
I recently moved iishacks.com to a dedicated server at a datacentre in Texas. I set it up without defining host headers – something I’ve always done because of a 1-to-1 site-to-IP ratio.

The site has been running on the server for a little over a week and my logs are roughly 17 times the size they were on the old server. Maybe iishacks.com got slashdotted? No. I’d have to say something really bad about Linux for that to happen.

When you provision a server from any datacentre they give you a block of IPs from their address pool – often IPs that have been used (and abused) in the past.

As it turns out, “spam bots” were attempting to log in and/or post comments to various default WordPress, Movable Type, vBulletin and phpBB pages on my IP address. The IP address had once belonged to another site which garnered attention from “spam bots.” Since my site was responding to any host header on the IP address (the default when no host header values are defined in IIS), it was responding to all these requests. That takes up processor cycles, memory and, most importantly, bandwidth. It also clutters your logs.

By adding Host Header values, even when you have a single website on an IP, you deny malformed and spam requests that do not name your domain: those addressed to previous domains pointing to that IP address, and those addressed to the IP address itself. In the past, SSL and Host Headers did not get along on IIS6: the SSL site had to be hosted on a different IP than the non-SSL site. Since Windows 2003 SP1 was released, this is no longer a problem, so sites with SSL can specify host headers as well.
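
To measure how much of the traffic described above would stop once host headers are in place, this added example (not part of the original post) tallies requests in an IIS W3C log whose Host value matches none of the site's host names. It assumes the optional cs-host field is enabled in the site's logging; ALLOWED_HOSTS and the sample log lines are constructed.

```python
from collections import Counter

# Assumption: host names the site is meant to answer for (the page's placeholder domain).
ALLOWED_HOSTS = {"www.yoursite.com", "yoursite.com"}

# Constructed sample in IIS W3C extended format; addresses use documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-host c-ip sc-status
2010-01-01 00:00:01 192.0.2.10 GET /default.aspx www.yoursite.com 198.51.100.7 200
2010-01-01 00:00:02 192.0.2.10 POST /wp-login.php old-tenant.example 203.0.113.5 404
2010-01-01 00:00:03 192.0.2.10 POST /wp-comments-post.php 192.0.2.10 203.0.113.5 404
2010-01-01 00:00:04 192.0.2.10 GET /index.php YourSite.com:80 198.51.100.9 200
2010-01-01 00:00:05 192.0.2.10 GET /forum/posting.php - 203.0.113.8 404
"""

def normalize_host(value):
    """Lower-case the logged Host value and drop any :port suffix; '-' means no header."""
    if value == "-":
        return ""
    host = value.lower()
    if host.count(":") == 1:  # host:port (leave bare IPv6 literals alone)
        host = host.rsplit(":", 1)[0]
    return host

def audit(log_text, allowed):
    """Return (matched, unmatched_by_host, unmatched_by_path) for a W3C log."""
    fields, matched = [], 0
    by_host, by_path = Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list may change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if "cs-host" not in row:
            raise ValueError("cs-host is not logged; enable it in the site's W3C fields")
        host = normalize_host(row["cs-host"])
        if host in allowed:
            matched += 1
        else:  # request named another domain, the bare IP, or sent no Host header
            by_host[host or "(no Host header)"] += 1
            by_path[row.get("cs-uri-stem", "-")] += 1
    return matched, by_host, by_path

if __name__ == "__main__":
    ok, hosts, paths = audit(SAMPLE_LOG, ALLOWED_HOSTS)
    print("match a binding:", ok, "| match no host name:", sum(hosts.values()))
    print(hosts.most_common(), paths.most_common())
```

The unmatched requests are only refused if no other site on the server still has a blank host header on the same IP address and port; otherwise that site receives them.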

How to set up Host Headers (bindings) on IIS6

  1. Open Internet Information Services (IIS) Manager.
  2. Expand the left-hand menu under Server Name and “Web Sites.”
  3. Right-click on the website you wish to add a Host Header to and select “Properties.”
  4. Under the “Web Site” tab there will be a “Web Site Identification” header, click on “Advanced.”
  5. Under “Multiple Identities for this web site” click “Add.”
  6. Add “www.yoursite.com” where it says “Host Header Value.”
  7. Add another value with the same port number and IP address without the “www.”

How to set up Host Headers (bindings) on IIS7

  1. Open Internet Information Services (IIS) Manager.
  2. Expand the left-hand menu under the Server Name and “Sites.”
  3. Right-click on the website you wish to add a Host Header to and select “Bindings.”
  4. There will be a default binding on Port 80 with the IP address specified. Highlight it and click “edit.” Add “www.yoursite.com” to the Host Name field.
  5. Add another site binding without the “www” in the Host Name.
  6. For SSL specify HTTPS under “type” and be sure to assign the correct certificate.

One Response to “Host Headers vs. Spam and How-to Setup on IIS6 and IIS7”

  1. Sal

    Step 6 above,
    “6. For SSL specify HTTPS under “type” and be sure to assign the correct certificate.”
    cannot be done through the UI.
    HTTPS would not allow adding a host name; the box is grayed out.
    One has to do it using the command line only.
