Kartris User Guide

18.3. IP Restrictions

While the username and password system provides a decent level of security, it is not foolproof. If your computer is lost or stolen, or some spyware passes your access details to a potential attacker, then an attacker could use your details to access your site. An attacker may also attempt a brute force attack - repeated trial-and-error attempts at logging in.

Since the number of admin users is typically quite small, and they will normally access the site from one or two locations (e.g. office or home), it is possible to apply extra security to the back end in the form of an IP address restriction. For this to work, you must have a fixed IP (or one within a relatively narrow range).

Open up the web.config file in the root of the web, and find this tag:
<add key="BackEndIpLock" value=""></add>
Into the value, add your IP address, or part of your address. Separate multiple values with a comma. For example:

000.000.000.000,111.111.111

(the first number is a single IP address, the second is a partial IP address that matches any address beginning with it)

If you have your own server or virtual server, and have admin access to the IIS web server, you can also restrict access to the back end through IIS itself.

In IIS 6, the ability to limit access by IP is built in. In IIS 7, you might have to activate this feature separately.

Using IIS to enforce security in this way adds an additional level of security because it is completely independent of Kartris. Anyone trying to access the Kartris back end will be turned away unless their IP address matches one of those you have expressly authorized. Kartris pages won't even get run.

You can also ban particular IP addresses and ranges (although it is far better from a security perspective to 'deny all' and then allow specific addresses rather than try to ban problem IPs and ranges).
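As an added example (not Kartris's own code, and not taken from the Kartris documentation), the following script builds the IIS 7 "IP and Domain Restrictions" fragment that implements the 'deny all, then allow specific addresses' posture just described, reusing the same comma-separated allow-list format as the BackEndIpLock key. It assumes the back end lives under a folder called Admin (a placeholder; substitute your real back-end path) and that a partial entry such as 111.111.111 means a whole-octet prefix, which maps onto an IIS subnet mask.

```python
"""Generate an IIS 7 <ipSecurity> restriction for the Kartris back end.

Added illustration, not Kartris's own code. Assumptions:
  * the back end is the "Admin" folder (placeholder path, not from the docs);
  * allow-list entries are full IPv4 addresses or dotted prefixes such as
    "111.111.111", the same format the BackEndIpLock web.config key uses;
  * allowUnlisted="false" turns everything not listed away before any
    Kartris page runs.
"""
import xml.etree.ElementTree as ET

BACK_END_PATH = "Admin"  # placeholder: use the real back-end folder name


def prefix_to_network(entry):
    """Map an entry to (network address, subnet mask).

    '198.51.100' -> ('198.51.100.0', '255.255.255.0');
    a full address gets the host mask '255.255.255.255'.
    """
    octets = entry.strip().split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError("not a dotted IPv4 address or prefix: %r" % entry)
    n = len(octets)
    address = ".".join(str(int(o)) for o in octets) + ".0" * (4 - n)
    mask = ".".join(["255"] * n + ["0"] * (4 - n))
    return address, mask


def build_ip_security(lock_value, path=BACK_END_PATH):
    """Return a <location> element that restricts `path` to the listed IPs."""
    location = ET.Element("location", path=path)
    web_server = ET.SubElement(location, "system.webServer")
    security = ET.SubElement(web_server, "security")
    # Deny everyone who is not explicitly listed below.
    ip_security = ET.SubElement(security, "ipSecurity", allowUnlisted="false")
    for entry in (e for e in lock_value.split(",") if e.strip()):
        address, mask = prefix_to_network(entry)
        attrs = {"ipAddress": address, "allowed": "true"}
        if mask != "255.255.255.255":
            attrs["subnetMask"] = mask  # partial entry -> whole subnet
        ET.SubElement(ip_security, "add", attrs)
    return location


def render(lock_value, path=BACK_END_PATH):
    """Serialise the fragment so it can be pasted into web.config."""
    return ET.tostring(build_ip_security(lock_value, path), encoding="unicode")


if __name__ == "__main__":
    # Constructed sample allow-list: one full address and one /24 prefix.
    print(render("203.0.113.10, 198.51.100"))
```

The generated `<location>` block goes directly inside the root `<configuration>` element of the site's web.config. Two things have to be true on the server for it to take effect: the IP and Domain Restrictions feature must be installed (the separate activation step mentioned above), and the ipSecurity section must be unlocked for delegation in applicationHost.config, since IIS locks it at server level by default and will otherwise refuse the site-level override.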

PLEASE NOTE: When Cloudflare or a similar system is turned on (with config setting general.security.ssl set to "e") the site would generally see Cloudflare IPs rather than the end user IP. This would stop the BackEndIpLock from working, as all requests come from Cloudflare IPs.

However, we have considered this and adapted the functionality. When your site is using Cloudflare, we instead check user IPs in the HTTP_CF_CONNECTING_IP or HTTP_X_FORWARDED_FOR server variables that Cloudflare passes through with each request, rather than the actual IP.

What this means is that you can use Cloudflare to protect your site, and still use this IP block feature in your web.config to allow access to the back end only by permitted IPs or ranges.
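The matching rules from the web.config section above (full addresses, partial prefixes, comma-separated values) and the Cloudflare handling just described can be seen together in the following added example. It is illustrative code, not Kartris's own implementation: it assumes the allow-list is the BackEndIpLock string, that server variables arrive as a plain dictionary the way ASP.NET exposes Request.ServerVariables (REMOTE_ADDR, HTTP_CF_CONNECTING_IP, HTTP_X_FORWARDED_FOR), and that a flag tells it whether the site is configured as behind Cloudflare.

```python
"""Back-end IP allow-list check modelled on the BackEndIpLock behaviour.

Added illustration, not Kartris's own code. Assumptions:
  * `lock_value` is the comma-separated BackEndIpLock string, each entry a
    full IPv4 address or a dotted prefix such as "111.111.111";
  * `server_vars` is a dict of ASP.NET server variables;
  * `behind_cloudflare` mirrors the site being configured for Cloudflare.
"""
import ipaddress
from typing import Dict, List, Optional


def parse_allow_list(value: str) -> List[str]:
    """Split the config value on commas and drop blanks and whitespace."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def ip_matches(entry: str, ip: str) -> bool:
    """Match a full address exactly, or a partial address on octet boundaries.

    "198.51.1" must match "198.51.1.9" but not "198.51.100.77", so octets
    are compared as numbers rather than as a raw string prefix.
    """
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False  # malformed or non-IPv4 address: never matches
    wanted = entry.split(".")
    if not 1 <= len(wanted) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in wanted
    ):
        return False  # a malformed entry grants nothing
    actual = ip.split(".")[: len(wanted)]
    return [int(o) for o in actual] == [int(o) for o in wanted]


def client_ip(server_vars: Dict[str, str], behind_cloudflare: bool) -> Optional[str]:
    """Pick the address to check against the allow-list.

    Directly exposed, REMOTE_ADDR is the client. Behind Cloudflare every
    request arrives from a Cloudflare edge, so the real client is taken from
    HTTP_CF_CONNECTING_IP, falling back to the leftmost HTTP_X_FORWARDED_FOR
    entry. Those headers are consulted only in Cloudflare mode: on a
    directly exposed server they are ordinary client-supplied headers and
    would not identify the caller.
    """
    if not behind_cloudflare:
        return server_vars.get("REMOTE_ADDR")
    cf = server_vars.get("HTTP_CF_CONNECTING_IP")
    if cf:
        return cf.strip()
    xff = server_vars.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return None


def back_end_allowed(lock_value: str, server_vars: Dict[str, str],
                     behind_cloudflare: bool = False) -> bool:
    """True if the request may reach the back end; an empty lock value means no restriction."""
    entries = parse_allow_list(lock_value)
    if not entries:
        return True
    ip = client_ip(server_vars, behind_cloudflare)
    if ip is None:
        return False
    return any(ip_matches(entry, ip) for entry in entries)


if __name__ == "__main__":
    # Constructed sample: office address plus a home /24, request via Cloudflare.
    lock = "203.0.113.10,198.51.100"
    request = {"REMOTE_ADDR": "192.0.2.50",            # a Cloudflare edge
               "HTTP_CF_CONNECTING_IP": "198.51.100.77"}  # the real client
    print(back_end_allowed(lock, request, behind_cloudflare=True))
```

Note the difference between the two modes in the last block: with the same request, the check against REMOTE_ADDR alone fails because it only ever sees Cloudflare's edge address, while Cloudflare mode reads the forwarded client address and lets the listed user through.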
