And why .htaccess is not the way ?

I really think it must be done via htaccess or external plugin, not in LS core.

PS: try with beforeLogin event : http://manual.limesurvey.org/BeforeLogin#beforeLogin

PS: restrict by IP is not a security .... you don't know IP spoofing ?

.htaccess doesn't prevent someone from login in to the admin area from outside your LAN, actually!

This just keeps people from getting the index file from example.tld/admin/ directory.

If someone knows that this will be reinterpreted to http://example.tld/index.php/admin/authentication/sa/login instantly, he can still log in to your limesurvey administration.

This isn't better than .htaccess in the ../admin/ folder with 'deny all'.

I know IP spoofing. but no one will be able to pretend using a just local usable RFC address from the outside. This address will not be routed.

Therefor IP filter is a propriate way to secure against attempts from outside.

How does the 'beforeLogin' work? I'm no php developer.
Would be fine if that would be part of the Administration GUI.

With htaccess and rewrite condition:
RewriteCond %(REMOTE_ADDR) !^192.168.0
RewriteCond %{REQUEST_URI} admin
RewriteRule .* index.php

Not tested

Usage of plugin:
beforeLogin : https://gitorious.org/ls-authwpbydb/ls-authwpbydb/source/e7f52e2ac206333ba5fc79bc2ecd3a8b79d3bf96:AuthWPbyDB.php#L96
You can surely use a redirect here or throw a 401 error.

If you need help for PHP dev: http://www.limesurvey.com/

While LS uses the same index.php for all reasons, by usage of .htaccess you will keep everyone from outside using everything in LS (also surveys).
Thats not what most of users want.

I looked through your wordpress login script but I cants see how I would find out the remote IP address and filter it.

Could you explain?

Thank you.

Oops, forgot to mention:

RewriteCond isn't allowed on our webserver.

Please : http://www.giyf.com/ : php find remote IP address

ANd again : need PHP dev for LimeSurvey : http://www.limesurvey.com/

I found a way that fits my requirements for now.

My solution is made with php. I just need to check the changes after every update.

For my opinion it still would be greate if that option would come into the standard GUI to set easyly for everyone.

To disable the "password forgotten" lnk function would be a good idea too.
When we talk about spoofing we have to think about sniffing too.

@htwsaar, can you outline your solution in more details so others can benefit from it as well?

Here is the simple way I did it:

You need to change your /application/controllers/admin/authentication.php
using the following lines (i.e.):

$IPRANGE = substr ($_SERVER['REMOTE_ADDR'],0,7);
switch ($IPRANGE) {
case "XXX.XX.":
break;
case "YYY.YY.":
break;
default:
die ('Administrative GUI only available within the local network!
');
}

where XXX.XX. and YYY.YY. are the first characters of your internal IP-ranges (LANs).
If you have just 1 LAN (like 192.168.xxx.xxx) just use one case. If you have more, use more.

Caution: Check authentication.php after every update if it got exchanged by the update. You may have to customize it again.

@htwsaar: Thanks a lot for your feedback!

Just a short recommendation: When switching to a newer Limesurvey versions it makes sense to create a plugin for such features. That way you are future safe when updating later and do not have to edit the source code files.

@Mazi: Thanks for that idea with a plugin.
Actually I don't know about plugins. How would I manage that? Is there au manual on how to use plugins?

See https://gitlab.com/SondagesPro/ExportAndStats/quickStatAdminParticipationAndStat/blob/master/quickStatAdminParticipationAndStat.php#L428

For a simple example of action done only for admin page

@DenisChenu. For my opinion this is not what we wanted to have as result.
We don't want people from outside the LAN (IP based) to be able to see the admin login page and log in.

I only give sample …

    public function beforeControllerAction()
    {
        if(($this->event->get('controller')=='admin' && $this->event->get('action')!='authentication'))
        {
            if(!$this->_yourFunctionToTest() {
                Yii::app()->controller->redirect(array('surveys/index');
            }
        }
    }

I don't say : do it like this …

I'm using .htaccess for the whole site so users that don't have the user and password will not see anything.
Now I want to remove it from the homepage, and just leave it in the admin login with the .htaccess password.
Which directory do I need to protect?

We can provide a plugin similar to this one (https://www.limesurvey.org/limestore/extensiondetails/40/plugin/limesurvey-%E2%80%9Cip-range-survey%E2%80%9D-plugin) but for the admin backend.
Would that help? Then please write to me at marcel.minke@survey-consulting.com

I prefer to use simple thing, like protecting just the directory this link is coming from "https://mysite.com/index.php/admin/"
or
"https://mysite.com/index.php/admin/authentication/sa/login".

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mysite.com/$1 [R,L]

AuthType Basic
AuthName "Access to /mysite/"
AuthUserFile /directory of htpasswd
Require user Jd4g5G

AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI index.php/admin/authentication/sa/login !noauth
SetEnvIf Request_URI index.php !noauth

<RequireAny>
Require env noauth
Require valid-user
</RequireAny>

Since this feature request is still marked "new" but there seems to be a need for tools to restrict access to Limesurvey, we have now made our "IP range login" Limesurvey plugin available at https://survey-consulting.com/product/limesurvey-plugin-ip-range-login/

I use this one for redirecting users to a message page of "site in maintenance" and I can continue in admin area:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yoursite.com/$1 [R,L]

AuthType Basic
AuthName "Access to /yoursite/"
AuthUserFile /xxxxxx/htpasswd
Require user xxxxxx

AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI index.php/admin/authentication/sa/login !noauth
#SetEnvIf Request_URI index.php !noauth

<RequireAny>
Require env noauth
Require valid-user
</RequireAny>

#change to my ip & remove "#" from "deny from all"
ErrorDocument 403 http://updating.yoursite.com/
Order deny,allow
#Deny from all
#your ip
Allow from xxx.xxx.xxx.xxx

#Prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

#Prevent directory listings
Options All -Indexes

Since this is an advanced feature I'm setting user value (users affected) to 10%.

Also, maybe close this if Mazi has a plugin already?

Last question : @Mazi : your plugin license is ? (i don't ask free distribution to be clear, just license after buying).

There are two versions if our IP range plugins:

1. The "IP Range Survey" plugin restricts access to surveys. It is free and can be downloaded from https://account.limesurvey.org/limestore/extensiondetails/40/plugin/limesurvey-%E2%80%9Cip-range-survey%E2%80%9D-plugin. There are no restrictions by the license, you can use it and adjust it as needed.

2. For restricting access to the Limesurvey admin backend, you can download this plugin (https://survey-consulting.com/product/limesurvey-plugin-ip-range-login/). You can use it within your company/organisation on various systems but it is not allowed to re-distribuite it or make it available for free.

You can use it within your company/organisation on various systems

You can use and adapt it within your company/organisation on various systems

PS : i have a access to GPLv3 plugin from LimeSurvey GMBH, it still not pubic.

Needed it myself, done this plugin, it limits all logins to the ip whitelist you configure,
there's no admin distinction, it will block anyone from login (beforeLogin) so feel free to modify if required (and give code back for everyone)
https://github.com/r4dius/LimeSurvey/tree/master/plugins/LoginWhitelist