Update IIS 6 IP Restrictions using command line

Posted 2019-09-04 03:20

Question:

I found the command line below that is used to add IP addresses to restrict in IIS 7

appcmd set config /section:ipsecurity /+"[ipaddress='10.0.0.1',allowed='false']"

Is there an equivalent command for IIS 6?

Thanks!

Answer 1:

No, there's no built-in Windows command to do it. You can find evidence of scripts that people have written to mitigate for this.

Ultimately, you want to modify a metabase entry called IPSecurity. Here's the thing: this IPSecurity entry can be set up at the top level (W3SVC service) all of the way down to individual files. So, you can define security for any of:

  • Service
  • Site
  • VDir
  • Folder
  • File

The example in your question is service-wide, so you'd want to target IIS://localhost/W3SVC. If you wanted to configure only the default website, you'd target IIS://localhost/W3SVC/1/Root.

Once you know what level you want to modify, you need to identify what the course of action is for a matching IP. You clearly want to block. That means you'll need to modify the IPDeny List.

Now you just need to write a script in the language of your choice that connects to the metabase via ADSI and modifies the IPDeny list to include the additional IP.

I've modified the one from the MSDN page to take an argument:

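  Dim SecObj 
  Dim MyIPSec 
  Dim IPList 

  ' Bind to the service-wide metabase node and read its IPSecurity object
  Set SecObj = GetObject("IIS://LocalHost/W3SVC") 
  Set MyIPSec = SecObj.IPSecurity   
  ' The IPDeny list is only consulted when access is granted by default
  If (FALSE = MyIPSec.GrantByDefault) Then 
     MyIPSec.GrantByDefault = TRUE 
  End If 

  ' The IP address to block is the first command-line argument
  if WScript.Arguments.Count = 0 then
     WScript.Echo "Missing IP Address"
     WScript.Quit(1)
  end if

  ' WScript.Echo "Adding "  & WScript.Arguments(0)

  ' Grow the existing deny list by one slot and append the new address
  IPList = MyIPSec.IPDeny 
  Redim Preserve IPList (Ubound(IPList)+1) 
  IPList (Ubound(IPList)) = WScript.Arguments(0)

  ' Write the list back and commit the change to the metabase
  MyIPSec.IPDeny = IPList 
  SecObj.IPSecurity = MyIPSec 
  SecObj.Setinfo 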

If you save this as blockip.vbs, you can call it with:

wscript blockip.vbs 10.0.0.1

FYI, this works fine with IIS6, but works once, then fails after the list exists, on Win7 (IIS 7.5).
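
A more defensive variant of the same ADSI approach, added here as an example and not part of the original answer: it validates the IPv4 argument, accepts an optional metabase path (service or site level), skips addresses already on the list, and refuses to flip a deny-by-default node to grant-by-default, since doing so would replace an allow-list policy with an open one. The file name `blockip-safe.vbs` is hypothetical, and the duplicate check assumes existing entries are stored as `ip` or `ip, mask` strings.

```vbscript
' Added example; run with: cscript //nologo blockip-safe.vbs <ipv4> [adsi-path]
Option Explicit

' True only for dotted-quad IPv4 with every octet in 0..255
Function IsIPv4(s)
  Dim re, m, i
  IsIPv4 = False
  Set re = New RegExp
  re.Pattern = "^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$"
  Set m = re.Execute(s)
  If m.Count = 0 Then Exit Function
  For i = 0 To 3
    If CInt(m(0).SubMatches(i)) > 255 Then Exit Function
  Next
  IsIPv4 = True
End Function

Dim ip, path, obj, sec, list, i
If WScript.Arguments.Count = 0 Then
  WScript.Echo "Usage: cscript blockip-safe.vbs <ipv4> [adsi-path]"
  WScript.Quit 1
End If
ip = Trim(WScript.Arguments(0))
If Not IsIPv4(ip) Then
  WScript.Echo "Not a valid IPv4 address: " & ip
  WScript.Quit 1
End If
path = "IIS://localhost/W3SVC"   ' service-wide, as in the answer above
If WScript.Arguments.Count > 1 Then path = WScript.Arguments(1)

Set obj = GetObject(path)
Set sec = obj.IPSecurity
' On a deny-by-default node the allow list is in force; do not silently open it up
If Not sec.GrantByDefault Then
  WScript.Echo path & " is deny-by-default; not changing it. Review its policy first."
  WScript.Quit 2
End If
list = sec.IPDeny
For i = 0 To UBound(list)
  ' Assumption: entries look like "ip" or "ip, mask"; compare the address part only
  If Trim(Split(list(i) & ",", ",")(0)) = ip Then
    WScript.Echo ip & " is already denied at " & path
    WScript.Quit 0
  End If
Next
ReDim Preserve list(UBound(list) + 1)
list(UBound(list)) = ip
sec.IPDeny = list
obj.IPSecurity = sec
obj.SetInfo
WScript.Echo "Denied " & ip & " at " & path
```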