View Issue Details

This bug affects 1 person(s).
 268
IDProjectCategoryView StatusLast Update
09373Feature requestsSecuritypublic2024-11-05 00:28
Reporterhtwsaar Assigned Toollehar  
PrioritynormalSeverityfeature 
Status feedbackResolutionopen 
Summary09373: Prevent people from login into administration from everywhere
Description

It would be great for security reasons if the administration view could be hid from people outside - or the other way round - one could set individual IP addresses, IP ranges, DNS names, or parts of DNS names (like *.mydomain.tld) that are allowed to get access to the admin view.

The German Office for data security wants us to do so.

.htaccess is not the way.

TagsNo tags attached.
Bug heat268
Story point estimate0
Users affected %10

Users monitoring this issue

ritapas, Steki

Activities

DenisChenu

DenisChenu

2014-11-26 10:58

developer   ~31101

Last edited: 2014-11-26 11:00

And why .htaccess is not the way ?

I really think it must be done via htaccess or external plugin, not in LS core.

PS: try with beforeLogin event : http://manual.limesurvey.org/BeforeLogin#beforeLogin

PS: restrict by IP is not a security .... you don't know IP spoofing ?

htwsaar

htwsaar

2014-11-26 18:02

reporter   ~31111

.htaccess doesn't prevent someone from login in to the admin area from outside your LAN, actually!

This just keeps people from getting the index file from example.tld/admin/ directory.

If someone knows that this will be reinterpreted to http://example.tld/index.php/admin/authentication/sa/login instantly, he can still log in to your limesurvey administration.

This isn't better than .htaccess in the ../admin/ folder with 'deny all'.

I know IP spoofing. but no one will be able to pretend using a just local usable RFC address from the outside. This address will not be routed.

Therefor IP filter is a propriate way to secure against attempts from outside.

How does the 'beforeLogin' work? I'm no php developer.
Would be fine if that would be part of the Administration GUI.

DenisChenu

DenisChenu

2014-11-26 18:34

developer   ~31112

With htaccess and rewrite condition:
RewriteCond %(REMOTE_ADDR) !^192.168.0
RewriteCond %{REQUEST_URI} admin
RewriteRule .* index.php

Not tested

Usage of plugin:
beforeLogin : https://gitorious.org/ls-authwpbydb/ls-authwpbydb/source/e7f52e2ac206333ba5fc79bc2ecd3a8b79d3bf96:AuthWPbyDB.php#L96
You can surely use a redirect here or throw a 401 error.

If you need help for PHP dev: http://www.limesurvey.com/

htwsaar

htwsaar

2014-11-26 18:54

reporter   ~31113

While LS uses the same index.php for all reasons, by usage of .htaccess you will keep everyone from outside using everything in LS (also surveys).
Thats not what most of users want.

I looked through your wordpress login script but I cants see how I would find out the remote IP address and filter it.

Could you explain?

Thank you.

htwsaar

htwsaar

2014-11-26 18:56

reporter   ~31114

Oops, forgot to mention:

RewriteCond isn't allowed on our webserver.

DenisChenu

DenisChenu

2014-11-26 19:33

developer   ~31115

Please : http://www.giyf.com/ : php find remote IP address

ANd again : need PHP dev for LimeSurvey : http://www.limesurvey.com/

htwsaar

htwsaar

2014-12-04 12:44

reporter   ~31164

I found a way that fits my requirements for now.

My solution is made with php. I just need to check the changes after every update.

For my opinion it still would be greate if that option would come into the standard GUI to set easyly for everyone.

jelo

jelo

2014-12-05 17:35

partner   ~31184

To disable the "password forgotten" lnk function would be a good idea too.
When we talk about spoofing we have to think about sniffing too.

Mazi

Mazi

2018-12-03 17:20

updater   ~49861

@htwsaar, can you outline your solution in more details so others can benefit from it as well?

htwsaar

htwsaar

2018-12-04 11:02

reporter   ~49873

Here is the simple way I did it:

You need to change your /application/controllers/admin/authentication.php
using the following lines (i.e.):

$IPRANGE = substr ($_SERVER['REMOTE_ADDR'],0,7);
switch ($IPRANGE) {
case "XXX.XX.":
break;
case "YYY.YY.":
break;
default:
die ('Administrative GUI only available within the local network!
');
}

where XXX.XX. and YYY.YY. are the first characters of your internal IP-ranges (LANs).
If you have just 1 LAN (like 192.168.xxx.xxx) just use one case. If you have more, use more.

