dstiles - 8:30 pm on Aug 8, 2012 (gmt 0)
Most of the sites on my web server block the same IP ranges - eg some Amazon, US servers, Chinese etc ranges. These bans are specific, mostly as /17 to /14 ranges. As far as I can tell I've never had a "breakthrough" from these IPs, at least nothing that has shown up in logs. All of these sites are ASP coded.
I recently set up a mail server's PHP WebMail interface on the same server. It has its own IP and its own sub-domain (eg: wm.example.com) and has, for practical purposes, only an https port enabled.
In the IIS control panel I have set up the IP ranges for this "site" to "Allow Only..." instead of "Allow All Except...", the IP ranges being mostly UK broadband ranges so my customers can use the interface whilst keeping out the world at large.
I was expecting the log for this site to show nothing for any IP that wasn't enabled. In fact, I'm getting approx one hit per day (eg fake google UAs, attempted hacks etc) from blocked IPs. Has anyone else seen this sort of thing? (It is possible, of course, that my statement re: not seeing ANY blocked IPs on the other sites is slightly innacurate.)
The log format is W3 extended (same as all the others, with the same fields enabled). An oddity is that sometimes the log shows the rDNS value instead of the raw IP - is this some feature of PHP? I wouldn't have expected there to be any difference.
Anyone have anything helpful on this, please?