. I
suppose that one could make the assumption that most visitors to any site are
using a server in their own country. That said, it still could be useful for
this client. For example, if the request is coming from East Yemen, (just an
example) I don't want to respond.
I would just redirect you to a page that says "go away"
Anyway, this is what the rfp described. As for how to get the country from
the ip,
have a look at this article

http://www.codeproject.com/aspnet/countrylistbox.asp

If it is not possible, then so be it, but I would like to try because a
successful outcome could lead to more work.

If you really think this is not feasible, I would appreciate a heads up.

Thanks much for your input
Walter

"Miha Pihler [MVP]" wrote:

> Hi,
>
> May I ask how you will identify the country?
>
> I am from EU and let's say you want to block me (my country). Will it be a
> problem for you if I use a public proxy in US or Canada or ... to access and
> see the content of your page?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "walter1234" <walter1234@discussions.microsoft.com> wrote in message
> news:62DD0F7A-A63C-492A-8060-226255377571@microsoft.com...
>
>
>

Dave

2005-01-19, 8:48 pm


"walter1234" <walter1234@discussions.microsoft.com> wrote in message
news:62DD0F7A-A63C-492A-8060-226255377571@microsoft.com...
> I would like to create an additional tab on the iis website properties
> page.
> I need to create an add-in to the IIS Management Utility as a new tab on
> the
> properties page.
> The function of this tab would be to allow the administrator to deny
> admittance to requesters from particular countries. Can you point me to
> documentation that explains how to add a tab to the page, and any other
> aspects of this project. I already know how to identify the country from
> which the request originated.
> I am not even sure that this is possible.
> The preferred language is C#
> Thanks in advance for any help.
>


Interesting, but easy to defeat of course. Maybe an ISAPI filter like how
URLScan works would be a way to do it. Not sure how you would get it into
the IIS utility though.


Leythos

2005-01-19, 8:48 pm

In article <#I9ZHun$EHA.2180@TK2MSFTNGP10.phx.gbl>, mihap-news@atlantis.si says...
> Hi,
>
> May I ask how you will identify the country?
>
> I am from EU and let's say you want to block me (my country). Will it be a
> problem for you if I use a public proxy in US or Canada or ... to access and
> see the content of your page?


I don't think many people need to worry about the proxy users as most of
that is just http traffic.

I block the sites listed below because their networks have actually
tried to break into our systems - either by slow user/password scanning
over days, or because they have made direct probes in x-seconds time.

While the list doesn't stop people using a proxy, it does stop a LOT of
the chatter we would normally see. I've not checked every IP on this
list other than at the time I added it, but none of them have any reason
to access our services (then or now). We're based in the Eastern USA and
have little reason to allow these networks/hosts to access our systems.




--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Karl Levinson, mvp

2005-01-21, 2:50 am


"walter1234" <walter1234@discussions.microsoft.com> wrote in message
news:62DD0F7A-A63C-492A-8060-226255377571@microsoft.com...
> I would like to create an additional tab on the iis website properties
> page.
> I need to create an add-in to the IIS Management Utility as a new tab on
> the
> properties page.
> The function of this tab would be to allow the administrator to deny
> admittance to requesters from particular countries. Can you point me to
> documentation that explains how to add a tab to the page, and any other
> aspects of this project. I already know how to identify the country from
> which the request originated.
> I am not even sure that this is possible.
> The preferred language is C#
> Thanks in advance for any help.


Most people do not bother to do this. It is far more important to make sure
your web server and web application code are secure, use either Windows 2003
or IISLockdown with URLScan, etc.

If you still wanted to do this, I wouldn't use C# or IIS. I would do this
at your firewall, because IIS blocking only blocks requests to IIS, and I'm
not sure whether this blocks buffer overflows in, say, TLS / SSL. Doing
this at your firewall would probably also cause less latency and more
reliability, while letting you block non-IIS ports and non-IIS servers.
There are lists that map IP address blocks to countries, you might try
searching Google to find such lists, such as

http://www.google.com/search?hl=en&...es+list+country

Note that such lists are subject to change and may have some inaccuracies,
and yes, using a proxy to another country can bypass this. Having said
that, only you can determine whether doing this is a benefit for your
environment. Just because a countermeasure can be bypassed does not
automatically mean the countermeasure should be rejected, because any and
all countermeasures can be bypassed.
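
An added example, not part of any post in this thread: one way to turn a deny list of networks, single hosts and start-end ranges (whether kept by hand, as Leythos describes, or built from a country-to-IP-block list, as Karl suggests) into CIDR blocks and test the connecting address against it. The rule syntax, the function names and the sample entries (RFC 5737 documentation ranges) are assumptions made for the illustration, and it handles IPv4 only.

```python
import ipaddress

# Constructed sample rules using RFC 5737 documentation ranges (not real hosts).
SAMPLE_RULES = """\
network 192.0.2.0/24 permanent
host 198.51.100.7 permanent
host 203.0.113.16-203.0.113.47 permanent
"""

def parse_rules(text):
    """Parse 'network <cidr>', 'host <addr>' and 'host <start>-<end>' lines
    (an assumed syntax) into a minimal, sorted list of IPv4 networks."""
    nets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 2 or fields[0] not in ("network", "host"):
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        kind, target = fields[0], fields[1]
        if kind == "network":
            # strict=True rejects typos such as 192.0.2.1/24 (host bits set).
            nets.append(ipaddress.IPv4Network(target, strict=True))
        elif "-" in target:
            # An arbitrary start-end range becomes the fewest CIDR blocks covering it.
            first, last = (ipaddress.IPv4Address(p) for p in target.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.IPv4Network(target))  # single host -> /32
    # Merge overlapping and adjacent blocks so each lookup scans fewer entries.
    return list(ipaddress.collapse_addresses(nets))

def match(peer_ip, nets):
    """Return the deny-list network containing the connecting peer, or None."""
    addr = ipaddress.IPv4Address(peer_ip)
    return next((n for n in nets if addr in n), None)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # The last peer is outside every listed block, which is also what a request
    # relayed through a proxy in an unlisted network looks like to the server.
    for peer in ("192.0.2.55", "203.0.113.40", "198.51.100.200"):
        hit = match(peer, rules)
        print(peer, "DENY " + str(hit) if hit is not None else "ALLOW")
```

Because such lists change over time, re-run the parser whenever the list is refreshed and log the matched block with each denial so stale entries can be found later.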




Copyright 2003 - 2008 webservertalk.com