How to restrict system administrator login to specific IP Addresses

Issue

Generally authoring instance is usually located behind a company's firewall that provides full protection. For external access OR to improve the authoring performance the instance may be exposed through webserver using dispatcher module [0] to external world.  How to restrict system-level access to a single IP or a range of IP addresses for increased security?

Solution

Using a ModSecurity [1] rule is one of the option to limit the use of the "admin" login via certain IPs. The steps are

  1. Install the plugin mod_security
  2. Load/Enable the mod_security & unique_id_module in httpd.conf
  3. Configure a security rules  & for more details refer[2]. 

An sample httpd.conf for apache (Steps 2 & 3 above) to allow system admin login only from ip 172.16.208.11 is shown below

.
.
.

LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

.
.
.

<IfModule mod_security2.c>
 SecRuleEngine On
 SecRequestBodyAccess On
 SecResponseBodyAccess Off
</IfModule>

.
.
.

<LocationMatch /libs/cq/core/content/login.html/j_security_check>
 SecRule REMOTE_ADDR "!@ipMatch 172.16.208.11" "id:'23000',chain,deny,log"
 SecRule ARGS:j_username "admin" "t:lowercase"
</LocationMatch>
Note:

Same can be applied to webserver configured for publish instance.

Reference

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online