  1. #1
    Join Date
    Sep 2013
    Location
    in the clouds
    Posts
    33
    Plugin Contributions
    0

    Default .htaccess help needed for static IP address

    Hello, after a few weeks of suspicious activity on my website, my webhost kindly blocked a whole range of IP addresses at their firewall level after they confirmed that there was consistent probing for Zen Cart vulnerabilities. This stopped all of these attempts and I have seemingly not had any more major probing, other than the normal script kiddies/bots etc., since. But my webhost also recommended I apply a .htaccess rule to limit access to my shop's admin by IP. So, I have had BT change my broadband from a dynamic IP to a static IP and I have added the following rule to my admin's .htaccess file:

    order deny,allow
    deny from all
    # xxx.xxx.xxx.xxx is my static IP
    allow from xxx.xxx.xxx.xxx

    This seemed to work great and I was a bit more relaxed, as being hacked terrifies me, as I am new to Zen Cart/selling online, having only taken over this role from a colleague that passed away 9 months ago. So now, when I go to www.mywebshop.com/myadmin outside of work's internet, I am returned the server's "access denied" error page. BUT if I go to www.mywebshop.com/myadmin/index.php I am returned the admin login screen, I can log in and use the shop admin. Can someone kindly tell me what I have done wrong? How can I still access the shop's admin from a different IP address when the rule is allow from xxx.xxx.xxx.xxx (my static IP)?

    Thank you, Isabella.

  2. #2
    Join Date
    Apr 2006
    Location
    West Salem, IL
    Posts
    2,888
    Plugin Contributions
    0

    Default Re: .htaccess help needed for static IP address

    You can add another line below that with a new allowed IP address

    Code:
    order deny,allow
    deny from all
    # xxx.xxx.xxx.xxx is my static IP
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx
    etc....
    Mike
    AEIIA - Zen Cart Certified & PCI Compliant Hosting
    The Zen Cart Forum...Better than a monitor covered with post-it notes!

  3. #3
    Join Date
    Jul 2012
    Posts
    16,816
    Plugin Contributions
    17

    Default Re: .htaccess help needed for static IP address

    Quote Originally Posted by barco57 View Post
    You can add another line below that with a new allowed IP address

    Code:
    order deny,allow
    deny from all
    # xxx.xxx.xxx.xxx is my static IP
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx
    etc....
    I think though that this will provide the same result(s) as seen above.

    I believe the question is, why is it that someone can reach the admin login screen even though there is something in the .htaccess that seems like it should prevent it? And as a result of being able to access it, what needs to be done to prevent access?
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  4. #4
    Join Date
    Sep 2013
    Location
    in the clouds
    Posts
    33
    Plugin Contributions
    0

    Default Re: .htaccess help needed for static IP address

    Yes. That is correct. I have a rule in place to block access to the admin folder from all but one IP address. But it seems not to work. Any ideas why?

  5. #5
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: .htaccess help needed for static IP address

    Quote Originally Posted by izzysoup View Post
    Yes. That is correct. I have a rule in place to block access to the admin folder from all but one IP address. But it seems not to work. Any ideas why?
    Offhand, I can't see why it shouldn't work, but personally I think that there is a better solution anyway.

    Log onto your site's cPanel, and click on the option to "Password Protect Directories", then navigate your way to your admin directory and click on it. This will bring up a page where you can enter a password. Create a new password (different from your store admin password) and save the settings.

    Now when people attempt to access your admin folder (from anywhere) they'll be greeted with an 'enter password' popup box before they can go any further, and if by some sheer fluke they happen to get past this password protection they'll still need to know the username/password for the admin of your store.

    The downside of this is when *you* want to log into the admin of the store you'll need to enter two different passwords.

    Just a suggestion.

    Cheers
    RodG

    ps. You could also use

    Order Allow,Deny
    Allow from xxx.xxx.xxx.xxx

    It's more efficient than the Deny,Allow. Anything not specifically allowed is denied.
    http://httpd.apache.org/docs/2.2/mod...ost.html#order
    Last edited by RodG; 8 Sep 2014 at 06:24 PM.

  6. #6
    Join Date
    Sep 2013
    Location
    in the clouds
    Posts
    33
    Plugin Contributions
    0

    Default Re: .htaccess help needed for static IP address

    Many thanks RodG. I have added the password protection via "Password Protect Directories" in cPanel. I also believe I have solved the IP problem, by adding the following in green. It may seem overkill, but it brings me more peace of mind after the constant and direct probing we were suffering.

    # but now allow just *certain* necessary files:
    <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
        Order deny,allow
        Deny from all
        Allow from ***.***.***.***
    </FilesMatch>
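The thread leaves the mechanism behind the original symptom implicit: Apache merges `<Files>`/`<FilesMatch>` sections after the directory-level rules in the same .htaccess, so a file-level section that carries its own `Order`/`Allow` replaces the directory-level decision for every file it matches. A directory-level "deny all but me" rule therefore protects only what no `<FilesMatch>` re-opens. The following .htaccess is an added example, not from the thread or from Zen Cart; it shows a layout with that problem next to a corrected one that applies RodG's `Order Allow,Deny` form (post #5) and the pattern from post #6. It assumes Apache 2.2 with mod_authz_host, `AllowOverride Limit AuthConfig` on the admin directory, and uses the documentation address 203.0.113.10 in place of the shop owner's static IP; the exact contents of the poster's original file are not shown on the page, so the "weak" half is an illustration of the merge behaviour, not a reproduction of her file.

```apache
# Added example (not the thread's or Zen Cart's own file).
# Assumes Apache 2.2, mod_authz_host, AllowOverride Limit AuthConfig.
# 203.0.113.10 is a placeholder for the shop owner's static IP.

# ---------------------------------------------------------------
# WEAK LAYOUT: the directory-level rule looks like a full lockdown...
# ---------------------------------------------------------------
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10
#
# ...but a later file-level section with its own Order/Allow is merged
# AFTER the directory-level rules, so every file it matches (index.php
# included) is decided by "Allow from all", and only requests the pattern
# does not match are still denied.
# <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
#     Order Allow,Deny
#     Allow from all
# </FilesMatch>

# ---------------------------------------------------------------
# CORRECTED LAYOUT
# ---------------------------------------------------------------
# Default-deny in the shorter form: with Order Allow,Deny anything that
# no Allow line matches is denied, so "Deny from all" is not needed.
# Additional trusted addresses go on extra Allow lines (post #2).
Order Allow,Deny
Allow from 203.0.113.10

# The file-level section must carry the SAME restriction, otherwise it
# re-opens the matched files to everyone. Pattern taken from post #6.
<FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
    Order Allow,Deny
    Allow from 203.0.113.10
</FilesMatch>

# Second layer, equivalent to what cPanel's "Password Protect Directories"
# sets up (hand-written here; the path is a placeholder and must point
# outside the web root). "Satisfy All" makes Apache require BOTH a trusted
# IP and valid credentials rather than either one.
AuthType Basic
AuthName "Shop administration"
AuthUserFile /home/EXAMPLE_ACCOUNT/.htpasswds/admin.htpasswd
Require valid-user
Satisfy All

# Apache 2.4 note: Order/Allow/Deny only work there if mod_access_compat
# is loaded. The native 2.4 form of the IP restriction is:
# <FilesMatch "(^$|^favicon.ico$|.*\.(php|js|css|jpg|gif|png)$)">
#     Require ip 203.0.113.10
# </FilesMatch>
```

After changing the file, check it from an address that is not on the allow list and confirm that both `/myadmin/` and `/myadmin/index.php` return 403, since the two paths are evaluated separately and the original report was that only one of them was blocked.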

  7. #7
    Join Date
    Sep 2013
    Location
    in the clouds
    Posts
    33
    Plugin Contributions
    0

    Default Re: .htaccess help needed for static IP address

    Ah yes, I will change to

    Order Allow,Deny
    Allow from xxx.xxx.xxx.xxx
