Restrict admin user to white-listed IP addresses

Discussion in 'General' started by Mladen, Dec 13, 2018.

  1. Mladen

    Mladen New Member

    Hi all,
    I searched for posts related to this topic, but couldn't find any, so I'm posting a new one.
    Is there any feature in ISPConfig 3, which helps to restrict access to ISPC panel and only allow admin user to login from a specific list of IP addresses? The rest of the ordinary users should be able to log into the ISPC without issues (to manage their accounts).
    If such a feature isn't currently available in ISPC, is there any workaround that could help achieve this?
    Right now, the only thing that comes to my mind is to manually patch the web files to accomplish this, but then I would have to patch it over and over again, each time I upgrade ISPC...
    Any help is really appreciated.
    M

    P.S. Admin, can you please fix the tags for this post, since I did it incorrectly, and later on I couldn't edit/fix it... Thanks :)
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    I don't believe there is a place offhand, and I can't think of a very simple way to do it outside of ispconfig code. I can think of a few ways that aren't exactly simple, but for the amount of work that would take, and compared for you patching the php files yourself, I'd suggest you just implement it "correctly" in ISPConfig and it will be there for all future versions, too.

    The quick and easiest way may be that instead of a hard-coded list of ip addrs in your check, you would save it as a setting in the server.config table, with a field under System > Main Config > Misc (eg. right by the Session Timeout); the template changes and backend code should be pretty straightforward for that. There is a "nameservers" field (under Server Config) which accepts ip addresses and may handle reading/parsing them (or it may just blindly use what's there, I don't really know offhand). This could handle a single ip restriction for admin accounts.

    A more flexible approach would be to add an ip restriction field to all CP Users, exactly how the field works for Remote Users. That would likely require adding another field to the sys_user table, but the code for handling remote_user.remote_ips should be pretty much what you need.

    Either approach is more work than a quick hack to implement a hard-coded list in php, but probably not too bad if you're up for it.
     

Share This Page