ANS Documentation

Improve This Doc
  • Cloud
  • Domains and DNS management
  • Backup and High Availability
  • eCommerce Stacks
  • Security
    • DDoSX®
      • Setting up DDoSX®, CDN and WAF using SafeDNS
      • Setting up DDoSX®, CDN and WAF using an ALIAS, ANAME or CNAME
      • Access Controls
      • WAF on DDoSX settings
      • Testing your domain on DDoSX
      • Removing a domain from DDoSX®
      • General information / FAQs
      • Troubleshooting
      • IP Ranges
      • TLS1.0 and TLS1.1 disabled on DDoSX®
      • Global Restrictions
      • DDoSX® HTTP Request and Response Headers
      • Custom Error Pages
    • Web Application Firewall
    • Threat Monitoring and Threat Response
    • McAfee Antivirus
    • Vulnerability Scans
    • ANS MDR
    • Keeping Magento secure
    • Keeping WordPress secure
    • Brute Force Attacks
    • CryptoLocker
    • Dirty COW
    • The Logjam attack
    • Meltdown and Spectre
    • Memcached security concerns and reflection/amplification DDoS attacks
    • Wana Decryptor / Wana Decrypt0r 2.0 / WannaCry
    • Log4J Vulnerability
    • Polkit Security Vulnerability CVE-2021-4034
    • CVE-2022-0847 - Dirty Pipe Vulnerability
  • Email
  • Monitoring and usage management
  • Networking
  • Operating systems
  • Webcelerator
  • MyUKFast
  • Home >
  • Security >
  • DDoSX® >
  • Access Controls

Access Controls¶

You can use DDoSX to control access to your domains and individual URIs. A URI is the part of a URL after the /. For example, in yourdomain.com/admin, admin is the URI).

DDoSX enables you to deny or allow incoming requests based on two filters:

  • Origin IP address or IP range

  • Origin country

This combination allows you to build complex rule sets to meet your individual requirements. Examples of typical rules would be:

Example rules

Use Case

Deny access to your domain from IP address aa.bb.cc.dd

If you’ve experienced frequent attacks from this IP

Only allow access to your admin control panel at yourdomain.com/admin from your office IP range(s)

To prevent access from any other location

Block all access to your domain from country X

If you have no genuine traffic or users in this country and are concerned about malicious threats

Block all access to your domain from country X, but allow access from IP address dd.ee.ff.gg

If you want to block traffic from this country, but have an employee located there who still needs access from their specific IP address

Setting access controls¶

To set access controls, go to the domain in question within the DDoSX area of MyUKFast and click on the Access Control List tab under Configure. You will see a screen as follows:

acl

CLI:

ans ddosx domain acl ip list mydomain.example
ans ddosx domain acl geoip list mydomain.example

IP Access¶

To add rules based on an IP address or range, click +Add Rule; you’ll see an area open up as follows:

add_ip_filter

  • If you want to apply a rule to your domain overall (also known as a global rule), leave the URI field blank

  • If you want to apply the rule to a specific URI then enter this into the URI field (enter the part after the / - for example admin)

  • Enter the Origin IP address or range you wish to filter on. To filter on all IP addresses (for example if you wish to deny requests from all IPs) enter * into the Origin IP Address / Range field

  • Then choose Allow or Deny using the slider.

Note that rules will be applied in a priority order, based on how specific the rule is. The order from least priority to highest is Country -> wildcard -> subnet -> single IPs

CLI:

ans ddosx domain acl ip create mydomain.example --ip "*" --uri "test/" --mode "Allow"
ans ddosx domain acl ip create mydomain.example --ip "8.8.8.0/24" --uri "test/" --mode "Deny"
ans ddosx domain acl ip create mydomain.example --ip "8.8.8.8" --uri "test/" --mode "Allow"

Country Access¶

You can also manage access to your domain based on the country that requests originate from. Country filtering is based on either a “blocklist” or “allow list” approach:

add_country_filter

  • Blocklist approach - set the Default Access to Allow All using the slider, then specify individual countries which you wish to block, or “blocklist”

  • Allow list approach - set Default Access to Block All using the slider, then specify individual countries which you wish to allow, or “allow list”

The country access rules you specify will work in conjunction with your IP access rules; this is how you can build rulesets such as - block all access from country X, but allow access from a specific IP address even though it is within country X.

Once you’ve specified all your IP access and Country access rules, click Apply Changes at the bottom of the screen.

CLI:

ans ddosx domain acl geoip mode update mydomain.example --mode "Blacklist" #Blocklist (Allow All and deny configured Countries)
ans ddosx domain acl geoip create mydomain.example --code "GB" #Deny GB and Allow all other
ans ddosx domain deploy mydomain.example

Note that rules will be applied in a priority order, based on how specific the rule is. The order from least priority to highest is Country -> wildcard -> subnet -> single IP

acl_rules

Your access rules may take a few minutes to propagate out across the DDoSX network. You can check the the status of your domain by returning to the DDoSX Domains List (click <Back to Domains list) - once your changes have been applied you’ll see a green tick in the Status column next to the domain in question.

Next Article > WAF on DDoSX settings

  • Useful Links
  • SMB
  • Enterprise
  • Channel
  • Public Sector
  • ANS Data Centres
  • About ANS
  • Careers
  • Blog
  • Get in touch
  •  
  • Sales 0800 458 4545
  • Support 0800 230 0032
  • Get in touch

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