Limit access to your sNews CMS login page by IP address
filed under: sNews CMS / Hacks & Mods
Here's a trick I use to add a little extra security hardening to my sNews installations. It limits all login attempts through your sNews login form to one (or more) IP addresses. If, like me, you access your sNews admin panel from only a few static IPs, give this a try to shut down access attempts on your login page from anywhere else. This is not a foolproof method of locking down your form! It is simply an extra layer that denies login attempts at your sNews login page.
The install is extremely simple and painless; you just need to know your IP(s). Because we're changing the code in the source, you need not fear getting "locked out" if your IP changes or you make a mistake: you can always edit the code via FTP. This only prevents web logins from unwanted locations. Take a look at my login page for example.
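Step 1) As always, BACK UP your snews.php file and work off a copy. Now find the function login() and paste in the IP check shown between the marker comments below, directly above the existing if (!_ADMIN) line:
// LOGIN
function login() {
    // --- added: only show the login form to approved IP addresses ---
    $valid_ips = array("111.111.111.111", "123.123.123.123");
    if (!in_array($_SERVER['REMOTE_ADDR'], $valid_ips)) {
        echo "<p>I'm sorry, you must login from an approved network location</p>";
        return;
    }
    // --- end of added code; the original function continues below ---
    if (!_ADMIN) {
        echo '<div class="adminpanel">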
That's it, you're done. Oh, and yeah, change the IPs. The IPs are stored in the $valid_ips array, so simply add as many as you like, each surrounded by quotes and separated by commas.
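As an added example (not part of the original post or of sNews): in_array() matches exact address strings only, so the helper below extends the same check to CIDR ranges and IPv6 and can be called both where the form is shown and where the posted login is processed. The function names ip_in_allowlist() and login_ip_allowed() and the range entries are assumptions made for illustration.

```php
<?php
// Added example, not sNews code. ip_in_allowlist() and login_ip_allowed() are
// hypothetical names; the CIDR entries are constructed sample values.

// True if $ip equals an entry or lies inside a CIDR entry (IPv4 or IPv6).
function ip_in_allowlist(string $ip, array $allowlist): bool {
    $addr = @inet_pton($ip);
    if ($addr === false) {
        return false;                               // unparsable address: deny
    }
    foreach ($allowlist as $entry) {
        $parts = explode('/', $entry, 2);
        $net = @inet_pton($parts[0]);
        if ($net === false || strlen($net) !== strlen($addr)) {
            continue;                               // bad entry or other address family
        }
        $maxBits = strlen($net) * 8;
        if (!isset($parts[1])) {
            $bits = $maxBits;                       // no prefix length: single host
        } elseif (ctype_digit($parts[1]) && (int)$parts[1] <= $maxBits) {
            $bits = (int)$parts[1];
        } else {
            continue;                               // malformed prefix must never widen access
        }
        $bytes = intdiv($bits, 8);
        $rem = $bits % 8;
        if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes)) {
            continue;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;        // leftover bits of the next byte
        if ($rem === 0 || (ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask)) {
            return true;
        }
    }
    return false;
}

// Call this at the top of login() and again where $_POST['Loginform'] is processed.
function login_ip_allowed(?string $ip = null): bool {
    $valid_ips = array('111.111.111.111', '123.123.123.0/24', '2001:db8::/32');
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the proxy's address,
    // and client-supplied headers such as X-Forwarded-For are not a safe substitute.
    return ip_in_allowlist($ip ?? $_SERVER['REMOTE_ADDR'] ?? '', $valid_ips);
}

// Constructed test addresses, printed as allow/deny when the file is run from the CLI.
foreach (array('111.111.111.111', '123.123.123.77', '124.1.1.1', '2001:db8::1', 'bogus') as $ip) {
    echo $ip, ' => ', login_ip_allowed($ip) ? 'allow' : 'deny', "\n";
}
```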
2 comments
Jun 4th, 2009 at 4:29 pm
Nice one, I however made mine a bit different back when I wanted this feature, I used the .htaccess file using these lines:
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteRule ^login[^/]*$ - [F]
127.0.0.1 used as an example, and of course you could add an array like you did in your mod.
My way will then give whatever error page you used, where yours is showing the text specified; however, I like your approach too.
example: http://b0rgs.net/login/
Jun 4th, 2009 at 7:05 pm
Yeah, using .htaccess is easier and cleaner, the main reason I hard-coded it into the snews.php is because I've got the same logic inside the part that actually logs you in,
i.e.
if (isset($_POST['Loginform']) && !_ADMIN) {
    $valid_ips = array("127.0.0.1", "192.168.0.1");
    if (!in_array($_SERVER['REMOTE_ADDR'], $valid_ips)) {
        // deny login attempt
    } else {
        // allow login, do all the login stuff
    }
}
Also, another trick I've done is to rename the login form elements with an md5 hash.