A
A
Andrey Kamynin2020-03-02 09:09:02
PowerShell
Andrey Kamynin, 2020-03-02 09:09:02

How to block external IP addresses by time in IIS 7.5?

Hello!
Please tell me if there are any tools with which you can solve the problem of blocking external ip addresses in IIS 7.5 in a regular manner in a certain period of time.
So far I see the way to create a task through RequestFiltering / Rules or IP addresses and Domain Restriction (it is possible to specify an ip pool to block). But I can't find a solution for time binding.
For example, does PowerShell have methods for accessing the RequestFiltering/Rules snap-in? Then simply through a sheduler would connect the schedule.
(perhaps the chosen path is fundamentally wrong / suboptimal, so I will be grateful for valuable advice).
Thank you for your attention!
UPD: Many thanks for the advice, I had to listen but look for another solution, because. there are several sites on the host, and I'm not sure that I can correctly solve the problem using WinFirewall. IIS should respond to queries in the future (I don't know how yet).
But the current solution looks like a trace. way for a specific site:

# Добавляем блок. правило разрешающее доступ для сети 10.0.0.0/8
Add-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location "test-web" -Name "." -Value @{ipAddress="10.0.0.0";allowed="true";subnetMask="8"} -ErrorAction Stop
# Запрещаем все, что не разрешено
Set-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -Name allowUnlisted -Value False -Location "IIS:\Sites\test-web"
# Дебаг/проверка отработки правила (ждем после применения 5 мин., далее откат)
Wait-Event -Timeout 300
# Удаление разр. правила
Remove-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location "test-web" -Name "."
# Смена настройки на разрешено все, что не запрещено.
Set-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -Name allowUnlisted -Value True -Location "IIS:\Sites\test-web"

Clarification: we use the configuration: IP addresses and Domain Restriction, it is necessary to enable the component on the "Add-PSSnapin WebAdministration" server.

Answer the question

In order to leave comments, you need to log in

3 answer(s)
V
Vladimir Korotenko, 2020-03-02
@firedragon

What router do you have? Might be worth it to do it?
https://habr.com/ru/post/81396/
There, in the ACL, you can specify the working time interval
or create rules using the shiduler, see the end of the file
https://docs.microsoft.com/en-us/iis/configuration. ..

X
xmoonlight, 2020-03-02
@xmoonlight

I write the solution in the "forehead" as a last resort.
We put the cron++ program and execute any commands or shell script at the specified time (by events, etc.).
We write firewall rules in two different bat/cmd files and run them when you need to enable or disable access.

A
Alexey Dmitriev, 2020-03-02
@SignFinder

Powershell allows you to manage Windows Firewall.
Accordingly, put scripts in the task scheduler that create or enable and remove or disable the corresponding blocking rules.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question