Block IP Addresses In HttpModule

Question

I have taken over a domain that had was running an old version of Community Server. Needless to say the bots are spamming me trying to find holes.

I'd like to block entire IP blocks before System.Web.HttpRequest.ValidateInputIfRequiredByConfig() is fired. I have a IHttpModule that I have tried but I assume it's getting called after because HealthMonitoring is catching the Exceptions. Here is the module:

 public class IpBlockerModule : IHttpModule
{
    private static readonly string[] Hacks = new[]
                                                 {
                                                     "60.169.73.",
                                                     "60.169.75.",
                                                     "61.160.232.",
                                                     "61.160.207.",
                                                     "92.85.161."
                                                 };

    public void Dispose()
    {

    }

    public void Init(HttpApplication context)
    {
        context.BeginRequest += (Application_BeginRequest);
    }

    private void Application_BeginRequest(object source, EventArgs e)
    {
        var context = ((HttpApplication) source).Context;
        var ipAddress = context.Request.UserHostAddress;

        if (!IsHackIpAddress(ipAddress))
        {
            context.Response.StatusCode = 403; // (Forbidden)
        }
    }

    private static bool IsHackIpAddress(string ip)
    {
        if (ip == null) return true;

        return Hacks.Any(x => x.StartsWith(ip));
    }
}

And the relevent web.config sections:

<system.web>
    <httpModules>
      <add name="IpBlockerModule" type="MyNameSpace.IpBlockerModule" />
    </httpModules>    
</system.web>

<system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true" >
      <add name="IpBlockerModule" type="MyNameSpace.IpBlockerModule" preCondition="" />
    </modules>   
</system.webServer>

The reasoning behind this is my inbox is getting spammed from all the

A potentially dangerous Request.Path value was detected from the
client

and

 A potentially dangerous Request.Form value was detected from the client

notifications. Is something wrong with my Module, or am I correct in assuming modules don't get fired until after the fact?

Answer 1

As an alternative solution have you considered letting IIS do the work for you? This way the request never makes it to your application. You can do this via the web.config and there's an article detailing the process located here. The following example is copied directly from that article and would be placed inside the <system.webServer> section of your web.config:

<security>
    <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->            
       <clear/>     <!-- removes all upstream restrictions -->                
       <add ipAddress="83.116.19.53"/>     <!-- blocks the specific IP of 83.116.19.53  -->                
       <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!--blocks network 83.116.119.0 to 83.116.119.255-->                
       <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!--blocks network 83.116.0.0 to 83.116.255.255-->                
       <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!--blocks entire /8 network of 83.0.0.0 to 83.255.255.255-->                
   </ipSecurity>
</security>

Answer 2

You can also add the ability to get and log IP addresses so as to identify and block only the spammy ones.

Here's C# code to get IP addresses

string ipadd;
ipadd = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (ipadd == "" || ipaddress == null)
    ipadd = Request.ServerVariables["REMOTE_ADDR"];

I noticed that the link in the answer above is dead, so use this well-detailed article here