Restrict admin access to administrator ip/s

PauGasol

Hi,

When you have more than 20 boxes, you try to use easy passwords, but that can be insecure. I think it would be safer to restrict administrator access to only some IPs or ranges. Only a few people need to access DA as admin, so I think it shouldn't be open to all IPs.

I think a simple include in the theme to check the IP of the visitor will be enough.

Thanks.

Please reply to the thread if you think that is a good request.
 
Just wait until your ISP changes your IP# without warning...

Or even now, if you've got dynamic IP from your ISP... or perhaps from your laptop when you travel.

Jeff
 
There are proxies for travelling, and all the hosting companies have static IPs.. they are even RIPE members. I think it is an easy hack and optional; I don't understand your reply.

Thanks
 
You will if it happens to you and you can't get into your server.

So even if DirectAdmin includes it, I wouldn't use it. I use good password protection. I didn't say security is easy. And of course it's full of tradeoffs.

Jeff
 
May I suggest having a user_login_pre.sh in /usr/local/directadmin/scripts/custom,
so that we can implement some custom security checking before the actual login.

For example, if the login name is admin and the remote_ip is not in the selected range, then the custom script exits 1 and lets DirectAdmin return an error.
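
One way the check suggested in the post above could look, as an added example that is not part of the original thread and not DirectAdmin's own code. It goes beyond a single address and accepts CIDR ranges, as the first post asked; the hook interface (login name and client IP as two arguments), the function names and the sample allowlist are assumptions.

```shell
#!/bin/sh
# Added example: allowlist check for a pre-login hook. The hook interface
# (login name and client IP passed as $1 and $2) is an assumption.

# Constructed sample allowlist: single IPv4 addresses or CIDR ranges.
ADMIN_ALLOW="192.0.2.10 198.51.100.0/24"

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ "$#" -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*|????*) exit 1 ;; esac   # no leading zeros (octal)
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed if address $1 lies inside entry $2 ("a.b.c.d" or "a.b.c.d/bits").
in_cidr() (
    net=${2%/*}; bits=32
    case "$2" in */*) bits=${2#*/} ;; esac
    case "$bits" in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$bits" -le 32 ] || exit 1
    addr=$(ip_to_int "$1") || exit 1
    base=$(ip_to_int "$net") || exit 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
)

# Succeed for any non-admin login; for "admin" only from an allowed entry.
# Anything that cannot be parsed is refused (fail closed).
admin_login_allowed() {
    [ "$1" = "admin" ] || return 0
    for entry in $ADMIN_ALLOW; do
        in_cidr "$2" "$entry" && return 0
    done
    return 1
}

# In the hook itself: admin_login_allowed "$login" "$remote_ip" || exit 1
```

Keeping more than one entry in the allowlist (an office range plus a proxy address, for example) addresses the lock-out concern raised elsewhere in the thread.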
 
If this feature was to be implemented, I personally would not use it. Primarily because of what jlasman said, if your IP address was to change, you could potentially lock yourself out..

The best way to secure yourself is to use a sophisticated password. A decent username also aids your security, such as adding a few digits on the end.
 
OK, but we request an OPTIONAL function; I don't understand the problem of the people with negative answers to this request. :eek:
 
all the hosting companies have static IPs

So what does that have to do with the IP address that is assigned by your ISP? What happens when your ISP changes your IP address? Then suddenly you cannot get into DirectAdmin.
 
OK, but we request an OPTIONAL function; I don't understand the problem of the people with negative answers to this request. :eek:

Because somebody not knowing what they are doing is going to lock themselves out and blame DirectAdmin for it.
 
Because somebody not knowing what they are doing is going to lock themselves out and blame DirectAdmin for it.

:eek: :confused:

1 - Disabled by default

2 - Option only for admin level. And if there are DA admins out there that lock themselves out and don't know why...
 
Ok let's end this discussion here. You can already do this with skins so if you want to do it then nothing prevents you from doing it.

Put this at the top of the header.html skin:

Code:
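|$/usr/local/bin/php
<?php
// Address of the client making this request.
$ip=getenv('REMOTE_ADDR');
// DirectAdmin replaces the |USERNAME| token with the logged-in user.
$user="|USERNAME|";

// Logged in as admin from any address other than the allowed one:
if (($user == "admin") AND ($ip != "1.2.3.4")){

        // emit a meta refresh; the redirect is carried out by the browser
        echo "<meta http-equiv=\"refresh\" content=\"0;url=http://www.google.com\">";
}

?>
DONE|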

1.2.3.4 is the IP you want admin restricted to.

This way only people who know what they are doing will be able to enable this and if for some reason they get locked out they know how to go in and change it.

Too many times people get VPS's or dedicated servers with DirectAdmin and they think they are admins now but without a clue how to ssh in and fix something. It is those people we want to protect. We don't want to make it easy for somebody to lock themselves out. It should not be as easy as filling out a text box with the ip address. What if they mistype and click submit? Now they are locked out and no way to fix it. It should not be easy to enable a feature such as this.
 
:eek: :confused:

1 - Disabled by default

2 - Option only for admin level. And if there are DA admins out there that lock themselves out and don't know why...

If you are at your home and you want to connect to your DirectAdmin server at the datacenter, the ADSL modem / cable modem at your home will get a dynamic IP address from your ISP.

So, if you have a list on your server which only accepts a specific IP address to connect, you will be unable to log in as admin when your ISP changes the IP address assigned through your ADSL/cable modem. Of course, if your ISP assigns a fixed IP address to your home connection, you will have no problem.

However, if you are travelling and need to use your notebook to connect to the server, you cannot know the IP assigned beforehand, i.e. you cannot add the IP to the allowed list on the server beforehand and you will become unable to log in to the server while travelling.
 
If you are at your home and you want to connect to your DirectAdmin server at the datacenter, the ADSL modem / cable modem at your home will get a dynamic IP address from your ISP.

So, if you have a list on your server which only accepts a specific IP address to connect, you will be unable to log in as admin when your ISP changes the IP address assigned through your ADSL/cable modem. Of course, if your ISP assigns a fixed IP address to your home connection, you will have no problem.

However, if you are travelling and need to use your notebook to connect to the server, you cannot know the IP assigned beforehand, i.e. you cannot add the IP to the allowed list on the server beforehand and you will become unable to log in to the server while travelling.

OPTIONAL OPTIONAL... why does Plesk have this function, for example? You can use your own proxy server, a safe proxy server.. do you know applications such as SSL Explorer? You always need a bridge between the world and your servers if you are travelling.. for example, we have more than 30 servers and SSH is firewalled to our IPs (proxy IP and static IPs of workers).. I always prefer more security.

Sorry for my bad English.
 
If I make my own hack, after a DA update I need to rehack the code.

I see what you mean. Copying and pasting a few lines of code into one file every time there is an update is a real pain.
 
Run this as a cron job every day on each of your servers and you never have to worry about it again. Use at your own risk. It is a good idea to back up header.html. Change 1.2.3.4 to the IP you really want to have admin access. This is just one example of how to do it. I am sure there are many more ways.

Code:
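#!/usr/bin/perl
use strict;
use warnings;

# Skin file that a DirectAdmin update may overwrite.
my $header = '/usr/local/directadmin/data/skins/enhanced/header.html';

# Read the current header.
open(my $in, '<', $header) or die "Cannot read $header: $!";
my @file = <$in>;
close($in);

# Re-insert the snippet only if the marker is not already on the first line.
if (!@file || $file[0] !~ /Begin admin ip restriction/){

        # Single-quoted heredoc: nothing is interpolated, the PHP is written as-is.
        my $snippet = <<'EOT';
<!-- Begin admin ip restriction -->
|$/usr/local/bin/php
<?php
$ip=getenv('REMOTE_ADDR');
$user="|USERNAME|";

if (($user == "admin") AND ($ip != "1.2.3.4")){

        echo "<meta http-equiv=\"refresh\" content=\"0;url=http://www.google.com\">";
}

?>
DONE|

EOT

        # Write the snippet first, then the original header contents.
        open(my $out, '>', $header) or die "Cannot write $header: $!";
        print $out $snippet, @file, "\n\n";
        close($out) or die "Cannot close $header: $!";
}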

There is always a way to do whatever you want. You just have to figure it out.
 