VBScript: Windows XP/IIS 5.1 DOES Support Denying Access by IP Addresses

In helping a visitor to troubleshoot running my IIS FTP ban script, I realized that while XP makes it appear as though it doesn’t support banning users by IP address, it actually does provide that support; you just have to ban the IPs programmatically.

Here, you can see that the IP address and domain name restrictions section is greyed out. However, you can use the following VBScript to enable the restrictions and ban users in IIS’ Default Web Site. The first script listed does the following:

1. Ensures that GrantByDefault is set to true (which is the default anyway)
2. Bans a few example IP addresses
3. Confirms the addresses were successfully banned

Ban-a-rama

strComputer = "localhost"
arrBanTheseIPs = Array("10.0.0.200","42.42.42.42")

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

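'GrantByDefault = True: everyone is allowed except the addresses in IPDeny
objIPRestrict.GrantByDefault = True
'Setting IPDeny replaces the entire deny list with this array
objIPRestrict.IPDeny = arrBanTheseIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo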

WScript.Echo "The following IP addresses are now banned:"
arrDeniedIPs = objIPRestrict.IPDeny
for i = 0 to Ubound(arrDeniedIPs)
  WScript.Echo arrDeniedIPs(i)
next

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

To delete all previously banned IPs, use the following code, which overwrites the whole deny list with one invalid IP.

Mass Unban

strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

objIPRestrict.GrantByDefault = True
objIPRestrict.IPDeny = Array("0.0.0.0")
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

If you find yourself needing to unban a single IP address, you can use the following code, which gathers all the banned IPs except the one you want to delete and re-bans them (IPDeny requires a full list each time you set it).

Unban One IP

strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

strUnbanSingleIP = "10.0.0.200"
arrIPAddresses = objIPRestrict.IPDeny

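For i = 0 To UBound(arrIPAddresses)
  'Entries come back as "IP, subnet"; keep only the IP part
  intComma = InStr(arrIPAddresses(i), ",")
  If intComma > 0 Then
    strClientIP = Trim(Left(arrIPAddresses(i), intComma - 1))
  Else
    strClientIP = Trim(arrIPAddresses(i)) 'no comma: Left(..., -1) would raise an error
  End If
  If strClientIP <> strUnbanSingleIP Then
    If Len(strStillBanned) = 0 Then
      strStillBanned = strClientIP
    Else
      strStillBanned = strStillBanned & "," & strClientIP
    End If
  End If
Next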

If Len(strStillBanned) = 0 Then strStillBanned = "0.0.0.0" 'just in case it was the only one
arrStillBannedIPs = split(strStillBanned,",")

objIPRestrict.IPDeny = arrStillBannedIPs
objWebSite.IPSecurity = objIPRestrict
objWebSite.SetInfo

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

If your script is successful, banned users will see the following message:

You are not authorized to view this page

HTTP 403.6 – Forbidden: IP address rejected

To show all of the IPs that are currently banned, run the following script:

View Banned IPs

strComputer = "localhost"

'Set Objects
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/1")
Set objIPRestrict = objWebSite.IPSecurity

arrDeny = objWebSite.Get("IPSecurity").IPDeny
   For i = 0 to Ubound(arrDeny)
      strBannedIPs = strBannedIPs & arrDeny(i) & vbCrlf
   Next

   If len(strBannedIPs) > 0 Then
      msgbox "IP, Subnet: " & vbCrLF & strBannedIPs
   Else
      msgbox "No IPs have been banned."
   End if

'Kill Objects
Set objIPRestrict = Nothing
Set objWebSite = Nothing

While I haven’t tested it, the same scripts should work if you want to deny all IPs except those explicitly listed. To do so, simply set objIPRestrict.GrantByDefault to False and replace the above mentions of IPDeny with IPGrant. Same goes for MSFTPSVC — if you want to modify the FTP service settings, just change the above instances of “W3SVC” to “MSFTPSVC”.
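
Ban-a-rama assigns its array straight to IPDeny, and because IPDeny takes the full list each time it is set, that discards anything banned earlier. The script below is an added example, not part of the original post: it merges new addresses into the existing deny list, keeps existing entries exactly as IIS returned them, drops the 0.0.0.0 placeholder that Mass Unban writes, and skips malformed input. The sample addresses are constructed, and the helper names IPPart and IsIPv4 are introduced here.

```vbscript
Option Explicit
Const SITE_PATH = "IIS://localhost/W3SVC/1"  'same metabase path as the scripts above
Const PLACEHOLDER = "0.0.0.0"                 'dummy entry written by Mass Unban
Dim objWebSite, objIPRestrict, dictDeny, dictSeen, arrCurrent, arrNew, strIP, i
arrNew = Array("10.0.0.200", "42.42.42.42", "not.an.ip")  'constructed sample input

Set objWebSite = GetObject(SITE_PATH)
Set objIPRestrict = objWebSite.IPSecurity
Set dictDeny = CreateObject("Scripting.Dictionary")  'entries to write back
Set dictSeen = CreateObject("Scripting.Dictionary")  'IP parts already listed

'Keep each existing entry exactly as IIS returned it, minus the placeholder
arrCurrent = objIPRestrict.IPDeny
If IsArray(arrCurrent) Then
  For i = 0 To UBound(arrCurrent)
    strIP = IPPart(arrCurrent(i))
    If strIP <> PLACEHOLDER Then
      dictDeny(arrCurrent(i)) = arrCurrent(i)
      dictSeen(strIP) = True
    End If
  Next
End If

'Add the new addresses, skipping malformed ones and ones already listed
For i = 0 To UBound(arrNew)
  strIP = Trim(arrNew(i))
  If Not IsIPv4(strIP) Then
    WScript.Echo "Skipped (not an IPv4 address): " & strIP
  ElseIf Not dictSeen.Exists(strIP) Then
    dictDeny(strIP) = strIP
    dictSeen(strIP) = True
  End If
Next

If dictDeny.Count > 0 Then
  objIPRestrict.IPDeny = dictDeny.Items  'full merged list, written in one assignment
  objWebSite.IPSecurity = objIPRestrict
  objWebSite.SetInfo
  WScript.Echo "Deny list now holds " & dictDeny.Count & " entries."
End If

Function IPPart(strEntry)  'text before the comma in "IP, subnet", else the whole entry
  IPPart = Trim(Split(strEntry & ",", ",")(0))
End Function
Function IsIPv4(strIP)  'four dot-separated decimal octets, each 0-255
  Dim objRe
  Set objRe = New RegExp
  objRe.Pattern = "^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$"
  IsIPv4 = objRe.Test(strIP)
End Function
```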

Posted in IIS, Security, VBScript
11 comments on “VBScript: Windows XP/IIS 5.1 DOES Support Denying Access by IP Addresses”
  1. You can use “MSFTPSVC” in place of “W3SVC” but you need /Root at the end. So it would look like “/MSFTPSVC/1/Root”.

    I also can’t get them to take effect on the FTP service until you reboot it. Any ideas?

    Just thought I would give you a heads up.

    Love the scripts! Thanks.

  2. Chrissy says:

    HMMMMMMMMMMMM We’ve been wondering about that for awhile, Justin. Does it work after a reboot or a restart?

    Chrissy

  3. Kai Robinson says:

    Thanks for this! It stopped two people from hammering my server, neither of which had the address given to them by me! They’re still hammering it at 3 second intervals, but get denied..the IIS logs are going to be rather large….

  4. Justin says:

    I ended up buying Bullet Proof FTP server and replaced IIS FTP service with it. This script would have been the key but I couldn’t risk restarting the IIS FTP service every time someone decided to hack. We use FTP’d files to automate importing from other systems and I didn’t want to risk dropping the service when another legitimate system was on.

    Bottom line I invested the $39 bucks for a license and problem solved. Well worth it.

    :)

  5. Steven S says:

    Does anyone know if these scripts work with the large banning script Chrissy published. Example, I run the large banning script and it bans an IP. Will the showban script here show this as banned? I will admit I am very illiterate to scripts, but catching up fast.

    I am using Win XP pro IIS 5.1 and wondering if these scripts work with the large script that does things automatically. IIS 5.1 FTP in win XP pro does not have directory security for ftp’s. I would like to see if any get banned. Is there a way to do this?

    I am forever indebted to the person who published this! My site was being hammered from locations in China frequently until I found this.

    As for Justin’s comment on the /root thing. I get errors! But, when following Chrissy’s directions at the end all worked great!

    Later

  6. Theo says:

    Hi Chrissy, I’ve been using the ban script for 7 months now on XP with IIS. I’m very very happy with it! I’ve gotta question about the Ban-a-rama. I was wondering if it is possible to ban whole ip-ranges with Ban-a-rama? (like whole china, heheh… :)

    Thnx again for your wonderful script!

  7. Steven S says:

    After some time running the banftpips.vbs in win XP pro IIS 5.1 it stopped a hacker ip after the second try. Awesome.

    To show the banned ips I had to use the script posted in the banftpips script replies April 6th, 2007 at 8:51 am. Only difference between that vbs and the one above is the one above has a /1 after the msftpsvc. Not sure what the diff. is?
    Maybe someone can tell me.

    Excellent, Excellent, Excellent! five stars.

    Later Steven

  8. jessica_love says:

    i have a problem…can u help me pls….can someone ban a site with a vbs file….someone send me a vbs file and y just double click`it …nothing is happend….but now i cannot access a site….the site is http://www.silkroadonline.net i can access anything…but this site no…when i enter this site it say`s something like…”the page cannot be displayed…or …Network failure” … if u know something please help me….send me a e-mail….thanks!!!

  9. Les F. says:

    These work great but I was wondering if anyone has been able to get equivalent scripts written in Perl? The Windows Server Cookbook has a similar Perl script but it does not work for some reason.

  10. Zaw says:

    I tried to use “mass unban” and “Unban One IP” but not working on my Windows 2003 server standard edition sp1. No errors pop up after executing .vbs. No changes at FTP directory security. Any suggestion will be appreciated!…thanks!!

  11. SeniorTech says:

    Awesome! FINALLY a way to lock out unwanted hits! Very nicely done. Thanks
