How Blocking Impacts Traffic and Other Web Services
From dstiles on [webmasterworld.com...]
You really need to read up on mail and web differences. There is no way that me blocking your mail server from accessing my WEB site on port 80 will affect the capability of your mail server from accepting mail from my on-server mail server sending on port 25. Here, we all block certain types of WEB activity. How we block MAIL activity is entirely different and is carried out via the mail server, not the web server.
I thought this was an interesting topic to bring up to help others clarify what happens when you block IP addresses in various places.
Web servers, Apache, IIS, etc. are on port 80
Mail servers, SMTP, etc. are on port 25 or 587
Admin control panels like Plesk use port 8443 for their web server.
Putting something in your server's firewall will have global impact and block all ports, including 25, 80, 587, etc. unless you specify which ports should be impacted.
Putting something in your Apache conf or .htaccess files only impacts port 80 unless otherwise specified, so blocking IP addresses in Apache is relatively safe as only the web servers are impacted, not email, not Admin control panels, etc. Remember, blocking IPs within the web server can only impact web services.
However, if you don't do business in some country that has a high volume of abuse, which would be SSH, SMTP, WEB, etc. basically attacking your whole server, then dropping that country, assuming you don't do business with them, in your server firewall is the best way to protect the server from their attacks.
Typically I whitelist services like FTP, SSH, etc. that only I use to accept a very narrow range of access which is the equivalent of blocking out the rest of the world from attacking those services. If you have another server or some dedicated IP address being used on a server, for an SSL certificate as an example, you can whitelist that IP as well and tunnel across to your server in an emergency if your other IPs change suddenly which can and does happen.
For instance, just recently Comcast changed my range from 71.* to 50.* one night, which is a pretty radical change, and I needed to use the emergency entrance to gain access.
Just beware that if you harden your server too much you just might harden yourself out of the server. There's a backdoor for my hosting company which could also be used to fix the problem but I'd be kind of red faced calling them and telling them I whitelisted myself out of the server... again. :)
Just kidding, I've never locked myself out yet but I thought I did once.
That's the basic nuts and bolts, quick recap: blocking IPs within the web server only impacts web services, but blocking in the firewall blocks access to all services on the server unless ports are specified, so beware.
Hope that clears it up for some people.
Thanks for expanding on my note, Bill.
One thing: HTTPS on web servers uses 443 (usually). And, POP3 uses port 110 and IMAP 143. I'm also careful about who can access those - in fact, more careful: they are my customers' mailboxes!
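A small model of the scoping discussed in this thread, added here as an example and not written by either poster: it evaluates firewall rules before Apache rules and lists which services a source address loses, including the whitelist lockout after an ISP renumbering. The rule format, function names and sample addresses are constructed for illustration; port 22 for SSH and the Apache listen ports are assumptions.

```python
import ipaddress

# Ports named in the thread; 22 for SSH is the standard port (not stated on the page).
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "pop3": 110, "imap": 143,
            "https": 443, "submission": 587, "plesk": 8443}
WEB_PORTS = {80, 443}  # assumption: the only ports Apache listens on

def rule(layer, action, cidr, ports=None):
    """Hypothetical rule record. ports=None means the rule covers every port."""
    return {"layer": layer, "action": action,
            "net": ipaddress.ip_network(cidr), "ports": ports}

def reachable(rules, src, port):
    """Traffic passes the firewall first, then Apache; first match wins per layer."""
    ip = ipaddress.ip_address(src)
    for layer in ("firewall", "apache"):
        if layer == "apache" and port not in WEB_PORTS:
            continue  # Apache rules are never consulted for mail, SSH or Plesk
        for r in rules:
            if r["layer"] != layer or ip not in r["net"]:
                continue
            if r["ports"] is not None and port not in r["ports"]:
                continue
            if r["action"] == "deny":
                return False
            break  # explicit allow: stop scanning this layer
    return True

def blocked_services(rules, src):
    """Names of the services that src can no longer reach."""
    return sorted(s for s, p in SERVICES.items() if not reachable(rules, src, p))

# Constructed sample addresses and rule sets.
ABUSER = "203.0.113.7"
apache_only = [rule("apache", "deny", "203.0.113.0/24")]
fw_all_ports = [rule("firewall", "deny", "203.0.113.0/24")]
fw_web_only = [rule("firewall", "deny", "203.0.113.0/24", ports={80, 443})]
ssh_whitelist = [rule("firewall", "allow", "71.0.0.0/8", ports={22}),
                 rule("firewall", "allow", "198.51.100.10/32", ports={22}),  # emergency entrance
                 rule("firewall", "deny", "0.0.0.0/0", ports={22})]

if __name__ == "__main__":
    for name, rs in [("apache", apache_only), ("fw all", fw_all_ports), ("fw web", fw_web_only)]:
        print(name, blocked_services(rs, ABUSER))
    # ISP renumbering from 71.* to 50.*: the old whitelist entry no longer matches.
    for src in ("71.10.20.30", "50.10.20.30", "198.51.100.10"):
        print(src, "ssh ok" if reachable(ssh_whitelist, src, 22) else "LOCKED OUT")
```

Running a check like this against a planned rule set, with your own current address and the emergency address as inputs, shows a lockout before the rules are applied.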