Do you mean something like http://nnn.nnn.nnn.nnn?

If someone can get your web site using just an IP then the server's security is set up incorrectly (I forget the method for correcting this: it's usually preset).

The IIS record should include ONLY those domains and/or subdomains that should invoke the web site and MUST be set to a specific IP which must also be present in the domains DNS record.

If a specific IP is not selected for the domain in IIS (eg if it's set to All Unassigned) then any IP directed at that server may access the site. If there are several domains using a single IP (most common scenario) then all the domains must be specified correctly in IIS.

Is it possible another IIS record is set up for the IP? Have you disabled the "default" site?

[edited by: phranque at 5:21 am (utc) on May 17, 2014]
[edit reason] unlinked url [/edit]

the default site has been stopped.
Only example.com and www.example.com are being included as the host header value.

Still an external website is able to point to that ip and deliver the contents

However an external website is able to point to my ip and present the same page.

How can I stop the external url accessing my ip address

if you have a hostname canonicalization redirect in place then any request your server gets for a hostname that isn't yours would have a 301 response to the canonical url.

dukelips - are you sure it's being targetted at the IP?

I often log hits from scraper/robots on my IPs (instead of a proper URL) and I reject those attempts. There is little you can do to prevent an IP access but IIS should not deliver a page for it (other than an error code with appropriate error code).

Is this a common occurrence? I would expect no more than a few dozen hits a week using an IP instead of a proper URL. If it is more frewquent then look into your hosting company assigning your IP accidentally to another web site.

Also, of course, what happens when YOU access the web site by IP? I would expect, as I said above, you would get an error page.

And find out the IP that is sourcing the access attempt, then follow up on that. If it's a server farm then take appropriate blocking measures (eg in IIS).

thanks for your help.
The issue is with the ip address allowed to deliver the page and a miscreant has been using it.

Use a different home directory for the default website

The issue is with the ip address allowed to deliver the page

the issue is with requests for IP addresses not being redirected to the canonical hostname.

the issue is with requests for IP addresses not being redirected to the canonical hostname.

Keep saying it, phranque, eventually they'll listen ;)

How can I stop the external url accessing my ip address

You can't stop them requesting it. (Same principle as for the vilest Ukrainin robot that has been getting nothing but 403s for the past five years. At most you can stop them at a firewall.) You can only stop them from getting content.

At the outset you said

www.example.com and example.com

But you're not serving content wantonly from both forms. (Uh.... are you?) Requests for the wrong one are redirected to the right one. (Uh.... aren't they?)

Details of wording will depend on your server. But the underlying pattern is always: Look at "Host:" field in request header. If it is anything other than your one preferred name, forcibly redirect them to the preferred name. Depending on your site and your target audience, you may or may not make an exception for requests that are missing the "Host:" line altogether. (HTTP 1.0 and/or antiquated browsers.) But the first step is to deal with the request header.

Now, if your unwanted visitors are human, they will still end up on your site, because their browsers will redirect them. But at least you'll get the credit, and search engines will know what's going on.