Welcome to ISAserver.org
Block Certain IP Addy: How Do I??
Block Certain IP Addy: How Do I?? - 18.Dec.2007 12:23:08 PM
hardworkpays
Posts: 11
Joined: 13.Oct.2004
From: Mempho, TN
Status: offline
I've been working with ISA2000 for quite a while, but for some reason, I've never had a reason to do just this: (it sounds so easy I'm perplexed). I've got a website, and unfortunately, it is getting SLAMMED with a whole bunch of viagra ads... I want to simply BLOCK a certain IP address(es) from accessing.. Do I need to create a packet filter for EACH one (port 80) with remote computer being IP address... I'm up to 25.. Is there an easier way... Also, what is the best way of determining which IP address is actually hitting my web server since I pass traffic through ISA server to internal server and I only get IP address of ISA box in my web logs. ( I can't look at SESSIONS all day long :-) ) Any help is appreciated...
RE: Block Certain IP Addy: How Do I?? - 19.Dec.2007 1:20:17 AM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
I've never encountered this as a problem but here's a potential solution. No need to create individual packet filters to block individual IP addresses. Simply create 1 destination set - call it, say, "BlockTheseIPs" and then add the individual IPs to it. Then in your web publishing rule have it set to apply to "Client address sets below" and EXCEPT your "BlockTheseIPs" client set. I'm unsure if you'd need to create an "EveryIPAddress" type client set with 0.0.0.1 thru to 255.255.255.254 in it (ie: Every possible IP in IPv4).

Beyond that, I assume it's blog/comments posting or forum postings that you're suffering from. Can you implement a compulsory login system or captcha system or even "moderator" type confirmations? Comment/forum spam is a problem in its own right and I don't think outright blocking at the firewall is the best solution.
_____________________________
http://www.ahit.com.au/isa (Previous nick: Tolk)
RE: Block Certain IP Addy: How Do I?? - 19.Dec.2007 8:58:19 AM
hardworkpays
Posts: 11
Joined: 13.Oct.2004
From: Mempho, TN
Status: offline
Thank you... It's certainly some sort of "spam"... I blocked port 80 all day yesterday, and took a look at the IPPD logs... This is a small church site, so 20 posts in a day is common. The logs indicated that over 200 IP addresses were BLOCKED at port 80 just overnight! Again, thanks...
RE: Block Certain IP Addy: How Do I?? - 19.Dec.2007 9:33:28 AM
hardworkpays
Posts: 11
Joined: 13.Oct.2004
From: Mempho, TN
Status: offline
Slight update.... I took some of Shinder's advice on alternate port publishing, used the DEFAULT WEB RULE to forward requests to port 12345 of my internal web server... I then matched up the web server to receive requests on that port. I have NOT had SPAM in 45 minutes (which is by far the longest without for the last 7 days)... We'll see.. Again, I appreciate your response.. Let's see how it goes..
RE: Block Certain IP Addy: How Do I?? - 19.Dec.2007 10:04:57 PM
AHIT
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Dr. Tom... he's our man.... if he can't do it.... OK, end of cheerleading! Hope it all goes well for you... and thanks for posting the update. LOTS of posts here from "1st timers" who never write back with how the suggestions worked for them.... or they just never visit again to see the answer put forward!
_____________________________
http://www.ahit.com.au/isa (Previous nick: Tolk)
RE: Block Certain IP Addy: How Do I?? - 20.Dec.2007 5:59:45 AM
hardworkpays
Posts: 11
Joined: 13.Oct.2004
From: Mempho, TN
Status: offline
Thx... However, this problem persists... No doubt, it's port 80 upon which this is traversing... I'll try your "destination set" idea. I love the IPPEXTD logs, however, I wish there was a way of logging who gets THROUGH to the site, not just who gets blocked... I could then better match up TIMES of these troublesome posts and begin to create a "Bad IP" database. Server rules don't have a way of being LOGGED, do they :-) I'll keep you posted..
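The correlation the last post asks for (matching the times of the unwanted posts against requests that got through, to build a "Bad IP" list), as an added example that is not part of the original thread. It assumes a request log in W3C extended format with a `#Fields:` header is available at the firewall or proxy; the field names, log lines, timestamps and function names below are constructed or hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (documentation-range addresses, hypothetical URIs).
# Field names are assumptions: use whatever your log's "#Fields:" line lists.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tc-ip\tcs-method\tcs-uri\tsc-status",
    "2007-12-19\t02:14:07\t192.0.2.10\tPOST\t/guestbook/post.asp\t200",
    "2007-12-19\t02:14:09\t198.51.100.7\tGET\t/default.asp\t200",
    "2007-12-19\t02:31:40\t192.0.2.10\tPOST\t/guestbook/post.asp\t200",
    "2007-12-19\t02:31:41\t203.0.113.5\tPOST\t/guestbook/post.asp\t200",
    "2007-12-19\t09:05:12\t198.51.100.7\tPOST\t/guestbook/post.asp\t200",
])

# Times the unwanted posts appeared on the site (constructed).
# They must be in the same time zone as the log timestamps.
SPAM_TIMES = [datetime(2007, 12, 19, 2, 14, 8), datetime(2007, 12, 19, 2, 31, 42)]


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t") if "\t" in line else line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def suspects(entries, spam_times, window=timedelta(seconds=30)):
    """Per client IP, count how many spam posts it made a POST close to."""
    posts = [
        (datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S"), e["c-ip"])
        for e in entries if e.get("cs-method") == "POST"
    ]
    hits = Counter()
    for t in spam_times:
        hits.update({ip for when, ip in posts if abs(when - t) <= window})
    return hits


def blocklist(hits, min_hits=2):
    """Only list IPs seen near several spam posts, to limit false positives."""
    return sorted(ip for ip, n in hits.items() if n >= min_hits)
```
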