Caution: Check authentication.php after every update if it got exchanged by the update. You may have to customize it again.

Mazi

Mazi

2018-12-04 11:08

updater   ~49874

@htwsaar: Thanks a lot for your feedback!

Just a short recommendation: When switching to a newer Limesurvey versions it makes sense to create a plugin for such features. That way you are future safe when updating later and do not have to edit the source code files.

htwsaar

htwsaar

2018-12-04 11:12

reporter   ~49875

@Mazi: Thanks for that idea with a plugin.
Actually I don't know about plugins. How would I manage that? Is there au manual on how to use plugins?

DenisChenu

DenisChenu

2018-12-04 11:56

developer   ~49876

See https://gitlab.com/SondagesPro/ExportAndStats/quickStatAdminParticipationAndStat/blob/master/quickStatAdminParticipationAndStat.php#L428

For a simple example of action done only for admin page

htwsaar

htwsaar

2018-12-04 14:43

reporter   ~49878

@DenisChenu. For my opinion this is not what we wanted to have as result.
We don't want people from outside the LAN (IP based) to be able to see the admin login page and log in.

DenisChenu

DenisChenu

2018-12-04 16:03

developer   ~49880

I only give sample …

    public function beforeControllerAction()
    {
        if(($this->event->get('controller')=='admin' && $this->event->get('action')!='authentication'))
        {
            if(!$this->_yourFunctionToTest() {
                Yii::app()->controller->redirect(array('surveys/index');
            }
        }
    }

I don't say : do it like this …

ymca

ymca

2020-04-27 18:37

reporter   ~57399

I'm using .htaccess for the whole site so users that don't have the user and password will not see anything.
Now I want to remove it from the homepage, and just leave it in the admin login with the .htaccess password.
Which directory do I need to protect?

Mazi

Mazi

2020-04-27 20:11

updater   ~57401

We can provide a plugin similar to this one (https://www.limesurvey.org/limestore/extensiondetails/40/plugin/limesurvey-%E2%80%9Cip-range-survey%E2%80%9D-plugin) but for the admin backend.
Would that help? Then please write to me at marcel.minke@survey-consulting.com

ymca

ymca

2020-04-27 21:11

reporter   ~57404

I prefer to use simple thing, like protecting just the directory this link is coming from "https://mysite.com/index.php/admin/"
or
"https://mysite.com/index.php/admin/authentication/sa/login".

ymca

ymca

2020-05-11 10:04

reporter   ~57659

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mysite.com/$1 [R,L]

AuthType Basic
AuthName "Access to /mysite/"
AuthUserFile /directory of htpasswd
Require user Jd4g5G

AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI index.php/admin/authentication/sa/login !noauth
SetEnvIf Request_URI index.php !noauth

<RequireAny>
Require env noauth
Require valid-user
</RequireAny>

Mazi

Mazi

2020-07-06 14:37

updater   ~58722

Since this feature request is still marked "new" but there seems to be a need for tools to restrict access to Limesurvey, we have now made our "IP range login" Limesurvey plugin available at https://survey-consulting.com/product/limesurvey-plugin-ip-range-login/

ymca

ymca

2020-07-06 16:06

reporter   ~58725

I use this one for redirecting users to a message page of "site in maintenance" and I can continue in admin area:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yoursite.com/$1 [R,L]

AuthType Basic
AuthName "Access to /yoursite/"
AuthUserFile /xxxxxx/htpasswd
Require user xxxxxx

AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI index.php/admin/authentication/sa/login !noauth
#SetEnvIf Request_URI index.php !noauth

<RequireAny>
Require env noauth
Require valid-user
</RequireAny>

#change to my ip & remove "#" from "deny from all"
ErrorDocument 403 http://updating.yoursite.com/
Order deny,allow
#Deny from all
#your ip
Allow from xxx.xxx.xxx.xxx

#Prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

#Prevent directory listings
Options All -Indexes

ollehar

ollehar

2023-02-03 17:27

administrator   ~73659

Last edited: 2023-02-03 17:28

Since this is an advanced feature I'm setting user value (users affected) to 10%.

