Restricting access to your website admin by IP address

Categories: WEBBY STUFF, Windows 2008 Server

Whether you are using a CMS or blogging app such as WordPress, Joomla, Drupal, or even a custom built app, then you likely have an admin system to manage your website and its content.

The problem is that hackers know this too, and they know that in most cases your admin will reside at www.yoursite.com/admin. They regularly attack this URL with brute-force password attacks or a bit of SQL injection, and unless you have logs you regularly monitor or a failed-login notification system, you will be completely oblivious to it. Many people get hacked and do not realise until months later that malware has been inserted into their site and is trying to infect all their visitors, and worse, that their site has been blacklisted/blocked as a malware site or that all their customer data has been stolen.

Now, at least with off-the-shelf open source apps like WordPress et al. you have the advantage that you can easily update to the latest version and thus plug any known security issues or vulnerabilities that arise, but with a custom-built app you do not have this luxury and will remain oblivious to any security holes in your app until it is too late.

The best solution is to add IP address restrictions to your admin folder so that only authorised people can access it.

With Apache

How to do this with Apache is pretty common knowledge: you simply use your .htaccess file, so I won't bother covering that here. For those who do not know, here are a couple of links showing you how to get it done.

With Microsoft IIS

However, doing this with Microsoft IIS is less common knowledge, and if you are on shared hosting you likely have no idea how to do it at all and probably do not have access either.

By default on IIS, IP address restrictions must be done via the IIS Management interface, and you need to install the "IP Security" feature; instructions on how to do that can be found HERE. If you are on a shared host you may need to ask them whether they have this installed, and if not, ask them to install it.
But even with this installed you are still restricted to doing the IP address restrictions via the MMC (see previous link), which means you need direct access to the server. One thing this lacks is the ability to add comments specifying who each IP address belongs to, which is very important if you want to allow an IP address temporarily or want to keep track of who each IP belongs to.

What you really want is to be able to add these IP restrictions in your web.config, so you can add comments next to each entry and do not have to log in to the server and use the MMC, à la Apache .htaccess.
The good news is that you can do this: all you have to do is enable the ipSecurity override in your ApplicationHost.config. For those who do not know, ApplicationHost.config is where IIS stores its global settings (such as default documents and handlers) and those which are not managed via web.config by default.

To edit this file go to C:\Windows\System32\inetsrv\config and open applicationhost.config in your favourite text editor.

NOTE: You need to be using a 64-bit text editor on a 64-bit OS, otherwise it will not be able to open the 64-bit version of this file and instead opens an alternate version of it, which is not the one in use. I discovered this after many hours of head scratching, as I always used Notepad++ by default, which is only a 32-bit editor.


Now find the following section:-

<section name="ipSecurity" overrideModeDefault="Deny" />

And change the "Deny" to "Allow". If you are on a shared host, you will need to ask them to make this change; there is really no reason for them not to allow this.

You can now use your web.config file to manage IP address restrictions.

How it's done
Example IP address restrictions. Comments are enclosed in <!-- --> and are not required, but I suggest you use them to record which IP is there and for what reason.

  • Allow all, but block specific IPs or networks
    <security>
       <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
           <clear/>     <!-- removes all parent restrictions -->
           <!-- an entry without allowed="true" is a deny (allowed defaults to false) -->
           <add ipAddress="83.116.19.53"/>     <!-- blocks the specific IP of 83.116.19.53 -->
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!-- blocks network 83.116.119.0 to 83.116.119.255 -->
           <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!-- blocks network 83.116.0.0 to 83.116.255.255 -->
           <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!-- blocks entire /8 network of 83.0.0.0 to 83.255.255.255 -->
       </ipSecurity>
    </security>
  • Deny all, but allow specific IPs or networks
    <security>
        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->
            <clear/> <!-- removes all parent restrictions -->
            <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
            <add ipAddress="83.116.19.53" allowed="true"/>   <!-- allow the specific IP of 83.116.19.53 -->
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>   <!-- allow network 83.116.119.0 to 83.116.119.255 -->
            <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>   <!-- allow network 83.116.0.0 to 83.116.255.255 -->
            <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>   <!-- allow entire /8 network of 83.0.0.0 to 83.255.255.255 -->
        </ipSecurity>
    </security>
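Because a mistake in an allow-list locks you out of your own admin folder, it is worth predicting the verdict for your own address before you upload the file. The script below is an added example, not part of the original post or of IIS: it parses the <system.webServer>/<security>/<ipSecurity> section of a web.config, applies the same defaults IIS uses (allowUnlisted defaults to true, an <add> without allowed="true" is a deny, a missing subnetMask means a single host), and reports whether a given client IP would get through for both the "allow all, block some" and "deny all, allow some" styles shown above. The two embedded web.config strings are constructed samples, and the first-match-wins policy for overlapping entries is this checker's own assumption, not a documented IIS guarantee.

```python
"""Offline checker for an IIS <ipSecurity> rule set (added example, not from the post)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample 1: "deny all, but allow specific IPs" (an allow-list for an admin folder).
ALLOW_LIST_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="83.116.19.53" allowed="true"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample 2: "allow all, but block specific IPs" (a deny-list).
DENY_LIST_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <clear/>
        <add ipAddress="83.116.19.53"/>
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""


def parse_ip_security(xml_text):
    """Return (allow_unlisted, rules) where rules is a list of (network, allowed)."""
    root = ET.fromstring(xml_text)
    section = root.find("./system.webServer/security/ipSecurity")
    if section is None:
        raise ValueError("web.config has no system.webServer/security/ipSecurity section")
    # IIS defaults: allowUnlisted="true"; an <add> without allowed="true" is a deny.
    allow_unlisted = section.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in section.findall("add"):
        ip = entry.get("ipAddress")
        mask = entry.get("subnetMask", "255.255.255.255")  # single host when omitted
        allowed = entry.get("allowed", "false").lower() == "true"
        network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        rules.append((network, allowed))
    return allow_unlisted, rules


def is_allowed(client_ip, allow_unlisted, rules):
    """Predict the verdict for one client address.

    Assumption (this checker's policy, not a documented IIS guarantee): the first
    entry whose network contains the client decides; an unmatched client gets the
    allowUnlisted default. Keep entries non-overlapping so ordering never matters.
    """
    addr = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if addr in network:  # version mismatch (IPv6 client, IPv4 rule) is simply no match
            return allowed
    return allow_unlisted


def check_config(xml_text, client_ip):
    """Parse a web.config string and answer: would client_ip be allowed?"""
    allow_unlisted, rules = parse_ip_security(xml_text)
    return is_allowed(client_ip, allow_unlisted, rules)


def lint_rules(allow_unlisted, rules):
    """Flag the two rule sets that are almost always mistakes."""
    warnings = []
    if not allow_unlisted and not any(allowed for _, allowed in rules):
        warnings.append("allowUnlisted=false with no allowed entries: everyone, including you, is locked out")
    if allow_unlisted and all(allowed for _, allowed in rules):
        warnings.append("allowUnlisted=true with no deny entries: the section restricts nothing")
    return warnings


if __name__ == "__main__":
    for name, cfg in (("allow-list", ALLOW_LIST_CONFIG), ("deny-list", DENY_LIST_CONFIG)):
        allow_unlisted, rules = parse_ip_security(cfg)
        print(name, "warnings:", lint_rules(allow_unlisted, rules))
        for ip in ("127.0.0.1", "83.116.19.53", "83.116.119.200", "83.116.120.1", "8.8.8.8"):
            verdict = "allow" if is_allowed(ip, allow_unlisted, rules) else "deny"
            print(f"  {ip:16} -> {verdict}")
```

Run it with your real web.config pasted in place of the samples and your own public address as the client; if the allow-list verdict for your address is not "allow", or lint_rules reports a lock-out, fix the file before uploading it, because once the folder is protected you will have no web access to correct it.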

Using IP Address Restrictions
  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content
  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
             <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
                <clear/> <!-- removes all parent restrictions -->
                <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
                <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
             </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
             <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
                <clear/> <!-- removes all parent restrictions -->
                <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
                <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
             </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section inside it
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          .. existing text ..
          <security>
             <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
                <clear/> <!-- removes all parent restrictions -->
                <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
                <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
             </ipSecurity>
          </security>
       </system.webServer>
    </configuration>

1 response to “Restricting access to your website admin by IP address”

  1. CFDude Says:
    excellent stuff, very useful, just had to do this.

Powered by Mango Blog. Design and Icons by N.Design Studio