Web Connection
Web Connect Admin Page IP Blacklisting
Web Connect Admin Page IP Blacklisting
  Scott R
  All
  Feb 18, 2019 @ 07:06am

Rick,

I couldn't see anything in the docs, but is there any way to have web connect blacklist an IP after say 3 (or preferably a variable I can set) failed login attempts to the admin page(s)? It would then 'un-blacklist' after say 24-48 hours.

Since we are using your 'auto-update' (upload exe and then hotswap the exes) to apply updates I'd like to make sure people can't force their way into our servers and put a malicious exe on the box and swap it out. Yes, I know they'd have to know all of the URLs, etc. but would still like this ability.

That being said, we'd also need a way to whitelist IPs so if I mistype the password, I don't blacklist our office public IP (which is static) on the server.

Is there anything like this in web connect already that I'm missing as I read through your docs online?

Thanks,

Scott

re: Web Connect Admin Page IP Blacklisting
  Harvey Mushman
  Scott R
  Feb 18, 2019 @ 10:39am

I think you have to handle this sort of behavior yourself. Rick might have a better suggestion, but it is my understanding you could use the wwRequest class function GetIpAddress.

Because it sounds from your writing like the user to blacklist or whitelist is entering their data into a form you present, I would think the session might be a place to track the failed attempts and reset after the timeout has passed.

re: Web Connect Admin Page IP Blacklisting
  Scott R
  Harvey Mushman
  Feb 18, 2019 @ 11:58am

Harvey,

Normally I would agree with your response and I have no problem handling it myself. However, what I'm talking about is the admin pages / functions built in to web connect that I have no control over. i.e. mydomain.com/admin/admin.aspx

As far as I know these are handled via .Net side / Rick and not something I can change / enhance.

Thanks,

Scott

re: Web Connect Admin Page IP Blacklisting
  Rick Strahl
  Scott R
  Feb 18, 2019 @ 01:44pm

There's no support for that built-in. The admin links use Windows Authentication and the authentication itself can't be intercepted. Only the result afterwards.

The problem in the Web Connection core is that it itself doesn't have any data storage that is used, so tracking logins and lists adds a bunch of overhead that Web Connection as a system component does not have at the moment.

I suspect if you look around you can probably find an IIS Administration add on that provides that functionality globally to IIS.

But... I wouldn't count on that working. If there's organized hacking to attack your site, requests will almost certainly be coming from different IP addresses for each request. Spoofed attacks or server farms never use the same address or at least not for more than a few requests.

Ultimately the best way to address this is with a solid password policy - long, cryptic passwords that are rotated on a regular basis.

+++ Rick ---
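
Added example, not part of the thread and not Web Connection code: because the Windows Authentication result is only visible after the fact, this Python example reads it from IIS W3C log lines and applies the rule asked for in the first post (N failed logins, timed expiry, whitelist). The log lines are constructed, and the function name `blocked_ips`, the 15-minute counting window and the status codes treated as a rejected logon are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: sc-win32-status values logged with 401.1 for a rejected logon
# (1326 = ERROR_LOGON_FAILURE, 2148074252 = SEC_E_LOGON_DENIED). The 401.2 and
# 401.1/2148074254 lines are the normal handshake and must not be counted.
LOGON_FAILED = {"1326", "2148074252"}

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2019-02-18 07:00:01 /admin/admin.aspx 203.0.113.7 401 2 5
2019-02-18 07:00:01 /admin/admin.aspx 203.0.113.7 401 1 2148074254
2019-02-18 07:00:02 /admin/admin.aspx 203.0.113.7 401 1 2148074252
2019-02-18 07:00:09 /admin/admin.aspx 203.0.113.7 401 1 2148074252
2019-02-18 07:00:15 /admin/admin.aspx 203.0.113.7 401 1 2148074252
2019-02-18 07:01:00 /admin/admin.aspx 198.51.100.20 401 1 2148074252
2019-02-18 07:01:05 /admin/admin.aspx 198.51.100.20 401 1 2148074252
2019-02-18 07:01:09 /admin/admin.aspx 198.51.100.20 401 1 2148074252
2019-02-18 07:02:00 /admin/admin.aspx 192.0.2.55 401 1 2148074252
"""

def blocked_ips(log_text, now, max_failures=3, window=timedelta(minutes=15),
                block_for=timedelta(hours=24), whitelist=(), prefix="/admin/"):
    """Return {ip: block_expiry} for IPs still blocked at `now`."""
    fields, recent, blocked = [], defaultdict(deque), {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order comes from the log
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        ip = row.get("c-ip")
        if (ip in whitelist or row.get("sc-status") != "401"
                or row.get("sc-substatus") != "1"
                or row.get("sc-win32-status") not in LOGON_FAILED
                or not row.get("cs-uri-stem", "").lower().startswith(prefix)):
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:           # forget failures outside the window
            hits.popleft()
        if len(hits) >= max_failures:
            blocked[ip] = ts + block_for       # block runs from the last failure
            hits.clear()
    return {ip: until for ip, until in blocked.items() if until > now}
```

The function only returns the list of addresses and expiry times; applying it, for example through IIS IP restrictions or a firewall rule, is outside this example.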
