Re: ISA - Block External IP from Accessing Server
- From: Bernie Hunt <bhunt@xxxxxxxxxxxxx>
- Date: Wed, 20 Dec 2006 11:50:12 +0000 (UTC)
Dana,
Thanks for the quick reply! This has cut the traffic by a magnitude of over 1,000. Thanks!
While we are on the subject, is there a protocol that can be used to block all incoming requests from an IP? Under protocols I see an All Outbound and All Out Except, but I don't see an All Inbound. Any suggestions?
Lastly, I agree that the general operation of blacklisting is a continuously losing process. I'm just using this for the grossest offenders. Which oddly enough seem to be Linux boxes that the users haven't set up correctly and got hacked.
Bernie
Hey Bernie,
You just need to build a rule that meets these requirements. Before I
give you instructions on how to do this, I want to remind you that
trying to defend against attackers using blacklisting is not as
effective as whitelisting. In other words, you are better off blocking
ALL access to that service except for those people who absolutely need
it. This helps to reduce the attack surface of your server by
eliminating any foreign host from accessing your system unless
explicitly allowed. The security principle of least privilege comes
into play here.
With that said, here is what you could do to quickly make a firewall
rule for your needs:
* Open up the ISA Server Management Console
* Select the "Firewall Policy" tree-node on the left side of the
window
* Highlight the first rule in the set of policies
* On the right side of the window under "Firewall Policy Tasks" click
"Create a new Access Rule"
* Enter a friendly name. As an example "Block certain IPs FTP access".
Click Next
* Set the rule action to Deny. Click Next
* Change the drop down to "Selected Protocols".
* Click the Add button. Expand the "All Protocols" tree and select
"FTP". Click Add. Click Next.
* For Access Rule Source, Click Add, and provide the IP addresses of
the sources you wish to block. Normally these would be under the
"Computers" section. When done adding the hosts you want to block,
click Next.
* For Access Rule Destination, Click Add, expand Networks and select
"Local Host". Click Next.
* For User Sets, make sure All users is present. Click Next.
* Verify the final settings, and then hit Finish.
* Hit the Apply button to update the firewall.
There you have it. Because ISA applies its rules in ascending order
and the rule is at the top, it will match your attacker quickly and
drop them before any other rule is processed.
Again, I can't stress enough that this isn't as effective a policy as
going the other way. Instead of setting a DENY action, set an ALLOW
action and provide the source IP of those hosts you WANT to access the
FTP server. Then create a second rule right after it that has an
action of DENY and blocks all other connections. In this way... you
prevent all access unless explicitly allowed... a much safer firewall
policy.
As a side note, by default there is already an SBS FTP policy. You
could simply change the Source from "External" to a specific set of
IPs and block all other access. Just a thought.
HTH. Good luck.
---
Regards,
Dana Epp [Microsoft Security MVP]
"Bernie Hunt" <bhunt@xxxxxxxxxxxxx> wrote in message
news:5f5eff823c67a8c8f08e87978e63@xxxxxxxxxxxxxxxxxxxxx
I have an SBS server that is being attacked from specific external
IPs. What rule do I need to write to block the external access
without shutting down all of the business.
I'd like to be able to block a specific IP from specific ports. For
example, block 123.456.789.123 from getting to the ftp server on port
21.
Thanks for any help you can give.
Bernie
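The rule-ordering and allow-list reasoning in Dana's reply, worked through as an added example that is not part of the original thread and is not ISA Server code: a small Python model of first-match policy evaluation. The server address, the blocked hosts, the partner network and the sample connections are all constructed (documentation address ranges), and the two rule sets correspond to the "deny listed IPs, allow everyone else" procedure and the "allow listed IPs, deny everyone else" alternative described above. The fallback "Default rule" mirrors ISA's built-in last rule that denies whatever nothing else matched.

```python
"""Model of first-match firewall policy evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses from the documentation ranges; not real hosts.
LOCAL_HOST = (ip_network("192.0.2.10/32"),)      # stands in for ISA's "Local Host"
EXTERNAL = (ip_network("0.0.0.0/0"),)            # stands in for ISA's "External" network
BLOCKED = (ip_network("198.51.100.23/32"),       # the "grossest offenders"
           ip_network("198.51.100.77/32"))
PARTNERS = (ip_network("203.0.113.0/24"),)       # hosts that genuinely need FTP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]  # None means all protocols
    sources: Tuple                       # tuple of ip_network
    destinations: Tuple                  # tuple of ip_network


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def evaluate(policy: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches, top to bottom.

    Nothing below the first match is consulted, which is why a deny rule
    placed at the top catches the attacker before any allow rule runs.
    """
    for rule in policy:
        if rule.protocols is not None and proto not in rule.protocols:
            continue
        if not _in_any(src, rule.sources) or not _in_any(dst, rule.destinations):
            continue
        return rule.action, rule.name
    return "deny", "Default rule"      # ISA's implicit last rule


def blacklist_policy() -> List[Rule]:
    """Dana's quick fix: deny the known offenders, keep the SBS FTP rule open."""
    return [
        Rule("Block certain IPs FTP access", "deny", frozenset({"FTP"}), BLOCKED, LOCAL_HOST),
        Rule("SBS FTP", "allow", frozenset({"FTP"}), EXTERNAL, LOCAL_HOST),
    ]


def allowlist_policy() -> List[Rule]:
    """Dana's recommendation: allow only who needs FTP, then deny the rest."""
    return [
        Rule("Allow partner FTP", "allow", frozenset({"FTP"}), PARTNERS, LOCAL_HOST),
        Rule("Deny all other FTP", "deny", frozenset({"FTP"}), EXTERNAL, LOCAL_HOST),
    ]


# Constructed sample traffic: (protocol, source, destination).
CONNECTIONS = [
    ("FTP", "198.51.100.23", "192.0.2.10"),    # known offender
    ("FTP", "203.0.113.5", "192.0.2.10"),      # legitimate partner
    ("FTP", "192.0.2.200", "192.0.2.10"),      # never-seen-before host
    ("HTTP", "198.51.100.23", "192.0.2.10"),   # same offender, a protocol no rule covers
]


def decisions(policy: List[Rule]) -> dict:
    """Map (protocol, source) to the action the policy takes for it."""
    return {(p, s): evaluate(policy, p, s, d)[0] for p, s, d in CONNECTIONS}


if __name__ == "__main__":
    for label, policy in (("blacklist", blacklist_policy()),
                          ("allowlist", allowlist_policy()),
                          ("blacklist, deny rule moved below allow", list(reversed(blacklist_policy())))):
        print(f"== {label} ==")
        for p, s, d in CONNECTIONS:
            action, rule = evaluate(policy, p, s, d)
            print(f"  {p:4} from {s:15} -> {action:5} ({rule})")
```

The third run shows the ordering point from the reply: with the deny rule placed after "SBS FTP", the offender matches the allow rule first and the block never fires. The never-seen-before host is the difference between the two policies: the blacklist lets it through until someone notices it, the allow list denies it by default.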