Restrict IP ranges for admin users
- Thread starter thoroughfare
- Start date
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Matt,
That's exactly what I mean by "a redesign of how DA does logins".
At the moment DA doesn't treat an admin login any differently than it does any other login.
Hence the redesign.
Jeff
That's exactly what I mean by "a redesign of how DA does logins".
At the moment DA doesn't treat an admin login any differently than it does any other login.
Hence the redesign.
Jeff
thoroughfare
Verified User
- Joined
- Aug 11, 2003
- Messages
- 543
At least we're thinking along the same lines 
IMHO, it's hardly a difficult 'redesign' - in fact it's not a redesign at all - merely an additional piece of code.
An advanced PHP version of such code would take me about 20 lines. I'm not a C programmer so I can't comment on that, but it's more of an addition than a redesign.
Failed logins could just be sent to the standard 'invalid username/password' page.
Matt
IMHO, it's hardly a difficult 'redesign' - in fact it's not a redesign at all - merely an additional piece of code.
An advanced PHP version of such code would take me about 20 lines. I'm not a C programmer so I can't comment on that, but it's more of an addition than a redesign.
Failed logins could just be sent to the standard 'invalid username/password' page.
Matt
ProWebUK said:
Sounds like an good idea. You can firewall the server, but the controlpannel port will stay open for customers, so I think it is smart to give this option to admins or even to customers and resellers.
An other option is to switch the admin controlpanel port to an other port. This way you could use your firewall to control ip's to that port.
ClayRabbit
Verified User
I think that's will be good feature.
We will be able to create separate user for API-calls and allow it's access only from server where our software hosted.
We will be able to create separate user for API-calls and allow it's access only from server where our software hosted.
ClayRabbit
Verified User
I think DA should think about that.
It's always risky to use API calls in scripts. We always taking a risk of revealing password of privelleged user. Of course it's completely in our hands, but peoples a making mistakes and someday some little (or big) security hole may appear in script (especially, if it's huge and complicated billing software).
So it will be much more calmy for me, if some critical functions (deleting users, for example) will be restricted and access will be allowed from only one ip.
It's possible to reduce those risks by adding some restrictions for admin users created in DA.
1) Specify IP-range access is allowed from.
2) Specify list of allowed(disallowed?) commands (CMD_ACCOUNT_USER, CMD_API_SHOW_USER_CONFIG, CMD_USER_PASSWD, etc.)
PS: By the way, I recommend NEVER RUN important scripts under mod_php! Your files with chmod 644 can be readed by other users on server in so many ways... (Even if you are using safe_mode/open_basedir, and exec-related functions is disabled, and public_html is user:apache 750, i still know one method to read it
So chmod 600 and run your php-scripts under CGI. Yeah, it's slower, but much more secure.
It's always risky to use API calls in scripts. We always taking a risk of revealing password of privelleged user. Of course it's completely in our hands, but peoples a making mistakes and someday some little (or big) security hole may appear in script (especially, if it's huge and complicated billing software).
So it will be much more calmy for me, if some critical functions (deleting users, for example) will be restricted and access will be allowed from only one ip.
It's possible to reduce those risks by adding some restrictions for admin users created in DA.
1) Specify IP-range access is allowed from.
2) Specify list of allowed(disallowed?) commands (CMD_ACCOUNT_USER, CMD_API_SHOW_USER_CONFIG, CMD_USER_PASSWD, etc.)
PS: By the way, I recommend NEVER RUN important scripts under mod_php! Your files with chmod 644 can be readed by other users on server in so many ways... (Even if you are using safe_mode/open_basedir, and exec-related functions is disabled, and public_html is user:apache 750, i still know one method to read it
So chmod 600 and run your php-scripts under CGI. Yeah, it's slower, but much more secure.
Last edited:
thoroughfare
Verified User
- Joined
- Aug 11, 2003
- Messages
- 543
ClayRabbit
Verified User
Hmm... So simple. I forgot about that
But are you sure there is no way to reveal constant strings from encoded script?
Anyway, i think it's TOO dangerous if someone got your scripts even if those scripts are encoded. They can run script and use strace, ltrace, tcpdump, etc to reveal sensitive information from it.
But are you sure there is no way to reveal constant strings from encoded script?
Anyway, i think it's TOO dangerous if someone got your scripts even if those scripts are encoded. They can run script and use strace, ltrace, tcpdump, etc to reveal sensitive information from it.
Last edited:
ProHS
Verified User
I don't think changing it where admin has its own port like CPanel and other control panels is going to help the security for the password. The fact is you need a hard password and be able to restrict certain IPs and hosts or be able to put * in the IP or host so if your IP is dynamic you will not be blocked out. Acourse this will not keep you totally secure so like others said running things like rootkit scanner would help to.
aitorserra
Verified User
- Joined
- Jul 4, 2019
- Messages
- 28
Here my vote for this feature too. It could be as easy as:
admin_ip=x.x.x.x
admin_ip=x.x.x.x