12-08-2012, 05:47 PM
Mish

Limit ADMIN Login to a Geographical Area!

Hi everyone,

(Verified to work on Version 4.4.5)

This will allow you to lock your admin area down so that it can only be accessed from IP Addresses located in a specified geographic area. It's great if you have a dynamic IP address, or need to allow access from an entire city (i.e. you're on the move and using wireless technology).

This modification will
  • Email you as soon as someone logs in (valid geographic location)
  • Automatically block access to the admin directory if someone attempts to login from outside the defined geographic area (and email you that a ban has been implemented)
Note that this modification requires the Anti-Fraud service available through QTMSoft (log in to your account at QTMSoft, Click Communications Centre, then click Anti-Fraud service).

This modification will automatically BAN the IP address from accessing the /admin directory the second they try and log in.

If you manage to ban yourself (you won't be able to get to the logon page anymore, it will behave as if the page is missing), edit /admin/.htaccess and delete the "DENY FROM <your ip address>".

Here is the modification. Feel free to post any improvements...

1> Edit admin/login.php
2> below line 48 which says require './auth.php'

Paste the following:

Code:
/* Admin IP Address distance modification */
/* This modification requires subscription to the Anti-Fraud service offered through QTMSoft */
/* Modification by Hinderwell Holdings Pty Ltd (Australia) */
/* POC: Mish [on X-Cart Forums] */

/* Centre of the permitted area and the maximum allowed distance from it */
$address = array(
    'city'    => "Houston",
    'state'   => "TX",
    'country' => "US",
    'zipcode' => "77040"
);
$maximum_distance = 100;

$ip = $_SERVER['REMOTE_ADDR'];
$result = '';
$proxy_ip = false;

// Contact Geo_IP database lookup server
$result = func_check_ip_at_af($ip, $proxy_ip, $address);

/* Log every request for the login page (file is created in the admin directory) */
$myFile = "access37.log";
$fh = fopen($myFile, 'a');
fwrite($fh, date("Y-m-d H:i:s") . " IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . "\n");
fclose($fh);

/* Send an e-mail with the IP address and City/Country of person trying to login */
mail("youremail@yourdomain.com", "Admin Login", " IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . "\n");

$distance = $result['data']['distance'];

/* Deny when the lookup returned no distance or the distance is over the limit */
if (($distance === null) || ($distance > $maximum_distance)) {
    echo "<B>SITE ACCESS DENIED</b> - ";
    /* City and country come from the lookup service, so escape them before output */
    echo "Access request traced to <b>" . htmlspecialchars($result['data']['city']) . ", " . htmlspecialchars($result['data']['country_name']) . "</b>!<br />";

    /* Block the IP address from accessing the admin directory */
    $myfiletwo = ".htaccess";
    $fhtwo = fopen($myfiletwo, 'a');
    fwrite($fhtwo, "# This IP address was automatically added to the deny list on " . date("Y-m-d H:i:s") . "\n");
    fwrite($fhtwo, "DENY FROM " . $ip . "\n");
    fclose($fhtwo);
    mail("youremail@yourdomain.com", "Banned Admin Login", "IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . " has been automatically banned.\n");
    /* End of automatic IP address block */

    sleep(1);
    die();
}
/* End of IP Address distance modification */

Notes:
1> Edit $maximum_distance = 100 to a value you find appropriate. Please note the Geographic IP lookup isn't exact. Right now it says I'm 27 miles from my actual location. Perhaps start with a small number and increase until it doesn't deny you access.
2> Change the city name, state, country and Zip/Post code to your location. Note that the country codes in use are 2-letter digraphs. If you aren't sure, try looking your country up here
3> This modification is particularly good if you don't want to whitelist (i.e. specify an exact IP address).
4> Make sure you edit the email address (two entries) to ensure it emails you.

If you like it, give it a vote / rating
__________________
X-Cart Gold 4.6.1
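The recovery step described in the post (deleting your own "DENY FROM" entry from /admin/.htaccess), written as shell functions that also list the bans the modification has appended. This is an added example, not part of Mish's post; the function names, the sample file contents and the 203.0.113.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.
MARK='^# This IP address was automatically added to the deny list on '

# list_auto_bans FILE: print "ip date time" for each ban the mod appended.
list_auto_bans() {
    awk -v mark="$MARK" '
        $0 ~ mark { ts = $(NF-1) " " $NF; next }
        toupper($1 " " $2) == "DENY FROM" && NF == 3 && ts != "" { print $3, ts }
        { ts = "" }
    ' "$1"
}

# unban_ip FILE IP: remove the exact "DENY FROM IP" line plus the auto-added
# comment directly above it, keeping FILE.bak. Returns 1 if IP is not listed.
unban_ip() {
    file=$1; ip=$2; rc=0
    tmp=$(mktemp "$file.XXXXXX") || return 2
    awk -v mark="$MARK" -v ip="$ip" '
        $0 ~ mark { if (held != "") print held; held = $0; next }
        toupper($1 " " $2) == "DENY FROM" && NF == 3 && $3 == ip {
            held = ""; removed = 1; next   # drop the ban and its comment
        }
        { if (held != "") print held; held = ""; print }
        END { if (held != "") print held; exit(removed ? 0 : 1) }
    ' "$file" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Back up first, then overwrite in place so ownership and mode are kept.
        cp -p "$file" "$file.bak" && cat "$tmp" > "$file" || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample of what admin/.htaccess looks like after two auto-bans.
make_sample() {
    cat > "$1" <<'EOF'
Options -Indexes
# This IP address was automatically added to the deny list on 2012-12-08 17:47:01
DENY FROM 203.0.113.4
# This IP address was automatically added to the deny list on 2012-12-09 03:12:44
DENY FROM 203.0.113.40
EOF
}
```

The match on the address is exact, so unbanning 203.0.113.4 leaves the entry for 203.0.113.40 in place.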