Locking Down Admin Area By Ip

[gutterboy]

I am attempting to lock down our admin area by IP via .htaccess with something like this:

order deny,allow
deny from all
allow from 123.456.78.9

<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

I have also renamed (or re-routed) our admin directory to another name; in this example let's call it "abc".

 

So because there is no real "/abc/" directory I created one and placed this file inside it; however when I did that going to "/abc/" no longer redirected to "/abc/login/"; I had to manually go there.

 

Is there a way I can protect via IP without affecting anything else?

 

Thanks!

[Michael]

Nope, I've tried, but no-one's going to know your secret admin route, and if you are concerned, do what we do, every so often change it.

[gutterboy]

That's a shame. Don't really wanna leave the admin open like that, like a bit more security than just be obscurity.

[flangefrog]

Try something like the below in your main .htaccess file.

RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1
RewriteRule .* - [F]

[Blesta Addons]

let me try to see if i can make a plugin for that

[Michael]

It is coming in the future I believe. CORE-1324 But I forgot to mention it as I forgot

[gutterboy]

  On 10/10/2014 at 11:26 AM, flangefrog said:

 

Try something like the below in your main .htaccess file.

RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1
RewriteRule .* - [F]

 

So I just add each IP I want to allow similar to have how you have added the one there?

[flangefrog]

  On 10/10/2014 at 12:39 PM, gutterboy said:

So I just add each IP I want to allow similar to have how you have added the one there?

 

Yes, by default Apache will add an AND between each condition. You can add [OR] at the end of the condition if you want OR instead.

 

This is regex so you could also add an IP range or whatever you want.

[gutterboy]

  On 10/10/2014 at 1:53 PM, flangefrog said:

Yes, by default Apache will add an AND between each condition. You can add [OR] at the end of the condition if you want OR instead.

 

This is regex so you could also add an IP range or whatever you want.

 

In this situation you would want AND though right!? It's basically saying if it's not that AND not that AND not that then send to forbidden?

 

As for ranges, would this be right?

RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1
RewriteCond %{REMOTE_ADDR} !^128\.0\.
RewriteRule .* - [F]

[flangefrog]

  On 10/10/2014 at 2:11 PM, gutterboy said:

 

In this situation you would want AND though right!? It's basically saying if it's not that AND not that AND not that then send to forbidden?

 

As for ranges, would this be right?

RewriteCond %{REQUEST_URI} ^/admin
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1
RewriteCond %{REMOTE_ADDR} !^128\.0\.
RewriteRule .* - [F]

 

AND is correct, I just mentioned that in case you wanted to use any other conditions. The IP range looks alright to me

[gutterboy]

Hmmmmmmm....... couldn't get it to work. Oh well, will just wait for the update from Blesta I guess.

[flangefrog]

  On 10/10/2014 at 3:33 PM, gutterboy said:

Hmmmmmmm....... couldn't get it to work. Oh well, will just wait for the update from Blesta I guess.

 

Is your url something like yourdomain.com/blesta/admin? If so you would need to change ^/admin to ^/blesta/admin

[gutterboy]

  On 10/10/2014 at 3:36 PM, flangefrog said:

Is your url something like yourdomain.com/blesta/admin? If so you would need to change ^/admin to ^/blesta/admin

 

Yeah, but I put it inside the blesta .htaccess file.

 

Side question: Noticed in your sig you nave a paypal express checkout on your "todo" list; is that the same as my feature request?

[Paul]

Yup, CORE-1324. I also suggest setting up 2FA for all staff, if you haven't already.

[flangefrog]

  On 10/10/2014 at 3:45 PM, gutterboy said:

Yeah, but I put it inside the blesta .htaccess file.

 

Even if you put it in the Blesta .htaccess it is still going to be running the regex on the full url so ^/admin won't work as ^ denotes the start of the string.

  On 10/10/2014 at 3:45 PM, gutterboy said:

Side question: Noticed in your sig you nave a paypal express checkout on your "todo" list; is that the same as my feature request?

Yes it is, however my priorities have changed so you won't see it within the next few months. I also haven't had a good look at how Blesta handles merchant gateways that only store a token instead of the actual card details. It may not be possible yet without core changes.

[gutterboy]

  On 10/10/2014 at 3:53 PM, flangefrog said:

 

Even if you put it in the Blesta .htaccess it is still going to be running the regex on the full url so ^/admin won't work as ^ denotes the start of the string.

Yes it is, however my priorities have changed so you won't see it within the next few months. I also haven't had a good look at how Blesta handles merchant gateways that only store a token instead of the actual card details. It may not be possible yet without core changes.

 

No worries, thanks for the answer.

[Blesta Addons]

This has been fully added to my next release of "Admin Tools" plugins , now you can set wich IP to access admin area , if not authorized redirect to 404 error page .

 

also i have implemented a new security way , to block access direct link of uninstalled plugins , now if the plugin is not installed no one can access it , i'm working now in modules too , to forbidden access if not installed .

 

need also block access to  client side by IP

 

i will finish the complete rewrite of this plugin and making some tests  and i will make it available next week .

[gutterboy]

  On 10/12/2014 at 2:09 AM, naja7host said:

This has been fully added to my next release of "Admin Tools" plugins , now you can set wich IP to access admin area , if not authorized redirect to 404 error page .

 

also i have implemented a new security way , to block access direct link of uninstalled plugins , now if the plugin is not installed no one can access it , i'm working now in modules too , to forbidden access if not installed .

 

need also block access to  client side by IP

 

i will finish the complete rewrite of this plugin and making some tests  and i will make it available next week .

 

Most excellent!