
Forum Moderators: ocean10000


How to use IP blocklists on Windows Server shared hosting

I'm looking for a solution for shared hosting customers to use my IP blocklists

     
7:25 pm on Mar 4, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Greetings;
I write and publish several IP blocklists for use on Apache-hosted websites. The foremost version is used in .htaccess files in shared hosting accounts. It uses the Apache mod_access module to deny from or allow from listed IP addresses and CIDRs.

I have been asked several times by people with websites hosted on Windows Server shared accounts how they can import my IP blocklists. One version of each blocklist is already in iptables format, which server admins can import into the Windows Server firewall. But common users with shared hosting accounts cannot access the firewall.

I am hoping that someone here knows of some method of converting .htaccess Mod_Access "deny from" directives into a form usable and importable into a shared Windows hosting account.

Here is an example of what I am referring to:

<Files *>
order deny,allow
deny from 192.168.0.1 192.168.0.0/16 10.0.0.0/8
deny from .....
</Files>

Note that some of my deny from lists include hundreds of space-separated CIDRs. I would be willing to convert them into single lines of deny froms if necessary. My iptables blocklists are already one per line, like this example:

192.168.0.0/16
192.168.1.0/23
192.168.3.4
..... (dozens more) .....


I don't particularly mind if the solution is commercial or open source. It is up to end users to choose their method, if any exists. All I have found thus far is ISAPI Rewrite, which deals with Mod_Rewrite engine directives, but not Mod_Access (to my knowledge). If someone knows differently, first hand, please let me know.

Thanks in advance!
2:58 pm on Mar 5, 2012 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


I do not know of an easy way in pre-IIS 7, or know of a commercial solution which I am familiar with.

In IIS 7 and newer there is a way to add IP addresses to a block list stored in the web.config file on a per-website level.

IP Security [iis.net]
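
The per-site web.config block list mentioned in the reply above, shown as an added example that is not part of the original thread: a Python converter from mod_access "deny from" lines to an IIS 7 `<ipSecurity>` section. The sample input is constructed, the function names are hypothetical, and only IPv4 entries are handled.

```python
import ipaddress
import re

# Constructed sample in the .htaccess format quoted in the thread.
SAMPLE_HTACCESS = """\
<Files *>
order deny,allow
deny from 192.168.0.1 192.168.0.0/16 10.0.0.0/8
deny from 192.168.1.0/23
deny from .example.com
</Files>
"""

def parse_deny_from(text):
    """Return (networks, skipped) for every token on 'deny from' lines."""
    networks, skipped = [], []
    for line in text.splitlines():
        m = re.match(r"\s*deny\s+from\s+(.*)", line, re.IGNORECASE)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                # strict=False tolerates entries with host bits set,
                # e.g. 192.168.1.0/23 is read as 192.168.0.0/23.
                networks.append(ipaddress.IPv4Network(token, strict=False))
            except ValueError:
                # Hostnames, partial addresses and "all" have no direct
                # ipAddress/subnetMask form; report them for manual review.
                skipped.append(token)
    return networks, skipped

def to_web_config(networks):
    """Render an <ipSecurity> block; overlapping ranges are merged first."""
    rows = [
        f'        <add ipAddress="{net.network_address}" '
        f'subnetMask="{net.netmask}" allowed="false" />'
        for net in ipaddress.collapse_addresses(networks)
    ]
    head = ['<?xml version="1.0" encoding="UTF-8"?>', "<configuration>",
            "  <system.webServer>", "    <security>",
            '      <ipSecurity allowUnlisted="true">']
    tail = ["      </ipSecurity>", "    </security>",
            "  </system.webServer>", "</configuration>"]
    return "\n".join(head + rows + tail)

if __name__ == "__main__":
    nets, skipped = parse_deny_from(SAMPLE_HTACCESS)
    print(to_web_config(nets))
    print("skipped:", skipped)
```

On a shared account this only takes effect if the host has the IP and Domain Restrictions feature installed and allows the ipSecurity section to be set in a site-level web.config.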
3:43 pm on Mar 5, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 24, 2002
posts:894
votes: 0


I have been on Win servers for years and use ISAPI Rewrite.
Though I have no experience with Apache and htaccess, comparing from what I read on these forums it works just as well.

You can block single IP addresses or whole/part ranges.
3:44 pm on Mar 5, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Thanks Ocean10000. I read that article and it is targeted at system admins. I suppose that a Windows hosting company might provide an interface, or single IP input field for their shared account customers to use.

I guess that it is up to the server admins to compile and maintain a firewall IP blocklist, such as my iptables lists.

It is unfortunate that someone with the knowledge of both IIS and Apache doesn't come up with a user installable equivalent of Mod_Access for Windows hosting accounts.
3:46 pm on Mar 5, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Staffa;
How does one block entire CIDRs using ISAPI Rewrite? I read their FAQs and searched their forums, without success on this matter.
3:49 pm on Mar 5, 2012 (gmt 0)

Preferred Member

5+ Year Member

joined:Nov 16, 2010
posts:533
votes: 0


In Windows shared hosting, some hosts have

ISAPI rewrite installed
which mimics all the .htaccess code slightly modified

other hosts install
IIS URL Rewrite 2.0
which is free, from Microsoft and is coded entirely the Microsoft way, but will replicate almost all the functions of .htaccess if you find out how to configure it
[iis.net...]
10:40 pm on Mar 5, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 24, 2002
posts:894
votes: 0


Wizcrafts

ISAPI Rewrite comes in two versions. The latest v.3 is pretty similar to htaccess, though I wouldn't know since I never used either ;o)

V.2 is different from htaccess and an example of blocking a range of IPs would be

#block 208.80.0.0 - 208.80.255.255
RewriteCond %REMOTE_ADDR 208\.80\..*\..*

with a third line, right underneath the two above for what you want to do with the intruder

RewriteRule .* /directory/ [I,L] ( >>>>> redirect to a specific directory)
or
RewriteRule .* [F] (>>>>>> block outright)
or
RewriteRule (.*) http\://127.0.0.1\ [I,RP] (>>>>> redirect to themselves)

Blocking a more complex IP range would look like :

#block AMAZON AWS 72.44.32.0 - 72.44.63.255
RewriteCond %REMOTE_ADDR 72\.44\.(?:3[2-9]|[4-5]\d|6[0-3])\..*

I have been using it for, give or take, 10 years without any problems
11:01 pm on Mar 5, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Thanks for the replies guys. I have sent a request for info to Helicontech. If/when I hear back about this I will update it in this topic.

This is a matter that calls for the use of the Apache Mod_Access directives: "Files" - "Order" - "deny from" and "allow from." It looks to me as though the Helicon "Ape" program contains this function and is installable into shared hosting accounts.

Hopefully the Ape has the solution. The concept of rewriting hundreds of CIDRs into RegExpr is not on my radar.

FYI: My blocklists were developed with assistance from well known members of the Apache Web Server Forum. They have been continually refined and updated since 2005. It all began with a necessity to block Nigerian scammers from a particular forum I belonged to. I am now a moderator at that forum.
4:48 am on Mar 9, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


I have received a reply from Helicontech, regarding their APE program for Windows servers. It contains the "mod_authz_host" module, which has replaced mod_access, which has been deprecated as of Apache 2.1.

Things change frequently and I never knew that Mod_Access was gone!

At least Windows hosting users have a viable option, although commercial, to use IP blocklists and .htaccess rules.
12:42 pm on Mar 9, 2012 (gmt 0)

Preferred Member

5+ Year Member

joined:Nov 16, 2010
posts:533
votes: 0


Did you not see Microsoft's IIS rewrite module then?

[iis.net...]
3:22 pm on Mar 9, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


Scooterdude;
I read the IIS URL Rewrite details and it begins by stating that it is meant for server administrators. Most of the hosting companies I have contacted in the past are not willing to install such scripts that affect the entire server. The program I mentioned can be installed by end users, into their personal websites on shared, vps, or dedicated servers.

Really, the mod_authz_host module in APE is exactly what is needed to apply my blocklists exactly as they are written. No url rewrites are needed. The ISAPI Rewrite program only allowed for Regular Expressions to control IP addresses and CIDRs. That was out of the question due to the huge number of varying CIDRs in my blocklists.

I was invited to try APE, but I only have Apache hosting. If I find someone on a shared Windows server I'll have them check it out.
5:11 pm on Mar 9, 2012 (gmt 0)

Preferred Member

5+ Year Member

joined:Nov 16, 2010
posts:533
votes: 0


2 things, I very much doubt that any hosting company would permit any webmaster to install software that modified iis7 behaviour like that. IIS 7 is not like the LAMPS environment.

I've only come across 1 host who had ISAPI preinstalled, they had chosen this over IIS rewrite (preinstalled ISAPI may well be a prerequisite for software mentioned by you), however without mentioning their name, I know that the largest shared hosting provider for iis7 preinstalls iis rewrite

Anyway, I'm probably wrong so good luck, sounds like we'll all be needing IP block lists soon :)
2:02 am on Mar 10, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 5, 2003
posts: 319
votes: 0


The documentation on APE says it runs in its own directory and a "bin" directory, under the web root. It is a web application. Any more I don't know.

I dread what is going to happen as IPv6 is fully deployed. Every customer might have thousands of IP addresses. Blocklists may become a thing of the past, except for legacy IPv4 addresses that aren't going away anytime soon.

Thanks for your input Scooterdude. This topic has brought new data to my positronic net.