Banning IPs

The following code will prevent a visitor with the IP of 1.1.1.1 from accessing your site, provided you place it in an include file at the top of every page on your site.

Code:
<!--#include virtual="/includes/incCheckIP.asp"-->

incCheckIP.asp
--------------
Code:
visitorIP = Request.ServerVariables("REMOTE_HOST")
' Compare the whole address; Response.Redirect also ends the response, so nothing below it runs
If visitorIP = "1.1.1.1" Then
    Response.Redirect("http://www.website.com/banned.asp")
End If
 
This should work for more than one banned IP, using the following code in the same method as I've suggested above:


Code:
' Banned IP List (comma separated)
strBannedIPList = "1.1.1.1,1.1.1.2,100.101.102.103,244.123.17.1"

arrBannedIPList = Split(strBannedIPList, ",")
visitorIP = Request.ServerVariables("REMOTE_HOST")

For x = 0 To UBound(arrBannedIPList)
    ' Compare whole addresses: InStr would also match "1.1.1.1" inside "11.1.1.12"
    If visitorIP = Trim(arrBannedIPList(x)) Then
        Response.Redirect("http://www.website.com/banned.asp")
    End If
Next
 
WebDeveloper said:
This should work for more than one banned IP, using the following code in the same method as I've suggested above:

I was thinking of something very similar, but I was thinking of placing it in the global.asax.vb Session_Start() sub (it's a .net application). It should also work in global.asa for asp3 applications. This would avoid having to place the include in every page of the site.

I am going to test this and see if it works. I am also going to see if I can enhance it so it will allow blocking of IP blocks (1.1.1.*, 1.2.*.*). I'll post my results.

riley
 
Well, here is what I came up with for my .net application. The code is in the Session_Start() sub of global.asax. It gets the banned IP lists from the web.config file. Although this is written for .net, it could be easily adapted for use in the global.asa file of an ASP3 application.

It allows you to ban IP addresses based on 1, 2, 3, or all 4 octets of the IP address. (IpBan1, IpBan2, IpBan3 and IpBan4 respectively: see below)

Unfortunately, it isn't smart enough to do ranges (1.1.1.1 - 1.1.1.50). I could make it do that too, but I don't want to do too much processing when the session starts, so I'm leaving it as it is.

The "RedirectBannedClientTo" value is the page to which a banned client should be redirected. A simple HTML page is recommended here, since you have decided to disallow this client using aspx processing. If the value of "RedirectBannedClientTo" is "", the code will simply return a 404 to the banned client.

Add keys to web.config:
Code:
  <appSettings>
    <!-- IP Blocking (space separated lists) -->
    <add key="IpBan1" value="1" />
    <add key="IpBan2" value="1.1 2.2" />
    <add key="IpBan3" value="1.1.1 2.2.2 3.3.3" />
    <add key="IpBan4" value="1.1.1.1 2.2.2.2 3.3.3.3" />
    <add key="RedirectBannedClientTo" value="banned.htm" />
  </appSettings>

Put this code in global.asax.vb:
Code:
	Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
		' Fires when the session is started
		Try
			' Space separated lists of banned 1-, 2-, 3- and 4-octet prefixes (from web.config)
			Dim IpBanList1 As String = GetAppSetting("IpBan1", "")
			Dim IpBanList2 As String = GetAppSetting("IpBan2", "")
			Dim IpBanList3 As String = GetAppSetting("IpBan3", "")
			Dim IpBanList4 As String = GetAppSetting("IpBan4", "")

			' Client address and its leading one, two and three octets
			Dim ClientIP4 As String = Request.ServerVariables("REMOTE_ADDR")
			Dim IpPart() As String = ClientIP4.Split(CChar("."))
			Dim ClientIP1 As String = IpPart(0)
			Dim ClientIP2 As String = IpPart(0) & "." & IpPart(1)
			Dim ClientIP3 As String = IpPart(0) & "." & IpPart(1) & "." & IpPart(2)

			' Pad with spaces so only whole entries match: a "12" entry must not also ban 1.x.x.x
			If (" " & IpBanList1 & " ").IndexOf(" " & ClientIP1 & " ") > -1 _
			  OrElse (" " & IpBanList2 & " ").IndexOf(" " & ClientIP2 & " ") > -1 _
			  OrElse (" " & IpBanList3 & " ").IndexOf(" " & ClientIP3 & " ") > -1 _
			  OrElse (" " & IpBanList4 & " ").IndexOf(" " & ClientIP4 & " ") > -1 Then
				Dim RedirectPage As String = GetAppSetting("RedirectBannedClientTo", "")
				If RedirectPage = String.Empty Then
					Response.Status = "404 Not Found"
					Response.End()
				Else
					Response.Redirect(RedirectPage)
				End If
			End If
		Catch
			' An address with fewer than four octets (e.g. IPv6) lands here and is let through
		End Try

	End Sub

	Private Function GetAppSetting(ByVal Key As String, ByVal DefaultValue As String) As String
		' Get appsetting by Key. If not found, return DefaultValue.
		Dim Value As String = System.Configuration.ConfigurationSettings.AppSettings(Key)
		If Value Is Nothing Then Return DefaultValue
		Return Value
	End Function

I just installed it and tested it by banning my own IP -- it worked fine. If anybody tries this out, let me know how it works for you.

riley
 
Correction:

I forgot one of the most important things for this code. Because it is working at Session_Start(), we must include a Session.Abandon() so the session is not established. Without that statement, the client would be denied access on his first request, but would be able to access the site on subsequent requests until the session times out.

With the Session.Abandon statement, the client cannot get in. Therefore, the IF statement should look like this:
Code:
			' Pad with spaces so only whole entries match: a "12" entry must not also ban 1.x.x.x
			If (" " & IpBanList1 & " ").IndexOf(" " & ClientIP1 & " ") > -1 _
			  OrElse (" " & IpBanList2 & " ").IndexOf(" " & ClientIP2 & " ") > -1 _
			  OrElse (" " & IpBanList3 & " ").IndexOf(" " & ClientIP3 & " ") > -1 _
			  OrElse (" " & IpBanList4 & " ").IndexOf(" " & ClientIP4 & " ") > -1 Then
				Session.Abandon()   ' drop the session so the ban is re-checked on the next request
				Dim RedirectPage As String = GetAppSetting("RedirectBannedClientTo", "")
				If RedirectPage = String.Empty Then
					Response.Status = "404 Not Found"
					Response.End()
				Else
					Response.Redirect(RedirectPage)
				End If
			End If

Sorry about the omission. I posted this in a hurry.

riley
 
I thought I would post a follow-up and point out a few things that I have realized and discovered.

I would suggest that the code I posted should return a "403 Forbidden" instead of a 404. It is not only more technically correct, but it also avoids any problems you might encounter if you use Custom Errors.

Generally, the code I posted here and installed seems to be doing ok for many situations, but additional research into the issue of "bad bots" has led me to the conclusion that I need to write something more sophisticated.

Clearly, the code needs to accommodate IP ranges. Here is a real-life example:
While looking through my logs, I noticed that my sites (all of them) have been visited regularly by a webbot with IP addresses like 63.148.99.237 and 63.148.99.239. Looking up this IP address reveals the following:
Qwest Communications NET-QWEST-BLKS-2 (NET-63-144-0-0-1)
63.144.0.0 - 63.151.255.255
Cyveillance QWEST-63-148-99-224 (NET-63-148-99-224-1)
63.148.99.224 - 63.148.99.255
So I looked up Cyveillance on Yahoo and found they are a company that provides services to other companies to "identify trademark abuses across the World Wide Web."
see http://www.cyveillance.com/
That's nice, but not on my bandwidth, thank you. So I want to ban them from my sites. Notice, however, their IP addresses range from 63.148.99.224 to 63.148.99.255.
My original code could only handle this accurately if you made entries for each IP address in the range, which creates a huge ban list. Currently, I have simply blocked 63.148.99 but that also blocks 224 IPs that don't belong to them. Hence, handling ranges is important.

Also, I would like to allow a bit of flexibility about what happens when an IP is blocked. The new version of the code I'm working on will allow you to optionally specify what to do with a banned client. For example, the new code would allow you to do this with Cyveillance:
63.148.99.224-255;URLhttp://www.cyveillance.com/
thereby banning only their IP addresses and redirecting their bot to their own website. (a bit of poetic justice I think)

I have also discovered many listings on the web that contain the IP addresses and UserAgent strings of many bots that simply harvest email addresses for spam. Further research into my logs (and my email client's trash folder) reveals that I have been visited by quite a few of these bots. So my new code will also handle a UserAgent list. (ever wonder why the email addresses on your sites get so much spam? Check your logs...)

The new version of this code is written, but it needs some cleanup and refinement. Also, the code has become quite complex and is not well suited for posting here. The code is now in its own class that can be instantiated and executed by the Session_Start() sub in the global.asax.vb file (or somewhere else, like an aspx page, for that matter). I would be willing to share the dll if anyone is interested.
Is anybody interested? Or am I the only one crazy enough to be concerned about this issue? Post here and let me know.

riley
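The matching logic riley describes across these posts (whole-octet prefix entries like the IpBan1..IpBan4 lists, the proposed `63.148.99.224-255;URLhttp://www.cyveillance.com/` range-with-action syntax, and a UserAgent list), written out as an added Python reference implementation. This is not riley's class, nor any code from the thread; it shows the parsing and matching a Session_Start() handler could mirror. The rule text, the `ExampleHarvesterBot` agent fragment and the sample addresses are constructed for the demonstration, and CIDR notation is accepted as an addition beyond the thread's syntax. Addresses are compared as whole values on integer ranges rather than by substring search, so a `12` entry cannot also ban 1.x.x.x, and the default action is 403 rather than 404, as riley recommends above.

```python
"""Ban-list matcher for the rule styles discussed in this thread (added example).

One rule per line:  <spec>[;<action>]
  spec   : "1", "1.1", "1.1.1", "1.1.1.1"        leading octets, like IpBan1..IpBan4
           "63.148.99.224-255", "1.1.1.1-1.1.1.50"  ranges
           "198.51.100.0/24"                     CIDR (added here, not thread syntax)
  action : "403" (default) or "URL<absolute url>", as in the thread's proposal
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    lo: int        # first address of the banned range, as an integer
    hi: int        # last address of the range, inclusive
    action: str    # "403" or "URL<target>"


def _to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text.strip()))


def parse_rule(line: str) -> Rule:
    spec, _, action = line.strip().partition(";")
    spec, action = spec.strip(), (action.strip() or "403")
    if action.startswith("URL") and "://" not in action and action.lower().endswith(".aspx"):
        # A local .aspx target would start a new session, run this check again
        # and redirect again, forever (the loop riley describes later in the thread).
        raise ValueError(f"refusing local .aspx redirect target in rule {line!r}")
    if "/" in spec:                                   # CIDR block
        net = ipaddress.IPv4Network(spec, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    elif "-" in spec:                                 # a.b.c.x-y  or  a.b.c.d-e.f.g.h
        first, last = (p.strip() for p in spec.split("-", 1))
        if "." not in last:                           # bare last octet: reuse the first three
            last = first.rsplit(".", 1)[0] + "." + last
        lo, hi = _to_int(first), _to_int(last)
        if hi < lo:
            raise ValueError(f"range end before start in rule {line!r}")
    else:                                             # 1 to 4 leading octets
        octets = spec.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad address prefix in rule {line!r}")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")   # also validates each octet
        lo, hi = int(net.network_address), int(net.broadcast_address)
    return Rule(lo, hi, action)


def rule_is_valid(line: str) -> bool:
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def load_rules(text: str) -> list[Rule]:
    lines = (ln.strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def check_client(rules: list[Rule], banned_agents: list[str],
                 remote_addr: str, user_agent: str = "") -> Optional[str]:
    """Return None when the client is allowed, otherwise the action to apply."""
    try:
        ip = _to_int(remote_addr)
    except ValueError:
        ip = None          # not a dotted IPv4 address (e.g. IPv6): no IPv4 rule can match
    if ip is not None:
        for rule in rules:
            if rule.lo <= ip <= rule.hi:
                return rule.action
    ua = user_agent.lower()
    if any(needle.lower() in ua for needle in banned_agents):
        return "403"       # 403 Forbidden rather than 404, as riley later recommends
    return None


# Constructed rule list and agent fragment for the demonstration.
BAN_RULES = load_rules("""
# exact address, as in the thread's first example
1.1.1.1
# the whole 12.0.0.0/8 block; must not catch 1.x.x.x
12
# the Cyveillance block from the thread, sent to their own site
63.148.99.224-255;URLhttp://www.cyveillance.com/
# a full start-end range
10.0.0.1-10.0.0.50
# CIDR notation (added here; not part of the thread's syntax)
198.51.100.0/24
""")
BANNED_AGENTS = ["ExampleHarvesterBot"]     # constructed User-Agent fragment


if __name__ == "__main__":
    # Constructed requests as (REMOTE_ADDR, User-Agent) pairs
    requests = [("63.148.99.237", "Mozilla/5.0"), ("63.148.99.200", "Mozilla/5.0"),
                ("1.2.3.4", "Mozilla/5.0"), ("12.9.9.9", "curl/8.0"),
                ("203.0.113.5", "ExampleHarvesterBot/2.0"), ("2001:db8::1", "Mozilla/5.0")]
    for addr, agent in requests:
        verdict = check_client(BAN_RULES, BANNED_AGENTS, addr, agent) or "allow"
        print(f"{addr:>16}  {agent:<24} -> {verdict}")
```

Rules are reduced to integer ranges once at load time, so the per-request check is a handful of comparisons, which keeps the cost at session start low. In a real handler the rule text would come from web.config or a file; the `.aspx` check in `parse_rule` enforces the point made later in the thread that a banned client must never be redirected to a page that would itself start a new session.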
 
riley said:
Is anybody interested?
I'm interested!


riley said:
Or am I the only one crazy enough to be concerned about this issue?
You're definitely NOT the only one concerned about this issue... and I think we all get a little cRaZy after many hours of staring at our computer screens :p
 
You should also use java to break up the email address... Also, the spamming bots don't follow java links...
 
WebDeveloper said:
Riley,

Have you got it working yet? If so, let me know where I can check it out! Thanks!

It's written and it works quite well. But, owing to the fact that it is very versatile, I still have a few things that need perfecting (mostly to keep people from shooting themselves in the foot). For example, the code must prohibit the redirect of a banned client to another .aspx page on the same site. This would be bad, because that page would start a session, the ban-checking code would execute again and discover the client should be banned, and redirect the client to that .aspx page again, which would start a session again, and so on, ad infinitum... Not a good thing...
This is something I was alluding to in a previous post when I stated that a simple .htm page would be appropriate for doing redirects within your site. On the other hand, Transfers to .aspx pages on the same site would be quite desirable and very useful.

I've also been thinking that maybe I should create 2 versions. One would simply return a "403" error to the client. The other version would have all the other features that allow you to specify what should happen to each of the various banned clients, including redirects, transfers, etc. Hey, maybe the simple one is freeware and fancy one is for sale. What do you think?

riley
 
riley said:
Hey, maybe the simple one is freeware and fancy one is for sale. What do you think?

I think go with it! You've got a great script in the works, many people will find it useful, if you can get a couple bucks for your time, why not do it?

Good luck, if I can help in any way, let me know. Also, let me know when you have something done, I'd like to check it out.
 