login_pre.sh

Version 1.39

Feature
Finished

Extra layer of security, should you wish to use it. A strong password is good, but a strong password from approved IPs is better.

Integrated right into the user/pass authentication code, this new script allows the server admin to check the remote IP, user, password and referer of the connection. If the script exists, it will be called for all requests, since authentication is done for each request (even with sessions). The script enables the server admin to allow or deny a request based on any criteria they wish. For example, if you know that admin should only be logging in from a specific range of IPs, you can write code to check the IP, compare it to the list, and approve/deny the request.

The benefit of this method of filtering is that if you deny the request (exit with a non-zero result), the standard login errors will appear. The person attempting to log in will assume they've got an invalid password, and will not realize they may be filtered based on their IP. Any non-zero exit code here will count against the brute-force check, even if the correct password is passed. A non-zero exit code will also add an entry to your error.log with any text you echo.

This is run before any passwords are even checked. It is also run before the demo accounts are checked, so if you use a demo, make sure to allow demo_user, demo_admin and demo_reseller before you do your normal checks.

Sample /usr/local/directadmin/scripts/custom/login_pre.sh script:

```php
#!/usr/local/bin/php
<?php
// Values passed in by DirectAdmin through the environment.
$user = getenv('username');
$ip = getenv('ip');

// The only IP allowed to log in.
$my_ip = "1.2.3.4";

if ($user == 'demo_user' || $user == 'demo_reseller' || $user == 'demo_admin')
{
    //not worried about demos
    exit(0);
}

if ($ip != $my_ip)
{
    // Echoed text is written to error.log when the exit code is non-zero.
    echo "Invalid IP";
    exit(1);
}

exit(0);
?>
```
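The "specific range of IPs" case described above, as an added example that is not DirectAdmin's own code: a POSIX shell login_pre.sh that checks the remote IP against a per-user CIDR allowlist. The environment variable names `username` and `ip` are the ones the sample reads; the function names, the policy for `admin` and the address ranges are constructed placeholders. It handles IPv4 only, and a restricted user connecting from anything that does not parse as strict IPv4 is denied.

```shell
#!/bin/sh
# Added example (not DirectAdmin code): per-user IPv4 CIDR allowlist for login_pre.sh.

# Print dotted-quad $1 as an integer; fail on anything that is not strict IPv4.
ip_to_int() (
    case "$1" in ""|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.; set -- $1                      # subshell body keeps the IFS change local
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Succeed if address $1 lies inside network $2 (a.b.c.d/len).
ip_in_cidr() (
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case "$bits" in ""|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
)

# Constructed policy: ranges are documentation placeholders; "any" = no IP limit.
allowed_for() {
    case "$1" in
        admin) echo "192.0.2.0/24 198.51.100.16/28" ;;
        *)     echo "any" ;;
    esac
}

# $1 = username, $2 = remote IP. Return 0 to allow, 1 to deny.
check_login() {
    case "$1" in demo_user|demo_admin|demo_reseller) return 0 ;; esac
    for cidr in $(allowed_for "$1"); do
        [ "$cidr" = any ] && return 0
        ip_in_cidr "$2" "$cidr" && return 0
    done
    echo "IP not in allowlist"   # fixed text: the username is client-supplied, keep it out of error.log
    return 1
}

# Act as the hook only when installed under the script name from the page.
case "$0" in
    */login_pre.sh) check_login "${username:-}" "${ip:-}"; exit $? ;;
esac
```

Because every denial counts against the brute-force check, a range that is too narrow can lock out the legitimate admin; confirm the allowlist from a second session before closing the first.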
