Hello, I am going to share with you my app for ASP Classic, made for personal use.
Some people do not have access to the server, or, like me, are not satisfied with Dynamic IP Restrictions, so I have made a script for ASP Classic. You can place it on any web page you want (home page and/or internal pages). It uses a MySQL database (I guess you could use another database provider). In the example I have set a ban for each IP loading 3 web pages in 3 seconds (that is not normal activity). I just want to block every flood, site-scraping script, DDoS, bot or annoying access to my website, and in my case it works great!
It can also be inserted into a custom "404 Not Found" page to stop and track web app/spam attacks that generate 404 errors. If your website uses only .asp, you can set up a "honeypot"-style test and ban an IP when someone tries to access a .php file, because that can be a sign of vulnerability scanning. You will save CPU and bandwidth in the meantime.
Hope this helps!
- YOU NEED TO CREATE A (MY)SQL DATABASE:

CREATE TABLE `banip` (
  `id` int(11) NOT NULL auto_increment,
  `IP` char(15) default NULL,
  `dtime` time default NULL,
  PRIMARY KEY (`id`),
  KEY `IP` (`IP`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

- YOU NEED TO PUT THE ASP CODE WHERE IT IS NEEDED
- PLUS A TINY ADMIN WEBPAGE mybanipadm.asp (you can change the filename)
- A recaptcha.asp webpage, if you enable this option

ASP CLASSIC CODE:
<%
' ***PUT THIS CODE AT THE TOP OF EACH WEBPAGE YOU WANT TO PROTECT***
' COULD BE THE HOME PAGE AND/OR INTERNAL PAGES
' THE BAN IS PERSISTENT UNTIL THE SERVER RESTARTS
response.buffer = true
IP = Request.ServerVariables("REMOTE_ADDR")

' IP WHITELIST - SEPARATE EACH IP WITH A | (KEEP THE TRAILING |)
IPWL = "127.0.0.1|"

' Match whole |-delimited entries only, so that 27.0.0.1 does not match 127.0.0.1
if instr("|" & IPWL, "|" & IP & "|") > 0 then
    ' do nothing, the IP is whitelisted
else
    ' CHECK IF THERE IS A BAN THAT MATCHES THE CURRENT IP
    if Application("mybanip") <> "" then
        if instr("|" & Application("mybanip"), "|" & IP & "|") > 0 then
            ' RESPONSE EXAMPLE WHEN ACCESS IS DENIED (CHOOSE ONE OR MAKE YOUR OWN)
            'Response.Status = "403 Forbidden"
            'Response.Status = "404 Not Found"
            'response.redirect "banned.html"
            response.write "You are going too fast !"

            'Recaptcha support (uncomment for activation and insert your site key)
            'response.write "<html><head><title>You are going too fast !</title><script src=""https://www.google.com/recaptcha/api.js"" async defer></script></head><body>"
            'response.write "<h1>Please confirm that you are not a robot !</h1>"
            'response.write "<form action=""recaptcha.asp"" method=""POST""><div class=""g-recaptcha"" data-sitekey=""YOUR_SITE_KEY""></div>"
            'response.write "<br/><input type=""submit"" value=""Submit""></form></body></html>"

            session.abandon
            response.end
        end if
    end if

    ' THE TIME NOW
    ' (FormatDateTime follows the server's regional settings; a 24-hour time format is assumed)
    dtime = FormatDateTime(now(),3)

    'we can decide to run it only at a specified time
    'if dtime >= "00:00:00" and dtime < "05:00:00" then

    ' PREPARE TO CHECK THE DATABASE FOR THE LAST 3 SECONDS OF ACTIVITY
    secfrom = DateAdd("s",-3,now()) 'value you can change is -3 (seconds)
    secfrom = FormatDateTime(secfrom,3)

    ' ***OPEN THE CONNECTION STRING (USE YOUR OWN OR MODIFY THIS ONE)***
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DRIVER={MySQL ODBC 3.51 Driver};server=127.0.0.1;uid=LOGIN;pwd=PSW;Database=DBNAME;"

    ' ***EVERYTHING BELOW MUST BE PUT AFTER THE CONNECTION IS OPENED***

    ' POPULATE THE DATABASE WITH THE CURRENT IP AND TIME
    ' (IP comes from REMOTE_ADDR, which is set by the server, not by the client)
    SQL = "INSERT INTO BANIP (IP,DTIME) values('" & IP & "','" & dtime & "')"
    conn.execute(SQL)

    ' CHECK IF THERE IS SPAM ACTIVITY FOR THE CURRENT IP
    SQL = "SELECT COUNT(IP) as nbfound FROM BANIP WHERE IP='" & IP & "' AND dtime BETWEEN '" & secfrom & "' AND '" & dtime & "'"
    set rsIPCount = conn.Execute(SQL)
    if not rsIPCount.Eof then
        ipcount = clng(rsIPCount("nbfound"))
    else
        ipcount = 0
    end if
    rsIPCount.Close
    set rsIPCount = nothing

    ' IF AT LEAST 3 WEBPAGES WERE LOADED IN 3 SECONDS THEN SET A BAN
    if ipcount >= 3 then 'value you can change is 3 (webpages)
        application.lock
        Application("mybanip") = Application("mybanip") & IP & "|"
        application.unlock
    end if

    ' DELETE ALL ENTRIES EVERY 2 MINUTES FOR PERFORMANCE
    if Application("mybanipdel") = "" then
        Application("mybanipdel") = dtime
    elseif datediff("n",Application("mybanipdel"), dtime) >= 2 or datediff("n",Application("mybanipdel"), dtime) < 0 then 'value you can change is 2 (minutes)
        conn.execute "DELETE FROM BANIP"
        Application("mybanipdel") = FormatDateTime(now(),3)
    end if

    ' Release the database connection
    conn.Close
    Set conn = Nothing
    SQL = ""
    IP = ""
end if
%>
Admin page mybanipadm.asp:

<html><head><title>My admin</title></head><body>
<%
' ***CHANGE THESE VALUES***
login = "login"
passw = "pass"

if request.querystring("disconnect") = "yes" then
    session("adm") = ""
end if

if request.form("LogMe") <> "" and (request.form("login") = login and request.form("passw") = passw) then
    session("adm") = "loggued"
elseif session("adm") = "" then
    response.write "<p>Please log-in :</p> <form method=""post""><input type=""text"" size=""15"" name=""login"" placeholder=""login""> <input type=""password"" size=""15"" name=""passw"" placeholder=""password""><input type=""submit"" name=""LogMe""></form>"
    response.end
end if

' Only a logged-in admin reaches this point, so the ban list cannot be cleared by an anonymous request
if request.querystring("clear") = "yes" then
    application.lock
    Application("mybanip") = ""
    application.unlock
end if

response.write "<p><a href=""?disconnect=yes"">Disconnect from the admin</a> - <a href=""?clear=yes"">Clear all ip</a></p>"

if request.form("unban") <> "" and request.form("ipban") <> "" then
    ipban = trim(request.form("ipban"))
    ' Rebuild the list entry by entry so that unbanning 1.2.3.4 does not damage 11.2.3.4
    newlist = ""
    application.lock
    for each entry in split(Application("mybanip"), "|")
        if entry <> "" and entry <> ipban then newlist = newlist & entry & "|"
    next
    Application("mybanip") = newlist
    application.unlock
    ' HTML-encode the submitted value before writing it back to the page
    response.write "<p>IP : <b>" & Server.HTMLEncode(ipban) & "</b> has been unbanned !</p>"
end if

response.write "Unban this IP : <form method=""post""><input type=""text"" size=""15"" maxlength=""15"" name=""ipban"" placeholder=""000.000.000.000""> <input type=""submit"" name=""Unban"" value=""Unban""></form>"
response.write "<p>IP CURRENTLY BANNED</p>" & replace(Application("mybanip"),"|","<br>")
%>
</body></html>
Script for recaptcha.asp, if enabled:

<%
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Dim recaptcha_secret, sendstring, objXML, myip, entry, newlist
    recaptcha_secret = "YOUR_SECRET_KEY"

    ' URL-encode the submitted token so it cannot add or override query parameters
    sendstring = "https://www.google.com/recaptcha/api/siteverify?secret=" & recaptcha_secret & "&response=" & Server.URLEncode(Request.form("g-recaptcha-response"))

    Set objXML = Server.CreateObject("MSXML2.ServerXMLHTTP")
    objXML.Open "GET", sendstring, False
    objXML.Send

    if instr(objXML.responseText,"success"": true") then
        ' Remove only the exact entry for this IP from the ban list
        myip = Request.ServerVariables("REMOTE_ADDR")
        newlist = ""
        application.lock
        for each entry in split(Application("mybanip"), "|")
            if entry <> "" and entry <> myip then newlist = newlist & entry & "|"
        next
        Application("mybanip") = newlist
        application.unlock
        Set objXML = Nothing
        response.redirect "https://www.Yourwebsite.com"
    else
        response.write "Incorrect response"
    end if

    Set objXML = Nothing
    response.end
End If
%>
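
The honeypot idea described above (banning an IP that requests a .php file on an .asp-only site), written for a custom 404 page. This is an added example, not part of the original script: the file name 404.asp and the trapExt list are assumptions, and it assumes IIS executes the page as the custom 404 handler, which passes the original URL in QUERY_STRING in the form "404;http://host:80/path".

```vbscript
<%
' 404.asp (hypothetical file name) - added example, not part of the original script.
' Shares the Application("mybanip") list ("ip|ip|") with the protected pages.
Response.Buffer = True
Dim ip, ipwl, target, pos, trapExt, ext, hit

ip      = Request.ServerVariables("REMOTE_ADDR")
ipwl    = "127.0.0.1|"     ' same whitelist format as the main script
trapExt = Array(".php")    ' assumption: extensions this site never serves

' When IIS runs a custom error page, QUERY_STRING is "404;<original URL>"
target = LCase(Request.ServerVariables("QUERY_STRING"))
pos = InStr(target, ";")
If pos > 0 Then target = Mid(target, pos + 1)

' Drop the requested URL's own query string, so "page.asp?file=x.php" is not a hit
pos = InStr(target, "?")
If pos > 0 Then target = Left(target, pos - 1)

' A hit is a requested path that ends with one of the trap extensions
hit = False
For Each ext In trapExt
    If Right(target, Len(ext)) = ext Then hit = True
Next

' Ban the client unless it is whitelisted (whole-entry match on the |-delimited list)
If hit And InStr("|" & ipwl, "|" & ip & "|") = 0 Then
    Application.Lock
    ' Add the IP only once
    If InStr("|" & Application("mybanip"), "|" & ip & "|") = 0 Then
        Application("mybanip") = Application("mybanip") & ip & "|"
    End If
    Application.Unlock
End If

' Always answer with a plain 404 so the response does not reveal the trap
Response.Status = "404 Not Found"
Response.Write "Not Found"
Response.End
%>
```

An IP banned here is refused by the protected pages on its next request and can be removed from the list through mybanipadm.asp.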