Also, maybe close this if Mazi has a plugin already?

DenisChenu

DenisChenu

2023-02-04 11:36

developer   ~73669

Last question : @Mazi : your plugin license is ? (i don't ask free distribution to be clear, just license after buying).

Mazi

Mazi

2023-02-04 15:19

updater   ~73681

There are two versions if our IP range plugins:

  1. The "IP Range Survey" plugin restricts access to surveys. It is free and can be downloaded from https://account.limesurvey.org/limestore/extensiondetails/40/plugin/limesurvey-%E2%80%9Cip-range-survey%E2%80%9D-plugin. There are no restrictions by the license, you can use it and adjust it as needed.

  2. For restricting access to the Limesurvey admin backend, you can download this plugin (https://survey-consulting.com/product/limesurvey-plugin-ip-range-login/). You can use it within your company/organisation on various systems but it is not allowed to re-distribuite it or make it available for free.

DenisChenu

DenisChenu

2023-02-04 15:21

developer   ~73683

You can use it within your company/organisation on various systems

You can use and adapt it within your company/organisation on various systems

PS : i have a access to GPLv3 plugin from LimeSurvey GMBH, it still not pubic.

r4dius

r4dius

2024-11-04 19:55

reporter   ~81337

Needed it myself, done this plugin, it limits all logins to the ip whitelist you configure,
there's no admin distinction, it will block anyone from login (beforeLogin) so feel free to modify if required (and give code back for everyone)
https://github.com/r4dius/LimeSurvey/tree/master/plugins/LoginWhitelist

LoginWhitelist.zip (1,649 bytes)

Issue History

Date Modified Username Field Change
2014-11-25 16:34 htwsaar New Issue
2014-11-26 10:58 DenisChenu Note Added: 31101
2014-11-26 10:59 DenisChenu Note Edited: 31101
2014-11-26 11:00 DenisChenu Note Edited: 31101
2014-11-26 18:02 htwsaar Note Added: 31111
2014-11-26 18:34 DenisChenu Note Added: 31112
2014-11-26 18:54 htwsaar Note Added: 31113
2014-11-26 18:56 htwsaar Note Added: 31114
2014-11-26 19:33 DenisChenu Note Added: 31115
2014-12-04 12:44 htwsaar Note Added: 31164
2014-12-05 17:35 jelo Note Added: 31184
2016-01-29 16:14 Steki Issue Monitored: Steki
2018-12-03 17:20 Mazi Note Added: 49861
2018-12-04 11:02 htwsaar Note Added: 49873
2018-12-04 11:08 Mazi Note Added: 49874
2018-12-04 11:12 htwsaar Note Added: 49875
2018-12-04 11:56 DenisChenu Note Added: 49876
2018-12-04 14:43 htwsaar Note Added: 49878
2018-12-04 16:03 DenisChenu Note Added: 49880
2019-02-06 10:42 ritapas Issue Monitored: ritapas
2020-04-27 18:37 ymca Note Added: 57399
2020-04-27 20:11 Mazi Note Added: 57401
2020-04-27 21:11 ymca Note Added: 57404
2020-05-11 10:04 ymca Note Added: 57659
2020-07-06 14:37 Mazi Note Added: 58722
2020-07-06 16:06 ymca Note Added: 58725
2023-02-03 17:27 ollehar Story point estimate => 0
2023-02-03 17:27 ollehar Users affected % => 10
2023-02-03 17:27 ollehar Note Added: 73659
2023-02-03 17:27 ollehar Bug heat 264 => 266
2023-02-03 17:28 ollehar Note Edited: 73659
2023-02-03 17:28 ollehar Assigned To => ollehar
2023-02-03 17:28 ollehar Status new => feedback
2023-02-04 11:36 DenisChenu Note Added: 73669
2023-02-04 15:19 Mazi Note Added: 73681
2023-02-04 15:21 DenisChenu Note Added: 73683
2024-11-04 19:55 r4dius Note Added: 81337
2024-11-04 19:55 r4dius File Added: LoginWhitelist.zip
2024-11-04 19:55 r4dius Bug heat 266 => 268