
Can I programmatically add an IP address to Dynamic IP Restrictions extension in IIS7 from my ASP.NET app?

Tags: asp.net, iis, iis-7

I'm creating a forums based site and want to block the members that post spam or abuse. I was thinking about using an HTTPModule to do this but I came across the Dynamic IP Restrictions extension to IIS7. I wonder if it's possible to add IPs dynamically from my app to the extension?

Also, if you have experience with that extension this will be great. I'm esp. interested to know whether it can affect performance in a high traffic website.

Thanks

Waleed Eissa asked Feb 26 '09 09:02


2 Answers

I was also interested in this.

At first I was using the UI in IIS7 to blacklist IP addresses.


I did take a look at the Rick Strahl link mentioned above but found a great resource here:

http://www.iis.net/configreference/system.webserver/security/ipsecurity/add

The code sample on that page shows you how to perform the action using C#. Here is the snippet from that site:

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection ipSecuritySection = config.GetSection("system.webServer/security/ipSecurity", "Default Web Site");
         ConfigurationElementCollection ipSecurityCollection = ipSecuritySection.GetCollection();

         ConfigurationElement addElement = ipSecurityCollection.CreateElement("add");
         addElement["ipAddress"] = @"192.168.100.1";
         addElement["allowed"] = false;
         ipSecurityCollection.Add(addElement);

         ConfigurationElement addElement1 = ipSecurityCollection.CreateElement("add");
         addElement1["ipAddress"] = @"169.254.0.0";
         addElement1["subnetMask"] = @"255.255.0.0";
         addElement1["allowed"] = false;
         ipSecurityCollection.Add(addElement1);

         serverManager.CommitChanges();
      }
   }
}

To get the Microsoft.Web.Administration package, in Visual Studio go to Tools -> NuGet Package Manager -> Package Manager Console.

Then type:

Install-Package Microsoft.Web.Administration

Another way of performing the same task is to use the command line and the appcmd command.

The following command does the same thing:

appcmd.exe set config "Default Web Site/SSM" -section:system.webServer/security/ipSecurity /+"[ipAddress='192.168.100.1',allowed='False']" /commit:apphost

and could be called from code using:

string website = "Default Web Site/SSM";
string ipAddress = "192.168.100.1";
string allowDeny = "False";

string cmd = string.Format("%systemroot%\\system32\\inetsrv\\appcmd.exe set config \"{0}\" -section:system.webServer/security/ipSecurity /+\"[ipAddress='{1}',allowed='{2}']\" /commit:apphost", website, ipAddress, allowDeny);
Process.Start(cmd);

The above command works but it turns out if you call it from C# it complains saying "The system cannot find the file specified Exception". To get around that you have to supply an admin username/password.

Here is the function:

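// Requires: using System.Diagnostics;
// ipAddress is placed into the appcmd argument string unchanged, so validate it
// (for example with IPAddress.TryParse) before calling this method.
void BlacklistIP(string ipAddress)
{
    string website = "Default Web Site/SSM";
    string allowDeny = "False";
    string domain = "";

    // Arguments for appcmd.exe: append a deny entry to the site's ipSecurity section
    string args = string.Format(" set config \"{0}\" -section:system.webServer/security/ipSecurity /+\"[ipAddress='{1}',allowed='{2}']\" /commit:apphost", website, ipAddress, allowDeny);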

    System.Security.SecureString password = new System.Security.SecureString();
    password.AppendChar('y');
    password.AppendChar('o');
    password.AppendChar('u');
    password.AppendChar('r');
    password.AppendChar('p');
    password.AppendChar('a');
    password.AppendChar('s');
    password.AppendChar('s');
    password.AppendChar('w');
    password.AppendChar('o');
    password.AppendChar('r');
    password.AppendChar('d');

    Process.Start(@"C:\windows\System32\inetsrv\appcmd.exe", args, "Administrator", password, domain);
}

Et Voila!

Ocean Airdrop answered Sep 21 '22 16:09
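
An added example, not part of the answer above or of the Microsoft sample it quotes: the same Microsoft.Web.Administration calls wrapped so that an address coming from the application is parsed before it reaches the configuration and is not added twice. The names IpBlocker and DenyAddress are hypothetical, the IPv4-only and loopback checks are assumptions chosen to match the answer's examples, and the process is assumed to run under an identity that is allowed to write applicationHost.config.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using Microsoft.Web.Administration;

internal static class IpBlocker   // hypothetical name, not from the answer
{
    // Adds a deny entry for one IPv4 address to the site's ipSecurity section.
    // Returns true if an entry was written, false if the address already has one.
    public static bool DenyAddress(string site, string candidate)
    {
        // Parse instead of trusting the string: the value usually originates from
        // request data, and only a real address should reach the configuration.
        IPAddress ip;
        if (!IPAddress.TryParse(candidate, out ip) ||
            ip.AddressFamily != AddressFamily.InterNetwork)
            throw new ArgumentException("Not an IPv4 address.", "candidate");

        // Assumption: the server should never end up on its own deny list.
        if (IPAddress.IsLoopback(ip))
            throw new ArgumentException("Refusing to block loopback.", "candidate");

        // TryParse accepts short forms; write the canonical dotted quad.
        string normalized = ip.ToString();

        using (ServerManager serverManager = new ServerManager())
        {
            Configuration config = serverManager.GetApplicationHostConfiguration();
            ConfigurationSection section =
                config.GetSection("system.webServer/security/ipSecurity", site);
            ConfigurationElementCollection entries = section.GetCollection();

            // Skip addresses that already have an entry, so repeat reports of the
            // same member do not attempt a duplicate <add>.
            foreach (ConfigurationElement entry in entries)
            {
                if ((string)entry["ipAddress"] == normalized)
                    return false;
            }

            ConfigurationElement deny = entries.CreateElement("add");
            deny["ipAddress"] = normalized;
            deny["allowed"] = false;
            entries.Add(deny);
            serverManager.CommitChanges();
            return true;
        }
    }
}
```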


It looks like Rick Strahl has achieved this using the IIS API, please see the link below:

http://www.west-wind.com/WebLog/posts/59731.aspx

Andrew

REA_ANDREW answered Sep 22 '22 16:09