Restrict admin access to administrator IP/s

I think it's a reasonable request.

Why not have it off by default (thus the system is no different to what it's like now), however those that want to set it can.

For me, a change of IP isn't a concern, I can ssh in and change the config... yet I'm still protected against bots attempting to hit the http interface.
 
I think it is a good idea to restrict admin access to a certain IP or range of IPs. I think this should be done by somebody who really knows what they are doing. It should require ssh access to do it and not through the panel itself. By requiring it to be done through ssh access the administrator has demonstrated that he knows how to fix it himself before he enables it and gets locked out.
 
Hello,

I would have to agree that people would end up locking themselves out if it was easy to turn on through DA, so it would need to be enabled from ssh.

That being said, you can already do that with the all_pre.sh scripts.
This is a very basic example of what you can do:
http://help.directadmin.com/item.php?id=150

Other examples:
http://help.directadmin.com/?query=all_pre.sh

Note the $caller_ip environment variable is the IP of the client so you can compare to that.

Something like:
Code:
#!/bin/sh
if [ "$username" = "admin" ]; then
   if [ "$caller_ip" = "1.2.3.4" ]; then
      exit 0;
   else
      echo "Invalid admin IP";
      exit 1;
   fi
fi
exit 0;
should do the trick.
Change it around as needed for range checks instead of specific IPs.
chmod the all_pre.sh to 755.

Related if you want to block HTM files too:
http://www.directadmin.com/features.php?id=863

John
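
An added example, not part of the post above or of DirectAdmin's own documentation: one way to do the range check it mentions, as an all_pre.sh that matches $caller_ip against IPv4 CIDR blocks. The function names, the ALLOWED_NETS variable and the addresses in it are assumptions made for illustration; anything that is not a well-formed IPv4 address is refused for admin.

```shell
#!/bin/sh
# Added example: all_pre.sh that limits the admin login to IPv4 CIDR ranges.
# ALLOWED_NETS holds constructed documentation ranges; replace with your own.
ALLOWED_NETS="192.0.2.10/32 198.51.100.0/24"

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros (octal)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside CIDR block $2 (a bare IP is treated as /32).
in_cidr() {
    net=${2%/*}; bits=32
    case "$2" in */*) bits=${2#*/} ;; esac
    case "$bits" in ""|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip_n=$(ip_to_int "$1") && net_n=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# $1 = username, $2 = caller IP. Returns 0 to allow, 1 to refuse.
admin_ip_allowed() {
    [ "$1" = "admin" ] || return 0     # other accounts are not restricted
    for cidr in $ALLOWED_NETS; do
        in_cidr "$2" "$cidr" && return 0
    done
    return 1    # fail closed: unlisted, malformed or non-IPv4 caller
}

# username and caller_ip come from the environment, as in the script above.
if ! admin_ip_allowed "${username:-}" "${caller_ip:-}"; then
    echo "Invalid admin IP"
    exit 1
fi
```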
 