Request Filtering on IIS8

filtering headers does not work

         

dstiles

8:48 pm on Sep 25, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've spent some time on this. Every site going tells you how to use Filtering Rules but no one actually tells you how to really do it. I'm probably missing something but...

I'm trying to establish a server-wide rule to avoid having to add and maintain a common denial of access. Sites and general usage are Classic ASP but .NET is enabled (and required, I think, for general server setup).

Under the Server in the IIS manager I have opened the Request Filtering option. I then added a new Rule, named it and entered a Header under Scan Headers. I specifically entered HTTP_REFERER (tried variations with and without HTTP but no difference).

Under File Extensions I tried ASP and blank.

Under Deny Strings I entered: *example.com*

Restarted IIS.

The intention was to prevent bots with Referers containing example.com from accessing any of the sites on the server. I still get the accesses in the logs. I know the bots are loading web pages because other logs say so.

I accept I'm probably doing something wrong, but what?

Ocean10000

12:40 am on Sep 26, 2014 (gmt 0)


Try the following (I only removed the *stars*), which worked on my test machine when I set the referrer to "http://example.com/Links/".


<security>
  <requestFiltering>
    <filteringRules>
      <filteringRule name="Example.com" scanUrl="false" scanQueryString="false">
        <scanHeaders>
          <add requestHeader="Referer" />
        </scanHeaders>
        <denyStrings>
          <add string="example.com" />
        </denyStrings>
      </filteringRule>
    </filteringRules>
  </requestFiltering>
</security>

dstiles

6:38 pm on Sep 26, 2014 (gmt 0)


Thanks.

That is a direct editing of a file, but which file? If it's web.config then that is site-only, not server-wide. I'm trying to avoid the addition and maintenance of several dozen site files by pushing the test to the server, which should work.

I've looked at the file altered by Request Filtering - applicationHost.config - and get the following:

<filteringRules>
  <filteringRule name="Block Referer" scanUrl="false" scanQueryString="false">
    <scanHeaders>
      <clear />
      <add requestHeader="HTTP_REFERER" />
    </scanHeaders>
    <denyStrings>
      <clear />
      <add string="*example.com*" />
    </denyStrings>
    <appliesTo>
      <clear />
    </appliesTo>
  </filteringRule>
</filteringRules>

Ocean10000

6:46 pm on Sep 26, 2014 (gmt 0)


applicationHost.config <-- applies to all websites hosted on that server, correct. I included more in my cut and paste to make it easier for you to find where to insert the change.

swap
<add requestHeader="HTTP_REFERER" />
with
<add requestHeader="Referer" />

and swap
<add string="*example.com*" />
with
<add string="example.com" />

in your applicationHost.config, and it should work for you.
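
As an added example (not part of the thread and not Microsoft tooling), a small Python linter that checks `filteringRule` entries for the two things the fix above changed: a server-variable name such as `HTTP_REFERER` in `scanHeaders`, and asterisks wrapped around a `denyStrings` value. The helper name `audit` is hypothetical, and the embedded sample is constructed from the rule posted earlier in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the server-wide rule as first posted in this thread.
SAMPLE_BEFORE = """<requestFiltering>
  <filteringRules>
    <filteringRule name="Block Referer" scanUrl="false" scanQueryString="false">
      <scanHeaders>
        <add requestHeader="HTTP_REFERER" />
      </scanHeaders>
      <denyStrings>
        <add string="*example.com*" />
      </denyStrings>
    </filteringRule>
  </filteringRules>
</requestFiltering>"""


def audit(xml_text, fix=False):
    """Return (findings, xml). Each finding is (rule, attribute, found, suggested).

    `audit` is a hypothetical helper name, not an IIS or Microsoft API.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("filteringRule"):
        name = rule.get("name", "<unnamed>")
        for add in rule.findall("./scanHeaders/add"):
            header = add.get("requestHeader", "")
            # HTTP_REFERER is the server-variable spelling; the thread's fix
            # uses the header name as sent in the request: Referer.
            if header.upper().startswith("HTTP_"):
                wire = "-".join(p.capitalize() for p in header[5:].split("_"))
                findings.append((name, "requestHeader", header, wire))
                if fix:
                    add.set("requestHeader", wire)
        for add in rule.findall("./denyStrings/add"):
            value = add.get("string", "")
            # The thread's fix drops the surrounding asterisks from the deny string.
            if value != value.strip("*"):
                findings.append((name, "string", value, value.strip("*")))
                if fix:
                    add.set("string", value.strip("*"))
    return findings, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, fixed = audit(SAMPLE_BEFORE, fix=True)
    for rule, attr, bad, good in found:
        print(f"{rule}: {attr}={bad!r} -> {good!r}")
    print(fixed)
```

Run it against a copy of the `<requestFiltering>` section rather than the live applicationHost.config, and review the suggested header name before applying it, since the `HTTP_` conversion is a naming heuristic.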

dstiles

7:31 pm on Sep 26, 2014 (gmt 0)


Hmm. I tried "Referer" but kept the *s, which seemed reasonable. But I keep forgetting it's not Linux. :)

I'll give it a try. Could be a few days before it strikes again. Thanks for the input. :)

To be on the safe side I restarted the server, though I think that should be unnecessary.

Ocean10000

9:28 pm on Sep 26, 2014 (gmt 0)


Glad to be of help.

Microsoft just assumes the * around them automatically.

dstiles

7:25 pm on Sep 27, 2014 (gmt 0)


My imperative for the asterisks was info gleaned from several sites that showed how to add Headers processing on a per-site basis.

I'll try to remember to post back the results of this.

dstiles

8:06 pm on Sep 30, 2014 (gmt 0)


Thanks for the help, Ocean. No hits logged for the offending referer since I last posted so either the bot has coincidentally stopped or the fix works. :)

Ocean10000

9:51 pm on Sep 30, 2014 (gmt 0)


Glad I could be of help. I know how annoying some bots can be. Especially the ones looking to spam your logs with fake referrers.