Restrict IP ranges for admin users



thoroughfare
05-13-2004, 03:53 PM
Hi,

Can you please add a feature to restrict access to the DA admin panel to only certain IP ranges? Perhaps you could add this to all user levels... it'd help security for sure.

Thanks,
Matt :)

thoroughfare
06-09-2004, 09:04 AM
*bump*

Matt

nobaloney
06-09-2004, 02:37 PM
While helping security, it might make it impossible for your clients to access their control panel from their ISP if their ISP uses dynamic IP allocation, and certainly while travelling.

Jeff

thoroughfare
06-09-2004, 02:53 PM
True, but at least an admin feature would be good :) And they'd be able to set it themselves... so if they were going to travel they could edit the settings (as they'd be optional and turned off by default).

I have a dynamic IP, although it only changes when I reset my router. My IP block is always constant though.

Matt :)

nobaloney
06-11-2004, 06:42 PM
Originally posted by thoroughfare
True, but at least an admin feature would be good :)
You can certainly set it up yourself using KISS or some other firewall.

And they'd be able to set it themselves... so if they were going to travel they could edit the settings (as they'd be optional and turned off by default).
Giving them yet something else to forget to do before leaving home.

I have a dynamic IP, although it only changes when I reset my router. My IP block is always constant though.
Will your provider guarantee either of these?

Note that I'm not disagreeing with your premise, just pointing out some problems I foresee.

If your "people" always carry their own systems with them, then perhaps they could set up some kind of backdoor using a key pair kept on their laptop (for example for ssh).

Jeff

thoroughfare
06-11-2004, 07:02 PM
How could I set up a firewall-based IP restriction for the admin login in DA?

Matt :)

ProWebUK
06-12-2004, 07:08 AM
Originally posted by jlasman
You can certainly set it up yourself using KISS or some other firewall.

Actually, that would be impossible for the admin level only, since it uses the same port as all user levels.

Chris

thoroughfare
06-12-2004, 01:04 PM
That was what I thought..?

Matt

blacknight
06-13-2004, 10:50 AM
It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

ProWebUK
06-13-2004, 11:46 AM
Originally posted by blacknight
It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

I actually think it's a fair request (for the admin level) since there's often only 1 admin.

It, of course, would have to be an option: all IP addresses are allowed access unless the admin specifies to only allow IP xxx.xxx.xxx.xxx.

Chris

blacknight
06-13-2004, 12:00 PM
I disagree entirely

If you want to worry about security issues then the introduction of some security checks via the control panel, such as those available on cpanel servers, would make some sense.

From previous experience with remote admin for client companies this kind of IP based system is both ill-conceived and impractical. The ill conception stems from a misplaced belief that security at the application level is going to compensate for a potentially misconfigured operating system.

ProWebUK
06-13-2004, 12:14 PM
Originally posted by blacknight
I disagree entirely

If you want to worry about security issues then the introduction of some security checks via the control panel, such as those available on cpanel servers, would make some sense.

From previous experience with remote admin for client companies this kind of IP based system is both ill-conceived and impractical. The ill conception stems from a misplaced belief that security at the application level is going to compensate for a potentially misconfigured operating system.

Feel free to explain this concept used on CPanel systems... what security checks via the control panel? That's what we are talking about implementing..

If I may quote your last post:



It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.


What myself (and Matt?) are suggesting has no relation at all with all users, it would not affect anyone at all besides the admin, and the admin has the choice of allowing all ips, or limiting to one ip or a range.

If you don't want to make use of this feature, you could simply just leave it so it's accessible by all IPs; if you want the feature, you can configure it as you want.

I'm sure if it's objected to by one, and wanted by a couple, it could be left as a directadmin.conf option to keep it totally out of the panel if not wanted.

I'll be honest and say I'm not too worried if it's there or not, but I fully understand where Matt is coming from.

Chris

blacknight
06-13-2004, 12:34 PM
Cpanel has a number of integrated security checks that the admin user can run on the local filesystem. These include rootkit checks and other utilities.

thoroughfare
06-13-2004, 12:41 PM
Originally posted by blacknight
It would be impractical to implement something like this unless all your users are on fixed IPs.
Security is always a matter of concern for admins, but should be addressed at the OS and daemon level.

Did you bother to read my post? We could restrict it to IP *ranges* - which in fact I would need since I use a dynamic IP.

I agree security should be addressed at the OS and daemon level - and indeed, my administration company and myself have secured our box as tightly as we can. We're implementing an ACL over the kernel soon using LIDS.

My point is that security is a multi-layered process. No box is 100% secure... but by creating as many barriers (layers) as possible, it makes it more and more difficult to break into a box.

Thanks,
Matt :)

thoroughfare
06-13-2004, 12:43 PM
Originally posted by blacknight
The ill conception stems from a misplaced belief that security at the application level is going to compensate for a potentially misconfigured operating system.

Please read my above post - in fact, please reread the thread.

Matt

blacknight
06-13-2004, 12:47 PM
Originally posted by thoroughfare
Did you bother to read my post? We could restrict it to IP *ranges* - which in fact I would need since I use a dynamic IP.


I did read your post, but I still disagree with you.


Originally posted by thoroughfare

I agree security should be addressed at the OS and daemon level - and indeed, my administration company and myself have secured our box as tightly as we can. We're implementing an ACL over the kernel soon using LIDS.

My point is that security is a multi-layered process. No box is 100% secure... but by creating as many barriers (layers) as possible, it makes it more and more difficult to break into a box.


Fair enough, however I would see a problem with more inexperienced admins seeing such an implementation as being a "silver bullet" solution.

Our network, for example, is completely protected by hardware firewalls, so even if there is an issue at the server level, be it OS or software, the damage can be limited to some degree.

thoroughfare
06-13-2004, 12:47 PM
Originally posted by blacknight
Cpanel has a number of integrated security checks that the admin user can run on the local filesystem. These include rootkit checks and other utilities.

DA users can run rootkit checkers anyway. I run two - chkrootkit and rootkit hunter. DirectAdmin is intended not to be bloatware (please, someone tell me if I'm wrong) - so such extra features are left to the admin to configure as they please.

Introducing things such as rootkit checks into DA would simply make it less flexible and would leave less time for DA's developers to concentrate on what DA is really about.

Restricting IP ranges is just an extra security measure - similar to restricting the IPs which can access SSH.

Thanks,
Matt

thoroughfare
06-13-2004, 12:52 PM
Originally posted by blacknight

Fair enough, however I would see a problem with more inexperienced admins seeing such an implementation as being a "silver bullet" solution.

Indeed, some admins may think that. But that's their fault - if they're not experienced enough to know that, then they shouldn't be adminning servers. I don't mean to sound harsh - I'm not an expert at server administration by any stretch of the imagination - but that's why I hire professionals. Why should we suffer at the ignorance of the inexperienced?


Originally posted by blacknight

Our network, for example, is completely protected by hardware firewalls, so even if there is an issue at the server level, be it OS or software, the damage can be limited to some degree.

No offence intended, it seems as though you regard your firewall as "a 'silver bullet' solution". One port is all it takes, combined with a software exploit. Firewalls don't limit damage once a cracker has broken into the box - they simply slow down a cracker, and possibly prevent him from breaking in in the first place. Inexperienced admins may see firewalls as a 'silver bullet' solution too... does that mean we shouldn't use firewalls?

Best regards,
Matt

nobaloney
06-14-2004, 10:40 AM
Anyone here seen the movie "Runaway Jury"?

It's my impression this has become a runaway thread.

Let's go back to this question:

Since "admin" logins are handled by DA on the same port as the other user logins, restricting IP ranges for admin users is neither trivial nor easy.

It can be done by a redesign of how DA does logins.

Is the additional security worth the redesign?

Jeff

thoroughfare
06-14-2004, 10:46 AM
To me, what's important is that any IPs trying to access the admin panel which shouldn't be can't get access and are recorded.

For example, if an IP outside of a specified IP block tries to gain access, their IP is emailed to the admin user and they are blocked access to the admin panel.

I don't see why it would require such a redesign as you suggest - surely the DA login page could detect the IP being used to send requests to login as admin and deny users that use a wrong IP.

Where's the big redesign there?

Matt :)

ProWebUK
06-14-2004, 10:53 AM
I would think all that's required is a check of the remote IP address.

< 10 lines of bash scripting, and I'm sure the same for PHP - as for C I have no idea :D

Chris

nobaloney
06-14-2004, 11:18 AM
Matt,

That's exactly what I mean by "a redesign of how DA does logins".

At the moment DA doesn't treat an admin login any differently than it does any other login.

Hence the redesign.

Jeff

thoroughfare
06-14-2004, 11:36 AM
At least we're thinking along the same lines :)

IMHO, it's hardly a difficult 'redesign' - in fact it's not a redesign at all - merely an additional piece of code.

An advanced PHP version of such code would take me about 20 lines. I'm not a C programmer so I can't comment on that, but it's more of an addition than a redesign.

Failed logins could just be sent to the standard 'invalid username/password' page.

Matt :)

redeye
06-15-2004, 02:24 AM
Originally posted by ProWebUK
What myself (and Matt?) are suggesting has no relation at all with all users, it would not affect anyone at all besides the admin, and the admin has the choice of allowing all ips, or limiting to one ip or a range.

Sounds like a good idea. You can firewall the server, but the control panel port will stay open for customers, so I think it is smart to give this option to admins or even to customers and resellers.


Another option is to switch the admin control panel port to another port. This way you could use your firewall to control IPs to that port.

ClayRabbit
08-03-2004, 12:19 PM
I think that will be a good feature.

We will be able to create a separate user for API calls and allow its access only from the server where our software is hosted.

ClayRabbit
10-07-2004, 11:13 PM
I think DA should think about that.

It's always risky to use API calls in scripts. We are always taking a risk of revealing the password of a privileged user. Of course it's completely in our hands, but people make mistakes and someday some little (or big) security hole may appear in a script (especially if it's huge and complicated billing software).
So I will feel much calmer if some critical functions (deleting users, for example) are restricted and access is allowed from only one IP.

It's possible to reduce those risks by adding some restrictions for admin users created in DA.

1) Specify the IP range access is allowed from.
2) Specify a list of allowed (disallowed?) commands (CMD_ACCOUNT_USER, CMD_API_SHOW_USER_CONFIG, CMD_USER_PASSWD, etc.)

PS: By the way, I recommend you NEVER RUN important scripts under mod_php! Your files with chmod 644 can be read by other users on the server in so many ways... (Even if you are using safe_mode/open_basedir, and exec-related functions are disabled, and public_html is user:apache 750, I still know one method to read it ;) So chmod 600 and run your php-scripts under CGI. Yeah, it's slower, but much more secure.
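
The check discussed in this thread (an optional per-user IP range, plus the per-user command list proposed in the post above), sketched as an added example; it is not code from any poster or from DirectAdmin. The policy store, the user names, the addresses and the `authorize` function are assumptions made for illustration; only the `CMD_*` names come from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPolicy:
    allowed_nets: tuple = ()               # empty = any source IP (feature is opt-in)
    allowed_cmds: frozenset = frozenset()  # empty = any command

# Constructed sample policies: user names and documentation-range addresses
# are placeholders, not DirectAdmin configuration.
POLICIES = {
    "admin": AccessPolicy(allowed_nets=("198.51.100.0/24", "2001:db8:10::/48")),
    "billing_api": AccessPolicy(
        allowed_nets=("203.0.113.7/32",),
        allowed_cmds=frozenset({"CMD_API_SHOW_USER_CONFIG"}),
    ),
}
DENIED_LOG = []  # stand-in for the log entry / e-mail to the admin

def ip_allowed(policy, peer_ip):
    if not policy.allowed_nets:
        return True
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False                       # unparsable address: fail closed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:a.b.c.d seen on dual-stack sockets
    return any(addr in ipaddress.ip_network(net) for net in policy.allowed_nets)

def authorize(user, peer_ip, cmd, password_ok):
    """peer_ip is the TCP peer address of the socket, never a request header."""
    policy = POLICIES.get(user, AccessPolicy())
    if not ip_allowed(policy, peer_ip):
        DENIED_LOG.append((user, peer_ip, "ip"))
        return False                       # caller shows the normal invalid-login page
    if not password_ok:
        return False
    if policy.allowed_cmds and cmd not in policy.allowed_cmds:
        DENIED_LOG.append((user, peer_ip, "cmd:" + cmd))
        return False
    return True
```

Users without a policy entry are unaffected, and a refused request gets the same answer as a wrong password, so the response does not reveal that an IP restriction exists.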

thoroughfare
10-08-2004, 01:08 AM
You can use IonCube (http://www.ioncube.com/) to encode your scripts too, which will hide your passwords if someone hacks one of your servers and goes looking through your scripts :)

Matt

ClayRabbit
10-08-2004, 01:21 AM
Hmm... So simple. I forgot about that :)
But are you sure there is no way to reveal constant strings from encoded script?

Anyway, I think it's TOO dangerous if someone got your scripts even if those scripts are encoded. They can run the script and use strace, ltrace, tcpdump, etc. to reveal sensitive information from it.

ProHS
03-14-2006, 05:21 PM
I don't think changing it where admin has its own port like CPanel and other control panels is going to help the security for the password. The fact is you need a hard password and be able to restrict certain IPs and hosts or be able to put * in the IP or host so if your IP is dynamic you will not be blocked out. Of course this will not keep you totally secure so like others said running things like rootkit scanner would help too.