
Restrict Admins by IP Address?



#1 Carlovski

Carlovski

    IPB Newbie

  • Visitors
  • 3 posts

Posted 09 February 2012 - 07:04 AM

Hi,
Does anyone know whether it would be possible to restrict logons for Administrators by IP address/range?
What we would like to do is force admins and moderators to access an IPB site via a 2-factor authentication service, and hence would be accessing the site via the proxy server. If we can only allow logins from that address/range then that should do the trick.
Ideally some out of the box solution, or an available plugin, but can write some code if necessary.
Or has anyone got any better ideas?

Regards,

Carl

#2 omarf

omarf

    IPB Newbie

  • Visitors
  • 25 posts

Posted 09 February 2012 - 09:29 AM

You could use a .htaccess file to restrict access to files in the admin directory.

#3 bfarber

bfarber

    RBT-KS

  • IPS Management
  • 24,886 posts

Posted 09 February 2012 - 09:40 AM

IP.Board does not have a feature to restrict administrator logins via an IP address out of the box, however you could very easily add a .htaccess file to your /admin directory to do this.

order deny,allow
deny from all
allow from 123.45.6.7

Something along those lines.  There are many guides out there to help you understand .htaccess formats.

Brandon Farber
Developer / Senior Support

If it sounds like fun, it's not allowed on the bus!


Invision Power Services, Inc.


#4 themagnet

themagnet

    IPB Newbie

  • Visitors
  • 5 posts

Posted 09 February 2012 - 10:58 AM

If you are using a Linux box, you can also set iptables on it to achieve what you're trying to do.
You're never a loser until you quit trying.

#5 Weatherz

Weatherz

    Advanced Member

  • Previous Members
  • 236 posts

Posted 09 February 2012 - 09:29 PM

You can use something like this:
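<?php
// IP addresses allowed to open the admin area
$allow = array("127.0.0.1", "127.0.0.1");
// X-Forwarded-For is absent on direct connections; default it to an empty string
$forwarded = isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : "";
if(!in_array($_SERVER['REMOTE_ADDR'], $allow) && !in_array($forwarded, $allow)) {
	header("Location: http://redirectedurl.com/");
	exit();
} ?>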

Replacing the local host IP addresses with your admin's IP Addresses and redirectedurl.com with the page you would like unauthorized people to see.

To add more IP Addresses, just follow the pattern already made.

This is not recommended if your admins have multiple IP addresses or their IP changes very often. Although you can add IP addresses as you wish.

To use the code, open your index.php file located in your /admin folder and place the code above ALL code.
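
A hardened variant of the check in post #5, as an added example (not Weatherz's code and not part of IP.Board): it accepts address ranges in CIDR form and reads X-Forwarded-For only when the connection itself comes from a proxy you operate, because that header is supplied by the client and REMOTE_ADDR is not. The addresses and the names $ADMIN_NETS, $TRUSTED_PROXIES, ip_in_cidr, in_any and client_ip are assumptions made for illustration.

```php
<?php
// Added example, not IP.Board code. All addresses are constructed placeholders.
$ADMIN_NETS      = array('192.0.2.10/32', '198.51.100.0/24'); // assumed admin sources
$TRUSTED_PROXIES = array('203.0.113.5/32');                   // assumed proxies you run

// True if $ip lies inside $cidr (IPv4 or IPv6); malformed input never matches.
function ip_in_cidr($ip, $cidr) {
    $parts = explode('/', $cidr, 2);
    $addr  = @inet_pton($ip);
    $net   = @inet_pton($parts[0]);
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;
    }
    $max = strlen($addr) * 8;
    if (isset($parts[1]) && !ctype_digit($parts[1])) return false;
    $bits = isset($parts[1]) ? (int) $parts[1] : $max;
    if ($bits > $max) return false;
    $full = $bits >> 3;                       // whole bytes covered by the prefix
    if (substr($addr, 0, $full) !== substr($net, 0, $full)) return false;
    $rem = $bits & 7;                         // leftover bits in the next byte
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($addr[$full]) & $mask) === (ord($net[$full]) & $mask);
}

function in_any($ip, $nets) {
    foreach ($nets as $n) {
        if (ip_in_cidr($ip, $n)) return true;
    }
    return false;
}

// Address to authorise: the TCP peer, unless that peer is one of our proxies.
function client_ip($server, $proxies) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_any($peer, $proxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // header ignored: not relayed by a trusted proxy
    }
    // Walk right to left; the first hop that is not our proxy is the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (!in_any($hop, $proxies)) return $hop;
    }
    return $peer;
}

if (!in_any(client_ip($_SERVER, $TRUSTED_PROXIES), $ADMIN_NETS)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}
```

The gate fails closed: a missing REMOTE_ADDR, an unparsable address or a malformed CIDR entry all end in the 403 branch.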

#6 Carlovski

Carlovski

    IPB Newbie

  • Visitors
  • 3 posts

Posted 10 February 2012 - 01:12 PM

bfarber, on 09 February 2012 - 09:40 AM, said:

IP.Board does not have a feature to restrict administrator logins via an IP address out of the box, however you could very easily add a .htaccess file to your /admin directory to do this.

order deny,allow
deny from all
allow from 123.45.6.7

Something along those lines.  There are many guides out there to help you understand .htaccess formats.

Thanks,
Would that prevent all admin type functions? What about 'inline' type actions on forums etc?

#7 Carlovski

Carlovski

    IPB Newbie

  • Visitors
  • 3 posts

Posted 10 February 2012 - 01:15 PM

Weatherz, on 09 February 2012 - 09:29 PM, said:

You can use something like this:
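<?php
// IP addresses allowed to open the admin area
$allow = array("127.0.0.1", "127.0.0.1");
// X-Forwarded-For is absent on direct connections; default it to an empty string
$forwarded = isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : "";
if(!in_array($_SERVER['REMOTE_ADDR'], $allow) && !in_array($forwarded, $allow)) {
	header("Location: http://redirectedurl.com/");
	exit();
} ?>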

Replacing the local host IP addresses with your admin's IP Addresses and redirectedurl.com with the page you would like unauthorized people to see.

To add more IP Addresses, just follow the pattern already made.

This is not recommended if your admins have multiple IP addresses or their IP changes very often. Although you can add IP addresses as you wish.

To use the code, open your index.php file located in your /admin folder and place the code above ALL code.

Thanks,
That was the sort of thing I was thinking of, but is there any way to enforce this at logon for the set of admin/moderator users? I don't know IPB at all yet, but I imagine that there is some sort of standard login module that could be extended?

#8 bfarber

bfarber

    RBT-KS

  • IPS Management
  • 24,886 posts

Posted 10 February 2012 - 09:01 PM

Carlovski, on 10 February 2012 - 01:12 PM, said:

Thanks,
Would that prevent all admin type functions? What about 'inline' type actions on forums etc?

This would not affect the front end, no.  However, administrative functions are primarily housed in the ACP.

You could use mod_rewrite to redirect users based on certain conditions if they don't have permission, but I think this would get complicated, and should largely be unnecessary.  We do not do anything of this sort on our site.

Brandon Farber
Developer / Senior Support

If it sounds like fun, it's not allowed on the bus!


Invision Power Services, Inc.




