Restrict acces to admin by IP

[dab]

I recently upgraded my site from 1.3.7 to 1.5.0 and everything seems to be working well.

One thing I did notice is that I used to restrict access to the admin area to just my IP by a mod in the admin .htaccess

Code:

# Restrict IP for admin logon
<Limit GET POST>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Limit>

If I add this now, it doesn't work properly, presumably as there have been mods to the standard admin .htaccess (probably at 1.3.9).
In the new file, searching the forums gives a suggestion of changing:

Code:

# but now allow just *certain* necessary files:
<FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
  Order Allow,Deny
  Allow from all
</FilesMatch>

to

Code:

# but now allow just *certain* necessary files:
<FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
  Order Allow,Deny
  Allow from xxx.xxx.xxx.xxx
</FilesMatch>

This does seem to work ok, but is it likely to cause any issues to the normal running of ZC. I am just trying to tighten security, but if it's likely to cause problems, or have no real benefit, then I may be better leaving it standard.

[DrByte]

If I add this now, it doesn't work properly

It's really hard to tell what you mean by "it doesn't work properly".
WHAT doesn't work properly? What do you mean by "it"?
What were you expecting "it" to do?
What DOES happen?
Does it make funny sounds and display animated cartoons on the screen or something?

The point: using the word "it" as the ONLY description of your problem is really just a waste of time.

I must assume that by "it" you're referring to attempts to login to your Admin. But you're not even explaining what is vs isn't happening, compared to your expectations.

Code:

  Allow from xxx.xxx.xxx.xxx
</FilesMatch>

This does seem to work ok, but is it likely to cause any issues to the normal running of ZC.

That should be fine, assuming it's the only change you're making to the file. If you are making other changes to the file too, or if you're adding mods that require changes to the file, then there could be more involved in establishing a secure setup.

[dab]

Thanks for the reply, it was getting late and I should have included more detail.
What I am trying to achieve is to increase security by restricting the IP addresses that can access the admin section to just my static IP.
This seems to me a reasonable thing to do, as I assume it will make it harder for any potential hacker if they are unable to access any of the admin files, and get a 403 forbidden error. I don't need to logon to the admin area from other locations.
I am not making any changes to the zc 1.5.0 admin .htaccess other than the one I mentioned.

The problem with using the previous limit method on ZC 1.5.0 is that it doesn't work the way it did on 1.3.7 - it now allows access to the admin from a restricted IP. If I use a URL of ...mysite/renamed_admin then I do get a 403 error, but if I put ...mysite/renamed_admin/login.php then the logon page comes up, and I can log in, and go anywhere in the admin.

Making the change to the filesmatch section on the new .htaccess file

Code:

<FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
  Order Allow,Deny
  Allow from xxx.xxx.xxx.xxx
</FilesMatch>

(obviously changing the xxx's to my IP) seems to have the desired effect - lets me logon to admin from my IP, and gives a 403 forbidden error from other IP's. I was just concerned that doing this may break something else, hence the question.

[DrByte]

The problem with using the previous limit method is that it doesn't work the way it did on 1.3.7 - it now allows access to the admin from a restricted IP. If I use a URL of ...mysite/renamed_admin then I do get a 403 error, but if I put ...mysite/renamed_admin/login.php then the logon page comes up, and I can log in

That was the main information that was missing in your prior post.

And yes, the changes you made by specifying your single IP address instead of "all" should accomplish the desired result with no undesired side effects.