  #1 (permalink)  
Old 01-11-2007, 15:50
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628
How to Block IPs Using Windows IPSec

Hello All,

Here is something that I would like to share with everyone, and it is quite rare to find. This tutorial will show how to block IPs on a Windows server without a firewall, using IPSec:

Click 'Start' > 'Run' > type 'MMC' and press 'OK'.

In the console click 'File' > 'Add/Remove Snap-in'.

In the 'Standalone' tab click the 'Add' button.

Select 'IP Security Policy Management' > 'Add' > 'Local Computer' > 'Finish' > 'Close' > 'OK'.

You should now be back to the console.

In the left frame right click 'IP security policies on local computer' > 'Create IP security policy'

Click Next and then name your policy 'Block IP' and type a description.

Click 'Next' then leave 'activate' ticked then click 'Next'

Leave 'Edit properties' ticked and click 'Finish'.

You should now have the properties window open.

Click 'ADD' then click 'Next' to continue.

Leave 'This rule does not specify a tunnel' selected and click 'next'

Leave 'all network connections' selected and click 'next'

You should now be on the IP filter list. You need to create a new filter, so don't select any of the default ones. Click 'ADD'

Type a Name for your list, call it 'IP block list'
Type a description in, can be same as name.
Click 'ADD' then click 'Next' to continue.

In the description box type a description. As it's the first IP you are blocking, call it 'IP1' or 'IP Range 1'.
Leave ticked the 'Mirrored. Match packets with the exact opposite source and destination addresses'
Click 'Next'

The 'Source address' should be left as 'My IP address' click 'Next'

You can now select 'A Specific IP address' or 'A Specific Subnet' for the Destination address.
Type in the IP address you want to block and if blocking a subnet type in the subnet block. Click 'next'

Leave the protocol type as 'Any' and click 'Next' and then 'Finish'

You have now blocked your first IP or IP range.

One of the eUKhost blogs has this explained in a more comprehensive way. Link: ASP SQL Blog

*****UPDATE*****
Now all of this has been automated into a script. You do not have to worry about manually blocking IPs on a Windows server; you can just download the package below, run the setup and you are done. It will scan your server every 5 mins and block any IP address with more than 100 connections. Also, it will not block the host server's IP address or those added to the whitelist.

Download Link: Browse QaasWall For Windows Files on SourceForge.net
__________________
Martin
Chief R & D Officer.

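
The wizard steps above, together with the assign step discussed later in the thread, expressed as `netsh ipsec static` commands (an added example, not part of the original post). The addresses are documentation-range placeholders, and the filter action name "Block" and rule name "Block rule" are names chosen for this example.

```batch
@echo off
rem Added example: command-line equivalent of the MMC wizard steps.
rem Uses "netsh ipsec static", available on Windows Server 2003 and later.
rem 203.0.113.10 and 198.51.100.0/24 are constructed placeholder addresses.
setlocal
set POLICY=Block IP
set FLIST=IP block list
set FACTION=Block

rem 1. Create the policy unassigned, so nothing is enforced until it is reviewed.
netsh ipsec static add policy name="%POLICY%" description="Block IP" assign=no

rem 2. Create the filter list, then one mirrored filter per address or subnet.
rem    srcaddr=me matches "My IP address"; mirrored=yes covers both directions.
netsh ipsec static add filterlist name="%FLIST%" description="IP block list"
netsh ipsec static add filter filterlist="%FLIST%" description="IP1" ^
    srcaddr=me dstaddr=203.0.113.10 protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="%FLIST%" description="IP Range 1" ^
    srcaddr=me dstaddr=198.51.100.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

rem 3. A rule needs a filter action; this one drops matching packets.
netsh ipsec static add filteraction name="%FACTION%" action=block

rem 4. Tie the filter list and the block action together in a rule of the policy.
netsh ipsec static add rule name="Block rule" policy="%POLICY%" ^
    filterlist="%FLIST%" filteraction="%FACTION%"

rem 5. Review what was built, then assign it. An unassigned policy blocks nothing.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Rollback when working on a remote server:
rem   netsh ipsec static set policy name="Block IP" assign=no
endlocal
```

Run it from an administrator command prompt; when connected remotely, confirm that your own address is not covered by any filter before the assign step.
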
  #2 (permalink)  
Old 02-11-2007, 01:06
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Martin, this is something really wonderful! This'd turn helpful in terms of our servers getting targeted by a specific IP address or an IP range.
Really nice tutorial on blocking IPs using IPSEC for Windows – Packet Filtering
__________________

Rock _a.k.a._ Jack

  #3 (permalink)  
Old 05-02-2008, 10:56
Member
 
Join Date: Feb 2008
Location: London, UK
Posts: 34
Send a message via Skype™ to bradmca

This looks great, so it stops a range of spambots from known IPs from accessing all sites hosted on a VPS Hosting?

  #4 (permalink)  
Old 05-02-2008, 12:03
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

Yes, you can block any and all IPs that you wish and with different protocols. If you know how to configure this utility then there is no need for a firewall on the server.

  #5 (permalink)  
Old 03-02-2009, 03:12
new member
 
Join Date: Feb 2009
Posts: 3

Sorry to dig out this old thread, but I got a bit confused and need to confirm something.

After I've done all the settings I exited the console. I opened the "MMC" again and see that the new rule is actually "Not assign". Do I need to assign this new rule, or is it working already with no need to right-click and assign?

Since I did this on our customer's live server remotely, I need to be extra careful.

Btw, after I did this on the server I still saw in the event viewer that this IP from Italy, "82.104.207.137", is still trying to use our Exchange SMTP server but is rejected because it doesn't have the proper authorization. Possibly this IP tried to brute force the password. I saw that this IP keeps trying to penetrate our server.

Currently using Windows 2003 Server R2 with Exchange 2003.

Regards

  #6 (permalink)  
Old 03-02-2009, 04:38
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

Quote:
Originally Posted by wolverine
After I've done all the settings I exited the console. I opened the "MMC" again and see that the new rule is actually "Not assign". Do I need to assign this new rule, or is it working already with no need to right-click and assign?

Since I did this on our customer's live server remotely, I need to be extra careful.

Yes, you will have to assign the rule [right-click and Assign], which means that you have applied the rule to the server. As soon as you assign the rule, the brute force attack that you have from the IP should not appear at all.

  #7 (permalink)  
Old 03-02-2009, 07:53
new member
 
Join Date: Feb 2009
Posts: 3

Wow, that was fast. Just now I assigned the rules to the server.
Now I need to wait for 1 day and check the event viewer again for this particular stubborn IP.

Btw, can I ask why we must use the blocked IP on the "Destination"? Shouldn't we use it on "Source"?

My noob brain keeps thinking that now we are blocking our client server from connecting to 80.104.207.137 and not the other way around. Please kindly explain a bit more if you have spare time.

Thank you very much.

  #8 (permalink)  
Old 03-02-2009, 08:33
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

The method that has been used works both ways, meaning client access to the server as well as server access to the client is blocked. This is because we have chosen "Mirrored. Match packets with the exact opposite source and destination addresses".

If you want the rule to be implemented for a single direction, then you will have to uncheck the Mirror box and specify Source as the client's IP and Destination as "My IP Address".

  #9 (permalink)  
Old 03-02-2009, 09:41
new member
 
Join Date: Feb 2009
Posts: 3

Quote:
Originally Posted by eUK-Martin
The method that has been used works both ways, meaning client access to the server as well as server access to the client is blocked. This is because we have chosen "Mirrored. Match packets with the exact opposite source and destination addresses".

If you want the rule to be implemented for a single direction, then you will have to uncheck the Mirror box and specify Source as the client's IP and Destination as "My IP Address".

Ah, thank you for the enlightenment. Now I understand.
Btw, I changed the setting: source = 82.104.207.137 and destination = My IP address. But I still tick "Mirrored. Match packets with the exact opposite source and destination addresses". Should have the same result, I think.

Regards

  #10 (permalink)  
Old 03-02-2009, 10:20
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

Quote:
Originally Posted by wolverine
Ah, thank you for the enlightenment. Now I understand.
Btw, I changed the setting: source = 82.104.207.137 and destination = My IP address. But I still tick "Mirrored. Match packets with the exact opposite source and destination addresses". Should have the same result, I think.

Regards

Yup, it should give you the same results.

  #11 (permalink)  
Old 15-03-2009, 12:05
new member
 
Join Date: Mar 2009
Posts: 2

I assume this works on Windows XP Pro as well? I am not really a customer of yours, I just found this through Google and it really helped me out. I got attacked hard from a French IP and I did this on my Windows XP Pro machine. I haven't got attacked yet, though. But it should work, right? I did everything as you wrote and added a specific IP.

PS: I put my other computer's IP there and tried to access this computer's network, it didn't work. What could I have done wrong?

  #12 (permalink)  
Old 16-03-2009, 11:20
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

Quote:
Originally Posted by hanuri
I assume this works on Windows XP Pro as well?

Yes, it would work on Windows XP Professional as well, since it includes IP Sec services.

Quote:
Originally Posted by hanuri
PS: I put my other computer's IP there and tried to access this computer's network, it didn't work. What could I have done wrong?

There are many reasons for it to fail, but if you have followed the exact steps in the original post then it should work for sure.

Are the other computers you have added in a private LAN?

  #13 (permalink)  
Old 16-03-2009, 15:42
new member
 
Join Date: Mar 2009
Posts: 2

Nope, they aren't in a private LAN. But when I tried to follow the steps, I got some messages about Kerberos V5. It was some sort of warning. Also, does it have anything to do with these things if I don't have my Windows firewall on? I assume this is a separate function, so Windows firewall has nothing to do with it.

  #14 (permalink)  
Old 17-03-2009, 12:31
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

No, Windows firewall has nothing to do with the IP Sec service. It is a standalone server which hides the inability of Windows firewall to block a single IP address.

There is a link in the original post that has images along with the steps to block IPs in IP Sec; you can refer to the link if you are still facing any difficulties.

  #15 (permalink)  
Old 01-04-2009, 03:33
Junior Member
 
Join Date: Apr 2009
Posts: 17

Thanks for the tutorial post about "How Block IPs Using Windows IPSec", it would help a lot.

  #16 (permalink)  
Old 01-04-2009, 04:00
Rock's Avatar
Technical Support (eUKhost.com)
 
Join Date: Oct 2006
Location: localhost
Posts: 3,356

Quote:
Originally Posted by atashajules
Thanks for the tutorial post about "How Block IPs Using Windows IPSec", it would help a lot.

Thank you. This indeed is a wonderful & helpful tutorial.

  #17 (permalink)  
Old 01-04-2009, 08:34
Junior Member
 
Join Date: Apr 2009
Posts: 17

I agree with you, completely.
  #18 (permalink)  
Old 14-04-2010, 22:39
eUK-Martin's Avatar
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 628

This process has been automated now. Please read my first post in full for more information.

Enjoy..!!!

  #19 (permalink)  
Old 15-04-2010, 09:08
Member
 
Join Date: Feb 2008
Location: London, UK
Posts: 34
Send a message via Skype™ to bradmca

Excellent, I have been thinking of doing this in .NET for some time.
__________________
--
Brad
----------------------------------------------------------------------------------
Add me to GoogleTalk / Skype: Brad@NetEvolution.co.uk
  #20 (permalink)  
Old 27-04-2010, 14:43
Junior Member
 
Join Date: Apr 2010
Posts: 10

Ok, on Windows XP it works. But would it work on Windows 7?