What's the maximum size/length of the BannedIpList?
300 entries, at least per the command itself (I had a list MUCH longer....). This REALLY needs to be longer. Like 5 digits longer.
I agree, we need much more than 300 entries.
Nick42, were you using a script to read from a file containing your 300+ banned IP list?
No. I made a ridiculously long PowerShell script that added each one with a separate command (in an attempt to see if it was a batch thing, or ...)
More than 300?!?!?!
FYI, this is how I went through automating adding banned IPs to ADFS.
We have a list of banned IP addresses that gets updated from our PaloAlto to a CSV file.
I created the following PowerShell script to pull the IPs from the CSV and then add those IPs to the ADFS bannedip list:
$BNPBannedIPs = Get-Content C:\Scripts\ADFSTest.csv   # one IP or CIDR block per line
Set-AdfsProperties -AddBannedIps $BNPBannedIPs
Since the CSV file that contains the banned IPs gets updated daily from our PaloAlto,
I created a scheduled task to have the PowerShell script run daily.
Hope this helps
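As an added example (this is not the script posted above, nor anything shipped with AD FS), here is a fuller version of the same CSV-driven approach: it validates every entry, diffs against the current BannedIpList so the scheduled task only sends changes, releases entries that have dropped out of the export (useful for a rotating block list), and refuses to run past the 300-entry limit this issue is about. The CSV path, the one-entry-per-line layout and the $MaxEntries value are assumptions; Get-AdfsProperties and Set-AdfsProperties with -AddBannedIps and -RemoveBannedIps are the AD FS cmdlets.

```powershell
# Added example (not the script posted in this thread). Keeps the AD FS banned-IP
# list in sync with a firewall-exported CSV: one IP or CIDR block per line.
# Assumed: the CSV path, the 300-entry cap observed in this issue, and an AD FS
# 2016+ server with the ADFS module loaded (Get-AdfsProperties / Set-AdfsProperties).
param(
    [string]$CsvPath    = 'C:\Scripts\BannedIps.csv',   # assumed location
    [int]   $MaxEntries = 300                           # cap observed in this thread
)

# Read entries, trim whitespace, drop blanks and '#' comment lines, deduplicate.
$desired = Get-Content -Path $CsvPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

# Validate each entry as an IP address or CIDR block so a malformed export
# cannot push garbage into the AD FS configuration.
$valid = foreach ($entry in $desired) {
    $ip, $prefix = $entry -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        Write-Warning "Skipping unparseable entry: $entry"
        continue
    }
    $maxPrefix = if ($parsed.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
    if ($null -ne $prefix -and ($prefix -notmatch '^\d{1,3}$' -or [int]$prefix -gt $maxPrefix)) {
        Write-Warning "Skipping bad prefix length: $entry"
        continue
    }
    $entry
}

if (@($valid).Count -gt $MaxEntries) {
    throw "CSV has $(@($valid).Count) entries but AD FS accepts at most $MaxEntries; aggregate into larger CIDR blocks first."
}

# Compare with what AD FS already has so the daily task only sends deltas.
$current  = @((Get-AdfsProperties).BannedIpList | Where-Object { $_ })
$toAdd    = @($valid   | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $valid })   # rotating list: stale blocks are released

if ($toRemove.Count -gt 0) { Set-AdfsProperties -RemoveBannedIps $toRemove }
if ($toAdd.Count    -gt 0) { Set-AdfsProperties -AddBannedIps    $toAdd }

# Print the complete list; the default Get-AdfsProperties view truncates it.
(Get-AdfsProperties).BannedIpList
```

Run it from the scheduled task as the AD FS service administrator. Because the script throws before touching AD FS when the export exceeds the cap, a firewall feed that suddenly grows will fail loudly in the task history instead of silently stopping at entry 300.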
So I'm curious what happens once you hit 301 entries...
I will let you know if and once I get there :)
I hit the 300 limit fairly quickly. I created a PowerShell script to automatically ban IPs found in brute force password spray attacks in ADFS and I reached the 300 limit. It simply will not increment higher than 300.
Since I'm still fairly new with this, when I run get-adfsproperties I see 4 banned ips followed with an ellipsis. Does anyone know how to view all of the banned ips that have been set?
get-adfsproperties | select bann* -expandproperty bann*
I didn't confirm this, but I think it's correct.
Hey Bob, do you happen to know how to remove an ip from a user's list of familiarips?
Please vote on this topic here:
I can't imagine any organization that is small enough to think 300 is adequate while also being large enough to deploy ADFS in the first place.
EDIT: If you are attempting to block IPs for use with Office 365 federation, you can do this directly in the tenant via Set-OrganizationConfig -IPListBlocked. In my testing, I was able to add ~1173 entries. Listed IP addresses will not be proxied to AD FS for authentication.
ref: https://www.slideshare.net/AndresCanello/azure-ad-password-attacks-logging-and-protections
Arrgh... just came across the same issue.
I was in the process of implementing a rotating block list (of known recent brute force attacks), and reached the 300 limit. Sigh.
To assume there are only 300 “bad” IPs out there in the big wide world is delusional.
I totally agree, and hope the limit is increased! :)
Cheers, Kurt.
Leeharrison,
You can view the entire list this way:
get-adfsproperties | select bann* -expandproperty bann*
On Tue, Apr 9, 2019 at 9:29 AM leeharrison notifications@github.com wrote:
Hi all, I have been adding banned IP's, but when I run Get-AdfsProperties it only returns the first 3 entries. How can I see the full list, I have entered 100+ CIDR blocks in there. Cheers,
Lee
The field accepts CIDR-notated ranges. So try getting more spread by blocking large blocks of IPs that are your largest offenders.
You can use the tools below to identify appropriate CIDR notation and what IP spaces are owned by whom, to help identify appropriately what you want to block.
https://www.ipaddressguide.com/cidr and
https://wq.apnic.net/static/search.html
Still need more entries than the system allows for, since the address spaces are not congruent.
@Nick42- I use Splunk to create a report with all Class B subnets generating excessive EventCode=516, filtered by foreign IPs using Geo location. Sorting by highest count, I check the Class B subnet to ensure the entire net is "owned/operated" by the same foreign entity. Assuming I know that our org does not have affiliates regularly in that geographical location (or require them to VPN if they are), I'll block that entire Subnet range using CIDR. We have 164 ranges covering about 1200 Class Bs. I haven't done a count, but I venture to say that we're blocking millions of IP hosts this way. This reduced our EventCode=516 from a daily range of 37,000 to 70,000, down to an average of 4,000. Coincidentally, most of them are internal now, due to password changes!
If your people are geographically located in places you know, it could be beneficial to block all the other offending geo locations.
Hopefully that helps. If not, sorry! Maybe it could improve but not completely eliminate... I review the Splunk alert periodically and tweak a little here and there.
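The two suggestions above (block the offenders' CIDR blocks rather than single hosts, and aggregate by Class B before banning) can be scripted. The following is an added example, not code from this thread or from the Splunk report described: it takes a list of offending source addresses from whatever source you pull spray data (the comment above uses Splunk over EventCode=516), tallies them per /16 and /24, emits the fewest CIDR blocks that cover the noisy ranges, and drops any block that overlaps an allow list of your own networks, since a /16 ban that swallows your own office is worse than the spray. The offender addresses are constructed sample data from documentation and benchmark ranges, not real attackers; the thresholds, the allow list and the function names are assumptions. IPv4 only.

```powershell
# Added example (not from the thread): collapse a long list of offending source
# addresses into /16 and /24 CIDR blocks that fit under the 300-entry limit, while
# refusing to ban any block that overlaps your own networks.
# The offender addresses below are constructed sample data (documentation and
# benchmark ranges), not real attackers; thresholds and the allow list are assumptions.
# IPv4 only.

function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> integer, so CIDR overlap can be tested arithmetically.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-CidrOverlap ([string]$A, [string]$B) {
    # Two blocks overlap when they agree on the shorter of the two prefix lengths.
    $ipA, $pA = $A -split '/'
    $ipB, $pB = $B -split '/'
    $span = [math]::Pow(2, 32 - [math]::Min([int]$pA, [int]$pB))
    [math]::Floor((ConvertTo-IpNumber $ipA) / $span) -eq [math]::Floor((ConvertTo-IpNumber $ipB) / $span)
}

function ConvertTo-BanBlocks {
    param(
        [string[]]$Ips,
        [int]$Per16 = 20,            # distinct hosts seen in a /16 before the whole /16 is banned
        [int]$Per24 = 5,             # distinct hosts seen in a /24 before that /24 is banned
        [string[]]$AllowList = @()   # networks that must never be banned (offices, VPN egress)
    )
    # Tally distinct offending hosts per /16 and per /24.
    $by16 = @{}; $by24 = @{}
    foreach ($ip in ($Ips | Sort-Object -Unique)) {
        $o = $ip.Split('.')
        $by16["$($o[0]).$($o[1]).0.0/16"]        += 1
        $by24["$($o[0]).$($o[1]).$($o[2]).0/24"] += 1
    }
    # Ban the noisiest /16s first, then any hot /24 not already inside a banned /16.
    $blocks = @()
    foreach ($e in ($by16.GetEnumerator() | Sort-Object Value -Descending)) {
        if ($e.Value -ge $Per16) { $blocks += $e.Key }
    }
    foreach ($e in ($by24.GetEnumerator() | Sort-Object Value -Descending)) {
        $k = $e.Key
        if ($e.Value -ge $Per24 -and -not ($blocks | Where-Object { Test-CidrOverlap $_ $k })) {
            $blocks += $k
        }
    }
    # Never emit a block that touches the allow list.
    $blocks | Where-Object {
        $candidate = $_
        -not ($AllowList | Where-Object { Test-CidrOverlap $candidate $_ })
    }
}

# Constructed sample: 40 hosts in 203.0.113.0/24, 30 hosts spread across 198.51.0.0/16,
# 6 hosts in 198.18.0.0/24, and 5 hosts in 192.0.2.0/24 (which is on the allow list).
$offenders = @(1..40 | ForEach-Object { "203.0.113.$_" }) +
             @(1..30 | ForEach-Object { "198.51.$_.7" }) +
             @(1..6  | ForEach-Object { "198.18.0.$_" }) +
             @(1..5  | ForEach-Object { "192.0.2.$_" })
$allowList = @('192.0.2.0/24')   # assumed: your own office range

$blocks = @(ConvertTo-BanBlocks -Ips $offenders -AllowList $allowList)
"{0} blocks cover {1} offending hosts" -f $blocks.Count, $offenders.Count
$blocks
if ($blocks.Count -gt 300) { throw 'Still over the AD FS limit; raise the thresholds.' }
# On the AD FS server, after reviewing the list: Set-AdfsProperties -AddBannedIps $blocks
```

With the sample data this yields the two busy /16s plus 198.18.0.0/24, and the allow-listed 192.0.2.0/24 is dropped even though it crossed the /24 threshold. Before feeding real output into Set-AdfsProperties, review each emitted /16 against a WHOIS source such as the APNIC lookup linked above, as the earlier comment recommends, so that a single /16 shared between an attacker and a legitimate partner is not banned wholesale.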