Restricting to a set of IP address

svan_rv

This is for my admin portion of the main web site. There are several number of admin users doing their admin activity in one central location and each one has their own tasks.
All the admin users are provided with a login id and password . Here what i want to do is ,
i need to allow them if they access this admin part of the web site only from this central office.

That is if they try to access the site using their login id and password from their home or from any other location they shold n't be allowed to enter.
To do this should i check for the IP which they are coming from?.

Could anyone suggest me the best way to do this?

Thanks

svan

laserlight

Well, one problem would be with dynamic IP addresses.
If your central location has a static IP address which users use, then you could simply compare $_SERVER['REMOTE_ADDR'] with this.

Still, there are ways to forge IP addresses.

cosminb

if you're using apache you could use .htaccess file

laserlight

yes, htaccess would also work

probably something like:

order allow,deny
deny from all
allow from <central location IP>

svan_rv

Thanks all.

I heard that there is a chance that people can forge the IP address as laserlight mentioned. Even i am bit concerned about that.

If people know the IP address they can set the same from the place and they could access.Is that right?
Can we overcome this problem by using .htaccess file?.

If so could you explain me in detail the things i need to specify in that and where should i keep this .htaccess file.
Do i need to have .htaccess file inside the Document Root Directory specified in my httpd.conf file.
I am using apache 1.3.27,PHP4.1 and RedHat Linux.

Thanks

svan

cosminb

I am using apache 1.3.27,PHP4.1 and RedHat Linux.

nice choice

Here is a good tutorial about using the .htaccess file.

hope it helps

ScubaKing22

I know this is not an answer but I also need to learn about the whole .htaccess thing. I'm unclear as to how to make one and what it even does. I figured I'd post here as to not make a duplicate.

ScubaKing22

wo we posted at the same time lol nevermind then

svan_rv

I tried by doing this in my httpd.conf file.

        order allow,deny 
        deny from all 
        allow from 162.30.1.100

The ip address given above belongs to my system ip address. When i tried to connect to the server thru my browser it did n't allow me.

I forgot to remove the deny directive. I 've removed this and it worked .It did n't allow any other ip address other than my ip.

so now i know the ip address which my web server allow to access. What will happen if i access this web area anywhere from outside by fixing that system ip address to 162.30.1.100).
Will the web server allow this. If so how can i restrict this?.

Any help?

Thanks

svan

cosminb

you can request a password beside checking the ip.
my opionion is that if anyone skillfull enough will want to brake into your server he will. these tricks are just for keeping the little hackers of your website.

svan_rv

That is the path where my scripts exist (which i want to protect) can be made as password protected.
For example in my case the path will be www.mydomain.com/admin/

That is i have to create a .htaccess file inside the above admin directory by allowing only specific users inside.
did u mean that?

thanks for your reply.

svan