This evening I noticed a brute-force attack attempt from the same IP address on several of our websites hosted on the same IP address. The attempt was to exploit a bunch of PHP-related vulnerabilities.
As I get notifications on all of these, I simply added the incoming IP address in IIS Manager/IP Address and Domain Restrictions – set to deny, then left it.
No more notifications, so I figured everything was good.
Later, when I attempted to access any of our websites, I got a 403 access denied error from any IP address I tried to access these sites from. I do have one site for which I have explicit allow rules set for other IP addresses, and I was able to access it; however, all the other sites do not have this special rule.
To get all the sites working again, I added an Allow rule where the IP address range is the web server’s IP address, and Mask or Prefix = “(1)”.
Here are the settings in IP Address and Domain Restrictions:
Mode: Allow
Requestor: ([my server's IP address])(1)
Entry Type: Local
So what I’d like to know is why this is now allowing access to the rest of my sites. Did I mistakenly delete a value that should have been there before?
From what I read here, by default, domain name restrictions are disabled.