Controlling login permissions and restrictions via Login IP Filtering

Overview

From a security standpoint, it can be important to check the IP address of a login attempt. For instance, if you have an internal-only site you may want to allow logins from only those on a shared office network.

Knowing the steps to set these permissions and restrictions can be critical if there is a security breach and credentials have been exposed. 

Prerequisites

  • Super User/Admin access.

Solution

1. With your Super User/Admin account, log in to your EVOQ instance and use the Persona Bar to select Settings > Security.

2. Click on the Member Accounts tab and make sure Enable IP Address Checking is turned on. 

3. Click on the Login Settings tab.

4. Click on the Login IP Filters sub-tab.

5. Click on Add New Filter.

6. Enter the necessary information for the permission or restriction. Hover over the info icon for more information about each field. 

NOTE: To validate in step 9, it's advisable first to add the IP address of a user who can help you in testing this change. 

7. Click Save.

8. Clear your cache and restart the application.

9. Validate that the changes have taken effect by asking the user who is helping you to navigate to your DNN site and try to log in. They should encounter a permissions error when attempting to do so.

10. Once validated, repeat steps 1 through 7 to add the actual entries to the restrictions or permissions. 

Alternative solution - IIS Rewrite

If you would like to restrict access to particular pages, you can use the IIS URL Rewrite module (https://www.iis.net/downloads/microsoft/url-rewrite) on the server and add rewrite rules to the web.config to block requests to specific resources or request types.

As an example, if you would like to block access to a specific page such as /login, a rule can be added so that all requests for this page are redirected to the home page.

<system.webServer>
...
  <rewrite>
    <rules>
      <!-- Redirect every request for the /login page to the home page -->
      <rule name="Block X Page" stopProcessing="true">
        <match url=".*" />
        <conditions>
          <!-- Dots are escaped so they match a literal "." in the host name -->
          <add input="{HTTP_HOST}" pattern="(www\.mywebsite\.com|mywebsite\.com)" />
          <add input="{PATH_INFO}" pattern="/login" />
        </conditions>
        <action type="Redirect" url="https://www.mywebsite.com/" />
      </rule>
    </rules>
  </rewrite>
...
</system.webServer>

Furthermore, we could change the action to return a 401 Unauthorized response or to abort the request. The rule below should block any IP address that is not listed under the whitelist comment.

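<system.webServer>
...
  <rewrite>
    <rules>
      <rule name="Intranet Rule" stopProcessing="true">
        <match url=".*" />
        <conditions logicalGrouping="MatchAll">
          <add input="{HTTP_HOST}" pattern="www\.website\.com" />
          <!--Whitelisted IP Addresses Go Here-->
          <!-- One negated condition per allowed address. The pattern is anchored (^...$) with escaped dots so only the exact address matches. -->
          <!-- {REMOTE_ADDR} is the address of the directly connecting client; behind a reverse proxy or load balancer it is the proxy's address. -->
          <add input="{REMOTE_ADDR}" pattern="^123\.456\.789\.10$" negate="true" />
        </conditions>
        <action type="AbortRequest" />
      </rule>
    </rules>
  </rewrite>
...
</system.webServer>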
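
The following is an added example, not part of the original article or of any DNN or IIS code: a simplified Python model of how the Intranet Rule's conditions are evaluated, useful for checking an allowlist before deploying it. It assumes URL Rewrite's default regular-expression matching, where a pattern matches anywhere in the input unless anchored; the rules and the 203.0.113.x / 198.51.100.x addresses are constructed, and `rule_fires` and `audit` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule template; 203.0.113.x / 198.51.100.x are documentation ranges.
RULE = """<rule name="Intranet Rule" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAll">
    <add input="{{REMOTE_ADDR}}" pattern="{a}" negate="true" />
    <add input="{{REMOTE_ADDR}}" pattern="{b}" negate="true" />
  </conditions>
  <action type="AbortRequest" />
</rule>"""
LOOSE = RULE.format(a="203.0.113.10", b="203.0.113.77")
STRICT = RULE.format(a=r"^203\.0\.113\.10$", b=r"^203\.0\.113\.77$")


def rule_fires(rule_xml, server_vars, url=""):
    """True when the conditions hold, i.e. the rule's action would run."""
    rule = ET.fromstring(rule_xml)
    if not re.search(rule.find("match").get("url"), url, re.I):
        return False
    conds = rule.find("conditions")
    results = []
    for add in conds.findall("add"):
        # Expand {NAME} server-variable references in the condition input.
        value = re.sub(r"\{(\w+)\}", lambda m: server_vars.get(m.group(1), ""),
                       add.get("input"))
        hit = re.search(add.get("pattern"), value, re.I) is not None
        if add.get("negate", "false").lower() == "true":
            hit = not hit
        results.append(hit)
    if conds.get("logicalGrouping", "MatchAll") == "MatchAny":
        return any(results)
    return all(results)


def audit(rule_xml, client_ips):
    """Map each client IP to 'blocked' (request aborted) or 'allowed'."""
    return {ip: "blocked" if rule_fires(rule_xml, {"REMOTE_ADDR": ip}) else "allowed"
            for ip in client_ips}


if __name__ == "__main__":
    sample = ["203.0.113.10", "203.0.113.77", "203.0.113.100", "198.51.100.9"]
    for label, rule in (("unanchored", LOOSE), ("anchored", STRICT)):
        print(label, audit(rule, sample))
```

With the unanchored patterns, 203.0.113.100 is let through because it contains the allowlisted string 203.0.113.10; the anchored patterns admit only the two exact addresses.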
