Maximum size/length of BannedIpList #1257
Comments
|
300 entries, at least per the command itself (I had a list MUCH longer....). This REALLY needs to be longer. Like 5 digits longer. |
|
I agree, we need much more than 300 entries. |
|
Nick42 were you using a script to read from a file containing your 300+ banned IP list? |
|
No. I made a ridiculously long powershell script that added each one with a separate command (in an attempt to see if it was a batch thing, or ...)
|
|
More than 300?!?!?!
|
|
FYI, this is how I went through automating adding banned IPs to ADFS. We have a list of banned IP addresses that gets updated from our PaloAlto to a CSV file. I created the following powershell script to pull the IPs from the CSV and then add those IPs to the ADFS bannedip list: Since the CSV file that contains the banned IPs gets updated daily from our PaloAlto, Hope this helps |
|
So I'm curious what happens once you hit 301 entries...
|
|
I will let you know if and once I get there :) |
|
I hit the 300 limit fairly quickly. I created a powershell script to automatically ban IPs found in brute force password spray attacks in ADFS and I reached the 300 limit. It simply will not increment higher than 300. |
|
Since I'm still fairly new with this, when I run get-adfsproperties I see 4 banned ips followed with an ellipses. Does anyone know how to view all of the banned ips that have been set? |
|
get-adfsproperties | select bann* -expandproperty bann*
I didn't confirm this, but I think it's correct.
…On Thu, Oct 25, 2018 at 9:56 AM leohoknows ***@***.***> wrote:
Since I'm still fairly new with this, when I run get-adfsproperties I see
4 banned ips followed with an ellipses. Does anyone know how to view all of
the banned ips that have been set?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1257 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFgpleY4ih3kiQrO5MzcskxVdNTzcIUiks5uocL2gaJpZM4Vmb1C>
.
|
|
Hey Bob, do you happen to know how to remove an ip from a user's list of familiarips? |
|
Please vote on this topic here: I can't imagine any organization that is small enough to think 300 is adequate while also being large enough to deploy ADFS in the first place. EDIT: If you are attempting to block IPs for use with Office 365 federation, you can do this directly in the tenant via Set-OrganizationConfig -IPListBlocked. In my testing, I was able to add ~1173 entries. Listed IP addresses will not be proxied to AD FS for authentication. |
|
Arrgh... just came across the same issue. To assume there are only 300 “bad” IP’s out there in the big wide world is delusional. Cheers, Kurt. |
|
Leeharrison,
You can view the entire list this way:
get-adfsproperties | select bann* -expandproperty bann*
…On Tue, Apr 9, 2019 at 9:29 AM leeharrison ***@***.***> wrote:
Hi all, I have been adding banned IP's, but when I run Get-AdfsProperties
it only returns the first 3 entries. How can I see the full list, I have
entered 100+ CIDR blocks in there.
Cheers,
Lee
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1257 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFgplZEY8PksyjDjO-s1cdEn_pY8eIDfks5vfJXLgaJpZM4Vmb1C>
.
|
|
The field accepts CIDR notated ranges. So try getting more spread by blocking large blocks of IPs that are your largest offenders. You can use tools below to identify appropriate CIDR notation and what IP spaces are owned by who to help identify appropriately what you want to block. https://www.ipaddressguide.com/cidr and |
|
Still need more entries than the system allows for, since the address spaces are not congruent.
…-----Original Message-----
From: reevesjeremy <notifications@github.com>
Sent: Tuesday, June 18, 2019 9:02 AM
To: MicrosoftDocs/windowsserverdocs <windowsserverdocs@noreply.github.com>
Cc: Antone, Nick <NAntone@ESNCC.com>; Comment <comment@noreply.github.com>
Subject: Re: [MicrosoftDocs/windowsserverdocs] Maximum size/length of BannedIpList (#1257)
The field accepts ranges and CIDR notation. So try getting more spread by blocking large blocks of IPS that are your largest offenders.
You can use tools below to identify appropriate CIDR notation and what IP spaces are owned by who to help identify appropriately what you want to block.
https://www.ipaddressguide.com/cidr and
https://wq.apnic.net/static/search.html
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#1257?email_source=notifications&email_token=ACF3K4KUZVBC4O652QQFX6DP3EBJFA5CNFSM4FMZXVBKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODX7D6UY#issuecomment-503201619> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ACF3K4JBAQC3GYQVQ6ABWDTP3EBJFANCNFSM4FMZXVBA> . <https://github.com/notifications/beacon/ACF3K4MLQVZOMWDZQJLLQETP3EBJFA5CNFSM4FMZXVBKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODX7D6UY.gif>
|
@Nick42- I use Splunk to create a report with all Class B subnets generating excessive EventCode=516, filtered by foreign IPs using Geo location. Sorting by highest count, I check the Class b subnet to ensure the entire net is "owned/operated" by the same foreign entity. Assuming I know that our org does not have affiliates regularly in that geographical location (or require them to VPN if they are), I'll block that entire Subnet range using CIDR. We have 164 ranges covering about 1200 Class Bs. I havn't done a count, but I venture to say that we're blocking millions of IP hosts this way. This reduced our EventsCode=516 from a daily range of 37,000 to 70,000, down to an average of 4,000. Coincidently, most of them are internal now, due to password changes! If your people are geographically located in places you know, it could be beneficial to block all the other offending geo locations. Hopefully that helps. If not, sorry! Maybe it could improve but not completely eliminate... I review the splunk alert periodically and tweak a little here and there. |
|
#please-close |
|
Curious as to why this is closed?!?!?! I'd venture to say that it's not stale, it's just that everyone is waiting for MS to fix it. |
|
#assign:IngridAtMicrosoft |
|
#assign:IngridAtMicrosoft |
1 similar comment
|
#assign:IngridAtMicrosoft |
|
Old convo, but for my own tracking, if nothing else, you can add your own IP list with a plugin like IPBlockPlugin, demonstrated here:
The source code however evaluates single IP addresses: So, if you wanted to use this for ranges or CIDR, you'd have to add that to the UserRiskAnalyzer.cs code. |
What's the maximum size/length of the BannedIpList?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: