ASP.NET WebService deny remote access.

Question

I've created an ASP.NET WebService that is to be consumed using ASP.NET Ajax. The WebService is located on the same box and same web application that it is to be used by, so I do not want to allow remote access to this webservice, but have it only respond to requests from localhost.

The Web.Config DOES NOT have a configuration section and therfore does not have httpPost and httpGet turned on. This is fine. However, if I navigate directly to the WebService URL from a remote machine, it still loads and shows me a list of methods. Clicking on the method does give me a message stating that the testing form is not available to remote machines (as intended), but it does list information on how to issue a Soap Request and handle a Soap Response.

Additionally, I believe I'm being scraped by a bot of some sort of just a curious user, because I'm now getting error message in my log such as this...

System.InvalidOperationException: Request format is unrecognized for URL
unexpectedly ending in '/ValidateUsername'.

This happens if you try to issue a GET request (by manipulating the query string) against the service remotely. I'm glad that it's not handling the request as I don't want remote users access to this service, but I would prefer it not throw an error.

How can I lock down the webservice so that it is not available to remote machine, but still available to the local machine as a ScriptService consumably by ASP.NET Ajax?

UPDATE: Okay, here is workable example of what is happening.

WebSite: http://so.weirdwes.dyndns.org/default.aspx

WebService: http://so.weirdwes.dyndns.org/services/services.asmx

Web.Config:

<webServices>
  <protocols>
    <remove name="HttpGet"/>
    <remove name="HttpPost"/>
  </protocols>
</webServices>

The website is consuming the WebService using a ScriptManager tag and ScriptReference. You'll note if you click the button, the web service is called and everything works, even though Post and Get have been removed. This is fine as this is how we want it to work. The issue is this.... http://so.weirdwes.dyndns.org/services/services.asmx/GetRemoteAddr

Server Error in '/' Application.
--------------------------------------------------------------------------------

Request format is unrecognized for URL unexpectedly ending in '/GetRemoteAddr'.

A bot or something is scraping this URL and it's generating errors that we're get notified of. I want to supress this error or block it entirely. If I alter the Web.Config and add the Get and Post protocols back in, this error goes away - but then it allows access to the web service remotely using Get which we don't want.

Answer 1

Test against the ip address
Request.ServerVariables ["REMOTE_ADDR"]

Answer 2

IIS lets you white/black list IP groups in its configuration. Use that to lock it down to localhost. You can also configure your firewall to prevent anyone from hitting that port from outside.

Answer 3

I am kinda confused here.

Is this going to be called by the browser? if it will be, then you should allow remote access.