Restrict IP ranges for admin users

[thoroughfare]

Hi,

Can you please add a feature to restrict access to the DA admin panel to only certain IP ranges? Perhaps you could add this to all user levels... it'd help security for sure.

Thanks,
Matt

 

[thoroughfare]

*bump*

Matt

 

[nobaloney]

While helping security, it might make it impossible for your clients to access their control panel from their ISP if their ISP uses dynamic IP allocation, and certainly while travelling.

Jeff

 

[thoroughfare]

True, but at least an admin feature would be good And they'd be able to set it themselves... so if they were going to travel they could edit the settings (as they'd be optional and turned off by default).

I have a dynamic IP, although it only changes when I reset my router. My IP block is always constant though.

Matt

 

[nobaloney]

True, but at least an admin feature would be good

You can certainly set it up yourself using KISS or some other firewall.

And they'd be able to set it themselves... so if they were going to travel they could edit the settings (as they'd be optional and turned off by default).

Giving them yet something else to forget to do before leaving home.

I have a dynamic IP, although it only changes when I reset my router. My IP block is always constant though.

Will your provider guarantee either of these?

Note that I'm not disagreeing with your premise, just pointing out some problems I forsee.

If your "people" always carry their own systems with them, then perhaps they could set up some kind of backdoor using a key pair kept on their laptop (for example for ssh).

Jeff

 

[thoroughfare]

How could I set up a firewall-based IP restriction for the admin login in DA?

Matt

 

[ProWebUK]

You can certainly set it up yourself using KISS or some other firewall.

Actually, that would be impossible for the admin level only, since it uses the same port as all user levels.

Chris

 

[thoroughfare]

That was what I thought..?

Matt

 

[blacknight]

It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

 

[ProWebUK]

It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

I actually think its a fair request (for the admin level) since theres often only 1 admin.

It of course, would have to be an option, all IP addresses are allowed access unless the admin specifies to only allow ip xxx.xxx.xxx.xxx.

Chris

 

[blacknight]

I disagree entirely

If you want to worry about security issues then the introduction of some security checks via the control panel, such as those available on cpanel servers, would make some sense.

From previous experience with remote admin for client companies this kind of IP based system is both illconceived and impractical. The ill conception stems from a misplaced belief that security at the application level is going to compensate for a potentiall misconfigured operating system.

 

[ProWebUK]

I disagree entirely

If you want to worry about security issues then the introduction of some security checks via the control panel, such as those available on cpanel servers, would make some sense.

From previous experience with remote admin for client companies this kind of IP based system is both illconceived and impractical. The ill conception stems from a misplaced belief that security at the application level is going to compensate for a potentiall misconfigured operating system.

Feel free to explain this concept used on CPanel systems... what security checks via the control panel? thats what we are talking about implementing..

If I may quote your last post:

It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

What myself (and Matt?) are suggesting has no relation at all with all users, it would not affect anyone at all besides the admin, and the admin has the choice of allowing all ips, or limiting to one ip or a range.

If you dont want to make use of this feature, you could simply just leave it so its accessable by all IPs, if you want the feature, you can configure it as you want.

I'm sure if its objected by one, and wanted by a couple it could be left as a directadmin.conf option to keep it totally out of the panel if not wanted.

Ill be honest and say im not to worried if its there or not, but I fully understand where Matt is coming from

Chris

 

[blacknight]

Cpanel has a number of integrated security checks that the admin user can run on the local filesystem. These include rootkit checks and other utilities.

 

[thoroughfare]

It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

Did you bother to read my post? We could restrict it to IP *ranges* - which in fact I would need since I use a dynamic IP.

I agree security should be addressed at the OS and daemon level - and indeed, my administration company and myself have secured our box as tightly as we can. We're implementing an ACL over the kernel soon using LIDS.

My point is that security is a muti-layered process. No box is 100% secure... but by creating as many barriers (layers) as possible, it makes it more and more difficult to break into a box.

Thanks,
Matt

 

[thoroughfare]

The ill conception stems from a misplaced belief that security at the application level is going to compensate for a potentiall misconfigured operating system.

Please read my above post - in fact, please reread the thread.

Matt

 

[blacknight]

Did you bother to read my post? We could restrict it to IP *ranges* - which in fact I would need since I use a dynamic IP.

I did read your post, but I still disagree with you.

I agree security should be addressed at the OS and daemon level - and indeed, my administration company and myself have secured our box as tightly as we can. We're implementing an ACL over the kernel soon using LIDS.

My point is that security is a muti-layered process. No box is 100% secure... but by creating as many barriers (layers) as possible, it makes it more and more difficult to break into a box.

Fair enough, however I would see a problem with more inexperienced admins seeing such an implementation as being a "silver bullet" solution.

Our network, for example, is completely protected by hardware firewalls, so even if there is an issue at the server level, be it OS or software, the damage can be limited to some degree.

 

[thoroughfare]

Cpanel has a number of integrated security checks that the admin user can run on the local filesystem. These include rootkit checks and other utilities.

DA users can run rootkit checkers anyway. I run two - chkrootkit and rookit hunter. DirectAdmin is intended not to be bloatware (please, someone tell me if I'm wrong) - so such extra features are left to the admin to configure as they please.

Introducing things such as rookkit checks into DA would simply make it less flexible and would leave less time for DA's developers to concentrate on what DA is really about.

Restricting IP ranges is just an extra security measure - similar to restricting the IPs which can access SSH.

Thanks,
Matt

 

[thoroughfare]

Fair enough, however I would see a problem with more inexperienced admins seeing such an implementation as being a "silver bullet" solution.

Indeed, some admins may think that. But that's their fault - if they're not experienced enough to know that, then they shouldn't be adminning servers. I don't mean to sound harsh - I'm not an expert at server administration by any stretch of the imagination - but that's why I hire professionals. Why should we suffer at the ignorance of the inexperienced?

Our network, for example, is completely protected by hardware firewalls, so even if there is an issue at the server level, be it OS or software, the damage can be limited to some degree.

No offence intended, it seems as though you regard your firewall as "a 'silver bullet' solution". One port is all it takes, combined with a software exploit. Firewalls don't limit damage once a cracker has broken into the box - they simply slow down a cracker, and possibly prevent him from breaking in in the first place. Inexperienced admins may see firewalls as a 'silver bullet' solution too... does that mean we shouldn't use firewalls?

Best regards,
Matt

 

[nobaloney]

Anyone here seen the movie "Runaway Jury"?

It's my impression this has become a runaway thread.

Let's go back to this question:

Since "admin" logins are handled by DA on the same port as the other user logins, restricting IP ranges for admin users is neither trivial nor easy.

It can be done by a redesign of how DA does logins.

is the additional security worth the redesign?

Jeff

 

[thoroughfare]

To me, what's important is that any IPs trying to access the admin panel which shouldn't be can't get access and are recorded.

For example, if an IP outside of a specified IP block tries to gain access, their IP is emailed to the admin user and they are blocked access to the admin panel.

I don't see why it would require such a redesign as you suggest - surely the DA login page could detect the IP being used to send requests to login as admin and deny users that use a wrong IP.

Where's the big redesign there?

Matt