#1 dab (Join Date: Jan 2007, Location: UK, Posts: 59, Plugin Contributions: 0)

    Restrict access to admin by IP

    I recently upgraded my site from 1.3.7 to 1.5.0 and everything seems to be working well.

    One thing I did notice is that I used to restrict access to the admin area to just my IP by a mod in the admin .htaccess
    Code:
    # Restrict IP for admin logon
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    </Limit>
    If I add this now, it doesn't work properly, presumably as there have been mods to the standard admin .htaccess (probably at 1.3.9).
    In the new file, searching the forums gives a suggestion of changing:
    Code:
    # but now allow just *certain* necessary files:
    <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    to
    Code:
    # but now allow just *certain* necessary files:
    <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
      Order Allow,Deny
      Allow from xxx.xxx.xxx.xxx
    </FilesMatch>
    This does seem to work OK, but is it likely to cause any issues to the normal running of ZC? I am just trying to tighten security, but if it's likely to cause problems, or have no real benefit, then I may be better off leaving it standard.

#2 DrByte (Join Date: Jan 2004, Posts: 66,364, Blog Entries: 7, Plugin Contributions: 274)

    Re: Restrict access to admin by IP

    Quote Originally Posted by dab View Post
    If I add this now, it doesn't work properly
    It's really hard to tell what you mean by "it doesn't work properly".
    WHAT doesn't work properly? What do you mean by "it"?
    What were you expecting "it" to do?
    What DOES happen?
    Does it make funny sounds and display animated cartoons on the screen or something?

    The point: using the word "it" as the ONLY description of your problem is really just a waste of time.

    I must assume that by "it" you're referring to attempts to login to your Admin. But you're not even explaining what is vs isn't happening, compared to your expectations.

    Quote Originally Posted by dab View Post
    Code:
      Allow from xxx.xxx.xxx.xxx
    </FilesMatch>
    This does seem to work ok, but is it likely to cause any issues to the normal running of ZC.
    That should be fine, assuming it's the only change you're making to the file. If you are making other changes to the file too, or if you're adding mods that require changes to the file, then there could be more involved in establishing a secure setup.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

#3 dab (Join Date: Jan 2007, Location: UK, Posts: 59, Plugin Contributions: 0)

    Re: Restrict access to admin by IP

    Thanks for the reply, it was getting late and I should have included more detail.
    What I am trying to achieve is to increase security by restricting the IP addresses that can access the admin section to just my static IP.
    This seems to me a reasonable thing to do, as I assume it will make it harder for any potential hacker if they are unable to access any of the admin files, and get a 403 forbidden error. I don't need to logon to the admin area from other locations.
    I am not making any changes to the zc 1.5.0 admin .htaccess other than the one I mentioned.

    The problem with using the previous limit method on ZC 1.5.0 is that it doesn't work the way it did on 1.3.7 - it now allows access to the admin from a restricted IP. If I use a URL of ...mysite/renamed_admin then I do get a 403 error, but if I put ...mysite/renamed_admin/login.php then the logon page comes up, and I can log in, and go anywhere in the admin.

    Making the change to the filesmatch section on the new .htaccess file
    Code:
    <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
      Order Allow,Deny
      Allow from xxx.xxx.xxx.xxx
    </FilesMatch>
    (obviously changing the xxx's to my IP) seems to have the desired effect: it lets me log on to admin from my IP, and gives a 403 Forbidden error from other IPs. I was just concerned that doing this may break something else, hence the question.

#4 DrByte (Join Date: Jan 2004, Posts: 66,364, Blog Entries: 7, Plugin Contributions: 274)

    Re: Restrict access to admin by IP

    Quote Originally Posted by dab View Post
    The problem with using the previous limit method is that it doesn't work the way it did on 1.3.7 - it now allows access to the admin from a restricted IP. If I use a URL of ...mysite/renamed_admin then I do get a 403 error, but if I put ...mysite/renamed_admin/login.php then the logon page comes up, and I can log in
    That was the main information that was missing in your prior post.

    And yes, the changes you made by specifying your single IP address instead of "all" should accomplish the desired result with no undesired side effects.

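The restricted FilesMatch rule the thread settles on, written out as an added example. This is not the stock Zen Cart 1.5.0 admin .htaccess and not code from either poster. It assumes the layout the snippet's own comment ("but now allow just *certain* necessary files") implies: a blanket deny, followed by a FilesMatch that re-allows the file types the admin needs. That layout also explains the symptom in post #3. Apache merges <Files> and <FilesMatch> sections after the directory-level directives of the same .htaccess, so the stock "Allow from all" inside the FilesMatch overrode the earlier <Limit GET POST> block for login.php and every other matched file; the Allow inside the FilesMatch is therefore the right place to put the IP restriction. The address 203.0.113.10 is a placeholder from the documentation range, and the Apache 2.4 block is an assumption about the server version, included because 2.4 only honours Order/Allow/Deny when mod_access_compat is loaded.

```apache
# Added example (not the stock Zen Cart 1.5.0 admin .htaccess, not the posters' code).
# Assumes the 1.5.0 layout: a blanket deny, then a FilesMatch that re-allows the
# file types the admin needs. 203.0.113.10 is a placeholder from the documentation
# address range; replace it with your static IP. Several addresses may be listed
# separated by spaces, and CIDR ranges such as 198.51.100.0/24 are accepted.

# Apache 2.2 syntax (mod_access), as used in the thread.
<IfModule !mod_authz_core.c>
  Order Deny,Allow
  Deny from all

  # Re-allow only the listed file types, and only from the admin's address.
  # With "Order Allow,Deny", any request no Allow matches is denied, so every
  # other client gets 403 for login.php and the rest of the admin directory.
  # Files outside the pattern (.txt, .sql, backups) stay denied for everyone.
  <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
    Order Allow,Deny
    Allow from 203.0.113.10
  </FilesMatch>
</IfModule>

# Apache 2.4 equivalent (mod_authz_core). Added as an assumption about the
# server version: 2.4 honours Order/Allow/Deny only if mod_access_compat is
# loaded, so on 2.4 use Require. The FilesMatch Require replaces the
# directory-level one for matched files (AuthMerging defaults to Off).
<IfModule mod_authz_core.c>
  Require all denied

  <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
    Require ip 203.0.113.10
  </FilesMatch>
</IfModule>
```

Two caveats a practitioner would check before relying on this. First, do not wrap the rule in <Limit GET POST> as the 1.3.7 mod did: <Limit> applies only to the methods listed, so Apache's own documentation recommends plain directives or <LimitExcept> for access control. Second, the rule only sees the client address Apache receives; behind a CDN or reverse proxy that is the proxy's address, and the rule will either lock you out or admit everyone. Verify from a second network with a request for /renamed_admin/login.php and expect a 403 status, then confirm the admin still loads from the allowed IP.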
