Restrict IP ranges for admin users

I would think all thats required is a check of the remote ip address.

< 10 lines of bash scripting, and im sure the same for php - as for C I have no idea :D

Chris
 
Matt,

That's exactly what I mean by "a redesign of how DA does logins".

At the moment DA doesn't treat an admin login any differently than it does any other login.

Hence the redesign.

Jeff
 
At least we're thinking along the same lines :)

IMHO, it's hardly a difficult 'redesign' - in fact it's not a redesign at all - merely an additional piece of code.

An advanced PHP version of such code would take me about 20 lines. I'm not a C programmer so I can't comment on that, but it's more of an addition than a redesign.

Failed logins could just be sent to the standard 'invalid username/password' page.

Matt :)
 
ProWebUK said:
What myself (and Matt?) are suggesting has no relation at all with all users, it would not affect anyone at all besides the admin, and the admin has the choice of allowing all ips, or limiting to one ip or a range.
[/B]
Click to expand...

Sounds like an good idea. You can firewall the server, but the controlpannel port will stay open for customers, so I think it is smart to give this option to admins or even to customers and resellers.


An other option is to switch the admin controlpanel port to an other port. This way you could use your firewall to control ip's to that port.
 
I think that's will be good feature.

We will be able to create separate user for API-calls and allow it's access only from server where our software hosted.
 
I think DA should think about that.

It's always risky to use API calls in scripts. We always taking a risk of revealing password of privelleged user. Of course it's completely in our hands, but peoples a making mistakes and someday some little (or big) security hole may appear in script (especially, if it's huge and complicated billing software).
So it will be much more calmy for me, if some critical functions (deleting users, for example) will be restricted and access will be allowed from only one ip.

It's possible to reduce those risks by adding some restrictions for admin users created in DA.

1) Specify IP-range access is allowed from.
2) Specify list of allowed(disallowed?) commands (CMD_ACCOUNT_USER, CMD_API_SHOW_USER_CONFIG, CMD_USER_PASSWD, etc.)

PS: By the way, I recommend NEVER RUN important scripts under mod_php! Your files with chmod 644 can be readed by other users on server in so many ways... (Even if you are using safe_mode/open_basedir, and exec-related functions is disabled, and public_html is user:apache 750, i still know one method to read it ;) So chmod 600 and run your php-scripts under CGI. Yeah, it's slower, but much more secure.
 
Last edited:
You can use IonCube to encode your scripts too, which will hide your passwords if someone hacks one of your servers and goes looking through your scripts :)

Matt
 
Hmm... So simple. I forgot about that :)
But are you sure there is no way to reveal constant strings from encoded script?

Anyway, i think it's TOO dangerous if someone got your scripts even if those scripts are encoded. They can run script and use strace, ltrace, tcpdump, etc to reveal sensitive information from it.
 
Last edited:
I don't think changing it where admin has its own port like CPanel and other control panels is going to help the security for the password. The fact is you need a hard password and be able to restrict certain IPs and hosts or be able to put * in the IP or host so if your IP is dynamic you will not be blocked out. Acourse this will not keep you totally secure so like others said running things like rootkit scanner would help to.
 
You must log in or register to reply here.
Back
Top