Blocking malicious users, bots, and crawlers via IP address

Overview

As with all websites, internal or public, it's important to know how to block access to individual IP addresses or IP address ranges. This can be useful to avoid unwanted traffic from bots or malicious users with known sources, or for blocking web crawlers that are ignoring your robots.txt file.

Within the DNN UI, you can block or permit users from logging into your instance, but if you need to completely block access to your domains, you'll need to make changes to the DNN web.config file.

 

NOTE: The following steps will trigger an automatic application pool restart, so it is advisable to do this outside of normal business hours. As a best practice, make sure to take a backup of your site before proceeding.

 

Solution

  1. Within your operating system, go to Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the Connections menu to the left of the screen, click on the arrow icon to the left of your server name to expand the selection.
  3. Click on the arrow icon to the left of Sites to expand this selection.
  4. Right-click on the name of your DNN site and select Explore.

  5. In the folder explorer, find the file web.config and double-click to open it in Notepad.
  6. Press Ctrl+F and search for "system.webServer".
  7. Within this section, find the following (it should be around line 126 or 127):
    [screenshot: handlers.jpg]
  8. Copy the following and insert in between the two lines in the above screenshot, customizing the IP addresses and subnet masks as needed:
      <security>
        <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
          <clear/>     <!-- removes all upstream restrictions -->
          <add ipAddress="125.16.119.23"/>     <!-- blocks the specific IP of 125.16.119.23 -->
          <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!-- blocks network 83.116.119.0 to 83.116.119.255 -->
          <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!-- blocks network 83.116.0.0 to 83.116.255.255 -->
          <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!-- blocks entire /8 network of 83.0.0.0 to 83.255.255.255 -->
        </ipSecurity>
      </security>
  9. Save the web.config file. This will automatically recycle the application pool and place the blocks in effect. 

 

Testing

  1. Input your own IP address into the block list for your site using the steps above.
  2. Navigate to your specific DNN URL.
  3. You should see a 403 error page.
  4. Remove your own IP from the block list using the same steps.
  5. If your block works for you but you are still seeing unwanted traffic, ensure you have the correct IP for the unwanted party. You may also need to expand your block list subnet if the traffic comes from a dynamic IP range.
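
Before saving web.config, it helps to check which addresses a block list actually covers and whether entries overlap. The Python script below is an added example, not part of the original article or of DNN: the function names are hypothetical, the sample XML is constructed from the block in step 8, and it assumes every matching deny entry blocks the request.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <security> block from step 8 as it would sit in web.config.
SAMPLE = """<security>
  <ipSecurity allowUnlisted="true">
    <clear/>
    <add ipAddress="125.16.119.23"/>
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
    <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>
    <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>
  </ipSecurity>
</security>"""

def load_rules(xml_text):
    """Return (allow_unlisted, [(network, allowed), ...]) from the ipSecurity element."""
    root = ET.fromstring(xml_text)
    sec = root if root.tag == "ipSecurity" else root.find(".//ipSecurity")
    if sec is None:
        raise ValueError("no <ipSecurity> element found")
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in sec.findall("add"):
        ip, mask = add.get("ipAddress"), add.get("subnetMask")
        # strict=True rejects entries whose address has host bits set for the mask
        net = ipaddress.ip_network(f"{ip}/{mask}" if mask else ip, strict=True)
        rules.append((net, add.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_blocked(ip, allow_unlisted, rules):
    """Assumption: any matching deny entry blocks; unmatched falls to allowUnlisted."""
    addr = ipaddress.ip_address(ip)
    hits = [allowed for net, allowed in rules if addr.version == net.version and addr in net]
    return (not all(hits)) if hits else (not allow_unlisted)

def redundant_entries(rules):
    """Deny entries that a wider deny entry already covers."""
    deny = [n for n, allowed in rules if not allowed]
    return [(a, b) for a in deny for b in deny
            if a != b and a.version == b.version and a.subnet_of(b)]

def blocked_address_count(rules):
    """Number of distinct IPv4 addresses denied, after merging overlaps."""
    deny = [n for n, allowed in rules if not allowed and n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(deny))

if __name__ == "__main__":
    allow, rules = load_rules(SAMPLE)
    for inner, outer in redundant_entries(rules):
        print(f"{inner} is already covered by {outer}")
    print("addresses denied:", blocked_address_count(rules))
```

Run against the sample, it reports that the /24 and /16 entries are already covered by the /8 entry, which on its own denies more than 16 million addresses, so a wide mask should be a deliberate choice.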
