Limit access to your sNews CMS login page by IP address

Here's a trick I use to add a little extra security hardening to my sNews installations. It limits login attempts through the sNews login form to one (or more) IP addresses, so if you're like me and access your sNews admin panel from only a few static IPs, give this a try to shut down login attempts that come from anywhere outside the IPs you specify. This is not a foolproof way of locking down your form! It is simply an extra layer that denies login attempts at your sNews login page.

The change is extremely simple and painless: you just need to know your IP(s). Because we're editing the source code rather than a server rule, you need not fear getting "locked out" if your IP changes or you make a mistake; you can always edit the code again via FTP. This only prevents web logins from unwanted locations. Take a look at my login page for example.

Step 1) As always, BACK UP your snews.php file and work off a copy. Now find the login() function and paste in the highlighted code below:

// LOGIN
function login() {
    // --- added IP allowlist check (the "highlighted" lines) ---
    // REMOTE_ADDR is the address of the TCP peer as seen by the web server;
    // if it is not in the list, refuse to render the login form at all.
    $valid_ips = array("111.111.111.111", "123.123.123.123");
    if (!in_array($_SERVER['REMOTE_ADDR'], $valid_ips)) {
        echo "<p>I'm sorry, you must login from an approved network location</p>";
        return;
    }
    // --- end of added check; the original login() function continues below ---
    if (!_ADMIN) {
        echo '<div class="adminpanel">

That's it, you're done. Oh, and yeah, change the IPs. The IPs are stored in the valid_ips array, so simply add as many as you like, each surrounded by quotes and separated by commas.


Comments

slemborg

Nice one. I, however, made mine a bit different back when I wanted this feature; I used the .htaccess file with these lines:

# Deny (403) any request for the login page unless it comes from the listed address.
# The original pattern ended in "0*", which would not have matched 127.0.0.1 itself;
# the address must be spelled out exactly, with the dots escaped.
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteRule ^login[^/]*$ - [F]

127.0.0.1 is used as an example, and of course you could add an array like you did in your mod.

My way will then give whatever error page you used, where yours is showing the text specified; however, I like your approach too.

example: http://b0rgs.net/login/

Matt

Yeah, using .htaccess is easier and cleaner. The main reason I hard-coded it into snews.php is because I've got the same logic inside the part that actually logs you in,

i.e.

if (isset($_POST['Loginform']) && !_ADMIN) {
    $valid_ips = array("127.0.0.1", "192.168.0.1");
    if (!in_array($_SERVER['REMOTE_ADDR'], $valid_ips)) {
        // deny login attempt
    } else {
        // allow login, do all the login stuff
    }
}

also, another trick I've done is to rename the login form elements with an md5 hash.
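The post's snippet only guards the rendering of the login form, and Matt's comment points out that the same check has to sit in front of the POST handler, otherwise a crafted POST bypasses the form entirely. The following is an added example (my own code, not part of sNews or of the post) that puts one allowlist gate in front of both places, and goes a little beyond the page by accepting CIDR ranges as well as exact addresses. The function names ip_allowed(), client_ip() and deny_login_if_not_allowed() are hypothetical, the addresses are constructed sample values, and the placement inside snews.php is assumed. It reads REMOTE_ADDR only, because headers such as X-Forwarded-For are client-controlled; the caveat is that behind a reverse proxy or CDN REMOTE_ADDR is the proxy's address, so this check is only meaningful when the web server sees the real client.

```php
<?php
// Added example, not sNews code. Assumed to be included from snews.php before
// login() and the POST handler run. Function names are hypothetical.

// Exact IPv4 addresses and CIDR ranges; constructed sample values.
$valid_ips = array("127.0.0.1", "203.0.113.0/24");

// The TCP peer address as set by the web server from the socket. It is not
// client-controlled, unlike X-Forwarded-For, which is deliberately ignored.
// Behind a reverse proxy or CDN this is the proxy's address, not the user's.
function client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
}

// True if $ip matches an entry: an exact IPv4 address or a range like
// 203.0.113.0/24. Anything that does not parse as IPv4 is denied.
function ip_allowed($ip, $valid_ips) {
    $ip_long = ip2long($ip);
    if ($ip_long === false) {
        return false; // empty or not a parseable IPv4 address
    }
    foreach ($valid_ips as $entry) {
        if (strpos($entry, '/') === false) {
            if ($ip === $entry) {
                return true;
            }
            continue;
        }
        list($net, $bits) = explode('/', $entry, 2);
        $net_long = ip2long($net);
        $bits = (int) $bits;
        if ($net_long === false || $bits < 0 || $bits > 32) {
            continue; // malformed entry: skip it rather than match everything
        }
        // Mask keeping the top $bits bits; -1 << n is portable on 32/64-bit PHP.
        $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
        if (($ip_long & $mask) === ($net_long & $mask)) {
            return true;
        }
    }
    return false;
}

// One gate used both when rendering the form and when processing the POST.
// Returns true (and prints the refusal) when the caller should stop.
function deny_login_if_not_allowed($valid_ips) {
    $ip = client_ip();
    if (!ip_allowed($ip, $valid_ips)) {
        // Log the refusal so repeated attempts from one address show up in server logs.
        error_log("sNews login denied for " . $ip);
        echo "<p>I'm sorry, you must login from an approved network location</p>";
        return true;
    }
    return false;
}

// Assumed placement in snews.php: at the top of login(), and again at the top of
// the block that handles the submitted form, i.e.
//   if (isset($_POST['Loginform']) && deny_login_if_not_allowed($valid_ips)) { return; }
```

Keeping the exact-address path as a plain string comparison means a list that contains only addresses behaves exactly like the in_array() check from the post; the CIDR branch only matters for entries that contain a slash.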
