Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
X-Cart Home FAQ Forum rules Calendar User manuals Login  

Limit ADMIN Login to a Geographical Area!

 
Reply
   X-Cart forums > X-Cart 4 > Dev Questions
 
Thread Tools Search this Thread
  #1  
Old 12-08-2012, 05:47 PM
  Mish's Avatar 
Mish Mish is offline
 

Advanced Member
   
Join Date: Feb 2008
Posts: 92
 
Thumbs up Limit ADMIN Login to a Geographical Area!
Hi everyone,

(Verified to work on Version 4.4.5)

This will allow you to lock your admin area down so that it can only be accessed from IP Addresses located in a specfied geographic area. It's great if you have a dynamic IP address, or need to allow access from an entire city (i.e. you're on the move and using wireless technology).

This modication will
  • Email you as soon as someone logs in (valid geographic location)
  • Automatically block access to the admin directory if someone attempts to login from outside the defined geographic area (and email you that a ban has been implemented)
Note that this modification requires the Anti-Fraud service available through QTMSoft (log in to your account at QTMSoft, Click Communications Centre, then click Anti-Fraud service).

This modication will automatically BAN the IP address from accessing the /admin directory the second they try and log in.

If you manage to ban yourself (you won't be able to get to the logon page anymore, it will behave as if the page is missing), edit /admin/.htaccess and delete the "DENY FROM <your ip address>"

Here is the modification. Feel free to post any improvements...

1> Edit admin/login.php
2> below line 48 which says require './auth.php'

Paste the following:

Code:
/* Admin IP Address distance modification */
/* This modification requires subscription to the Anti-Fraud service offered through QTMSoft */
/* Modification by Hinderwell Holdings Pty Ltd (Australia) */
/* POC: Mish [on X-Cart Forums] */
$address = array(
        'city' => "Houston",
        'state' =>  "TX",
        'country' => "US",
        'zipcode' => "77040"
    );
$maximum_distance = 100;
$ip = $_SERVER['REMOTE_ADDR'];
$result = '';
$proxy_ip = false;
// Contact Geo_IP database lookup server
$result = func_check_ip_at_af($ip,$proxy_ip, $address);
$myFile = "access37.log";
$fh = fopen($myFile, 'a');
fwrite($fh, date("Y-m-d H:i:s") .  " IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . "\n");
fclose($fh);
/* Send an e-mail with the IP addres and City/Country of person trying to login */
mail("youremail@yourdomain.com","Admin Login"," IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . "\n");
$distance = $result['data']['distance'];

if (($distance === null) || ($distance > $maximum_distance))
{
    echo "<B>SITE ACCESS DENIED</b> - ";
    echo "Access request traced to <b>{$result['data']['city']}, {$result['data']['country_name']}</b>!<br />";  
    /* Block the IP address from accessing the admin directory */
    $myfiletwo = ".htaccess";
    $fhtwo = fopen($myfiletwo, 'a');
    fwrite($fhtwo, "# This IP address was automatically added to the deny list on " . date("Y-m-d H:i:s") . "\n");
    fwrite($fhtwo, "DENY FROM " . $ip . "\n");
    fclose($fhtwo);
    mail("youremail@yourdomain.com","Banned Admin Login","IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . " has been automatically banned.\n");
    /* End of automatic IP address block */
    sleep(1);
    die();
}
/* End of IP Address distance modification */

Notes:
1> Edit $maximum_distance = 100 to a value you find appropriate. Please note the Geographic IP lookup isn't exact. Right now it says I'm 27 miles from my actual location. Perhaps start with a small number and increase until it doesn't deny you access.
2> Change the city name, state, country and Zip/Post code to your location. Note that the country codes in use are 2 letter diagraphs. If you aren't sure, try looking your country up here
3> This modification is particularly good if you don't want to whitelist (i.e. specify an exact IP address).
4> Make sure you edit the email address (two entries) to ensure it emails you).

If you like it, give it a vote / rating
__________________
X-Cart Gold 4.6.1
Reply With Quote
The following user thanks Mish for this useful post:
Duramax 6.6L (12-09-2012)
  #2  
Old 12-19-2013, 11:18 PM
  Mish's Avatar 
Mish Mish is offline
 

Advanced Member
   
Join Date: Feb 2008
Posts: 92
 
Default Re: Limit ADMIN Login to a Geographical Area!
Hi everyone,
Code updated to
1> Ensure it doesn't do a check on logout.
2> Let you know how many GeoIP requests you have remaining.
3> Works in 4.6.1
4> Includes an IP whitelist

Same instructions... here is the code. You'll want to change the bits in red.


Code:
// IP Whitelist
$_ips = array("217.107.8.106", "194.84.72.162", "83.234.124.243");

if (!in_array($_SERVER['REMOTE_ADDR'], $_ips) && ($_GET['mode'] != 'logout'))
{
    /* Admin IP Address distance modification */
    /* This modification requires subscription to the Anti-Fraud service offered through QTMSoft */
    /* Modification by Hinderwell Holdings Pty Ltd (Australia) */
    /* POC: Mish [on X-Cart Forums] */
    
    $address = array(
            'city' => "Emerald",
            'state' =>  "VIC",
            'country' => "AU",
            'zipcode' => "3782"
        );
    
    $maximum_distance = 300;
    
    $ip = $_SERVER['REMOTE_ADDR'];
    $result = '';
    $proxy_ip = false;
    
    // Contact Geo_IP database lookup server
    $result = func_check_ip_at_af($ip,$proxy_ip, $address);
    
    $myFile = "access37.log";
    $fh = fopen($myFile, 'a');
    fwrite($fh, date("Y-m-d H:i:s") .  " IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country'] . "\n");
    fclose($fh);

    /* Send an e-mail with the IP addres and City/Country of person trying to login */

    $remainingRequests = $result['status']['available_request'] - $result['status']['used_request'];
    mail("sales@flightplanning.com.au","Admin Login has just occured from "," IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country'] . "\n" . "GeoIP requests remaining: " . $remainingRequests );
    
    $distance = $result['data']['distance'];
    
    
    if (($distance === null) || ($distance > $maximum_distance))
    {
    
        echo "<B>SITE ACCESS DENIED</b> - ";
        echo "<B>GEOGRAPHIC TRIPWIRE TRIGGER. YOU HAVE BEEN BANNED FROM ACCESSING THE ADMIN AREA</B>";
        echo "Access request traced to <b>{$result['data']['city']}, {$result['data']['country']}</b>!<br />";
        echo "Should you feel you have received this in error, please contact sales@flightplanning.com.au";
    
        /* Block the IP address from accessing the admin directory */
        $myfiletwo = ".htaccess";
        $fhtwo = fopen($myfiletwo, 'a');
        fwrite($fhtwo, "# This IP address was automatically added to the deny list on " . date("Y-m-d H:i:s") . "\n");
        fwrite($fhtwo, "DENY FROM " . $ip . "\n");
        fclose($fhtwo);
        mail("sales@flightplanning.com.au","Banned Admin Login","IP: " . $ip . " - " . $result['data']['city'] . ", " . $result['data']['country_name'] . " has been automatically banned.\n");
        /* End of automatic IP address block */
        sleep(1);
        die();
    }
    
    /* End of IP Address distance modification */
} /* End of IF statement [IP whitelist]) */
__________________
X-Cart Gold 4.6.1
Reply With Quote
The following user thanks Mish for this useful post:
ADDISON (12-19-2013)
Reply
   X-Cart forums > X-Cart 4 > Dev Questions

« Previous Thread | Next Thread »


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 10:10 AM.

   
 
X-Cart forums © 2001-2020