Koozali.org: home of the SME Server

denying all web access to specific server web ibays by ip address

Offline purvis

I want to allow only specific ip address locations to access webpages on the sme server.
I have not found any documentation on the forums that would be a how to.
So basically I want a hidden webpage for certain locations to access web pages that have php scripting code.

Even if I used a password protected web page, I want to restrict the pages by ip address also.
Many of you have seen security problems to websites. I am going to try and protect sensitive data in any way possible
and I, like a lot of others, am either worried or concerned about possible break-ins to data.
So I have an ear for any educated thoughts on this as well.

I have tinkered a lot with the server that I use to test on and really because of the way sme server is set up,
I am wandering my way through how to do this without hurting or breaking something else.

From what I have done, right or wrong, here it is, and I really need somebody to look over my back on this.

So here is what I have done:

Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
nano /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99SecureIbayWithIP

192.168.9. is my local network.
Inserted into the file 99SecureIbayWithIP:

Code:
<Location /webibayname>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1 192.168.9.0/255.255.255.0
  Allow from localhost
  Allow from xxx.xxx.xxx.xx0
  Allow from xxx.xxx.xxx.xx1
  Allow from xxx.xxx.xxx.xx2
  Allow from xxx.xxx.xxx.xx3
  Allow from xxx.xxx.xxx.xx4
  Allow from urlweblocationa.com
  Allow from urlweblocationb.com
  Allow from urlweblocationc.com
  Allow from urlweblocationd.com
  Allow from urlweblocatione.com
</Location>

Code:
expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd-e-smith restart

I am not sure if I have the right file name or if there is more than one file to use.

In my testing, the results seem to work but not on an ibay you have password protected.
The password dialog in a browser does not even pop up.

Maybe somebody can straighten me out on how this works to get sme server to do what I would like to do.
Thanks in advance.

I am not sure whether the locations of 127.0.0.1 and localhost are even needed to be listed.
« Last Edit: March 12, 2016, 06:26:18 AM by purvis »

Offline purvis

Re: denying all web access to specific server web ibays by ip address
« Reply #1 on: March 12, 2016, 06:25:47 AM »
After finding the httpd.conf file in the /etc/httpd/conf directory and reviewing the httpd.conf file that sme generates,
I renamed the file that I was using in the /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf directory
to 99SecureIbayWithIP so my edits would end up on the bottom of the httpd.conf that sme generated.
Now everything seems to be working as it should from my testing, including the webpage password dialog
for entering a password to access the webpage.

For those wanting to check the returned client ip address from the webpage on the sme server,
here is a little php script that I was using.
ipaddress.php
Code:
<html>
<body>
<?php
// REMOTE_ADDR is the client address as seen by Apache
$ipaddress = getenv('REMOTE_ADDR');
echo "Your IP address is : $ipaddress";
?>
</body>
</html>
« Last Edit: March 12, 2016, 06:32:36 AM by purvis »

Offline purvis

Re: denying all web access to specific server web ibays by ip address
« Reply #2 on: March 12, 2016, 05:47:49 PM »
I did not have much knowledge of apache server software and many of the tweaks you can do, such as creating a .htaccess that creates some characteristics of how web pages are served.
I found this helpful, https://wiki.contribs.org/Htaccess on the contribs wiki, but have not worked with the suggestions yet.

I found some helpful info off the Internet at
http://www.besthostratings.com/articles/block-users-by-ip.html

From using sme server and its control panels in the server-manager web pages and then looking at the httpd.conf file in the /etc/httpd/conf directory of the sme server, things are becoming much clearer to me.

As far as the suggestion of keeping some info in the /etc directory, such as a password file, in the contribs.org wiki file, it would make more sense to me to create an ibay and limit the access to it so that you could back up the information and maintain the passwords and users that are being used with either a .htaccess file or some kind of templates-custom approach, which the contribs wiki page suggested. Well, with having security there is no doubt a pain in the butt comes with it.
« Last Edit: March 12, 2016, 05:49:24 PM by purvis »

Offline janet

Re: denying all web access to specific server web ibays by ip address
« Reply #3 on: March 12, 2016, 08:27:16 PM »
purvis

To avoid line wrapping (which can prevent code from running correctly), use

nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99SecureIbayWithIP

Also there is documentation here about blocking access to the whole server using db commands & while not exactly what you wanted, may be useful.

https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05
« Last Edit: March 12, 2016, 08:36:26 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline CharlieBrady

Re: denying all web access to specific server web ibays by ip address
« Reply #4 on: March 13, 2016, 12:20:13 AM »
Note that these:

  Allow from urlweblocationa.com
  Allow from urlweblocationb.com
  Allow from urlweblocationc.com
  Allow from urlweblocationd.com
  Allow from urlweblocatione.com

aren't trustworthy. Anyone who has control over the reverse DNS of their IP address (i.e. of d.c.b.a.in-addr.arpa for a.b.c.d) can get access by putting, say, urlweblocationa.com, in their PTR record.

Make sure that you are forcing to https.
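
A check for the point raised in this reply, as an added example that is not part of the original thread: the shell function below lists every `Allow from` token inside `<Location>` or `<Directory>` blocks of an Apache 2.2-style config and labels it ADDR or NAME, so name-based entries can be found and reviewed. The function names and the sample config (with 203.0.113.10 as a placeholder address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify every "Allow from" token inside <Location> or
# <Directory> blocks as ADDR (IP, partial IP, network/mask), NAME, ENV or ALL.
audit_allow_from() {
    # $1: path to an Apache 2.2-style config, e.g. the expanded httpd.conf
    awk '
    /^[ \t]*<(Location|Directory)[ \t]/ { loc = $2; sub(/>$/, "", loc); next }
    /^[ \t]*<\/(Location|Directory)>/   { loc = ""; next }
    loc != "" && tolower($1) == "allow" && tolower($2) == "from" {
        for (i = 3; i <= NF; i++) {
            tok = $i
            if (tolower(tok) == "all") kind = "ALL"
            else if (tok ~ /^env=/) kind = "ENV"
            else if (tok ~ /^[0-9]+(\.[0-9]*)*(\/[0-9.]+)?$/ || tok ~ /:/) kind = "ADDR"
            else kind = "NAME"
            print kind, loc, tok
        }
    }' "$1"
}

# Succeeds (exit 0) when at least one name-based entry exists.
has_name_based_allow() {
    audit_allow_from "$1" | grep -q '^NAME '
}

# Constructed sample modelled on the fragment in the first post;
# 203.0.113.10 is a documentation-range placeholder address.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Location /webibayname>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1 192.168.9.0/255.255.255.0
  Allow from localhost
  Allow from 203.0.113.10
  Allow from urlweblocationa.com
</Location>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_allow_from "$sample"
has_name_based_allow "$sample" && echo "review: name-based Allow entries found"
rm -f "$sample"
```

On the server, the function can be pointed at /etc/httpd/conf/httpd.conf after running expand-template, so the audit covers the config Apache actually loads.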

Offline purvis

Re: denying all web access to specific server web ibays by ip address
« Reply #5 on: March 13, 2016, 04:14:26 AM »
Thanks Janet for the link. I have trouble at times finding details and other write ups.
Thanks Charlie.
I intended to remove them but I am glad that I put up that example where a person like you could comment on positive or negative effects.
I had read yesterday something from the internet about using urls has some kind of effect on the logs too, but I cannot find what I had read a second time.
I am hoping to find the webpage that mentioned some kind of negative side effect on the logs.
The reason I put the urls in is in case I could no longer make changes due to health or even death and the ip addresses changed.
« Last Edit: March 13, 2016, 04:16:38 AM by purvis »