Need help on .htaccess

[pratham.gharat200395]

I have been trying to only allow my ip range
Example 122.122.*.*

For this i had used

Order allow,deny
Allow from 122.122.0.0/16
Deny from all

But no matter what i did i could not access the page. I checked my internet ip. Its in that range.


Right now i am only trying to allow myself to allow from this ip. But guess am going wrong somewhere.

What i want to achieve is
If user is from this ip range then ask for username/password (basic auth).
If user is not from this ip range then block him (dont ask for username/pass)

 

[Anna]

Due to the setup with two separate webservers handling the requests for free hosting, this does not work as cPanel would see the incoming IP as beeing that of the webserver and not the end user. This is also why the option to deny IPs was removed from cPanel interface.

Not sure if .htaccess would allow it, but you'd need to catch the http referrer IP and deny on that.

 

[pratham.gharat200395]

Thanks for the prompt reply.

I was beginning to thinks its a server issue or apache not being able to get the IP of the user...
Dont think that would work as what am trying to protect is the wp-admin folder of wordpress...

Is there any anti-bruteforce plugin for BASIC AUTH installed on the server?

 

[misson]

Referer wouldn't work because it would give the address of the page (if any) that linked to the login page. There's the X-Forwarded-For and X-Real-Ip headers, but they can be (partly) spoofed. The load balancing proxy will add the real IP of the client to whichever headers it uses, so you can filter out spoofs, but you will also get false positives if the client is behind a proxy. Also, you'd need to make sure you only use headers that the load balancer uses (it looks like both are currently used; you only need one of them). Any other headers would be from the client, and thus vulnerable to spoofing.

# If the real IP isn't empty or in 122.122.*,
RewriteCond %{HTTP:X-Real-Ip} !^$|^122\.122\.[0-9]+\.[0-9]+$ [OR]
# or the remote IP isn't empty, in 122.122.* or 69\.175.*
RewriteCond %{REMOTE_ADDR} !^$|^(122\.122|69\.175)\.[0-9]+\.[0-9]+$
# then forbid access to anything whose URL begins with 'admin'.
RewriteRule ^/?admin - [L,F] # or [L,R=404]

A better alternative to combat brute force attacks would be to use a plugin such as Login Lockdown, which will lock an account for a configurable period (default: 1 hour) after a configurable number of failed logins (default: 3) within a configurable time (default: 5 minutes) from the IP that originated the login.

Taking a look at the source, Login Lockdown matches IPs based on the first 3 quads (i.e. uses a netmask of 255.255.255.0) of the remote addr. This means it will use the the IP of the load balancer if that's what's in REMOTE_ADDR, effectively removing the IP criterion. That is, Login Lockdown would only consider the number of fails in the given period. If there are three login failures on any account from anywhere within the allotted time, any further login failures on any account from anywhere will be locked down. For example, if Alice, Bob and Carol all try to log in within 5 minutes and fail, then Dave tries to log in within the same 5 minutes and fails, Dave will be locked out. However, experiments on Chopin suggest REMOTE_ADDR is corrected by the time the PHP script executes, so that it reflects the IP of the actual client rather than the proxy. I'm not seeing this in the PHP source, so it might be Apache's doing. X10 might be using a module like mod_rpaf.

 

[descalzo]

Please note. If you are making your website "For your eyes only", you might be violating the T.O.S.