How to Block IP Address??!

 
X-Cart forums > X-Cart 4 > Dev Questions
#1 - 03-03-2004, 04:59 AM
jeeya (X-Adept; Join Date: May 2003; Location: USA; Posts: 807)

How to Block IP Address??!

I am monitoring traffic through live help and someone is trying to access the administration area. How do I block the IP??
__________________
X-Cart Version 4.1.8
Hosted on Linux
#2 - 03-03-2004, 05:45 AM
Nuked (Member; Join Date: Sep 2002; Location: UK; Posts: 21)

This blocks IPs from the whole site. Put this .htaccess file into the public_html folder; whole countries can be blocked as well, e.g.
deny from .id

.htaccess file

AuthName "Blocked Access "
AuthType Basic
# Access rules kept outside a <Limit> block apply to every request method,
# so the deny list also covers requests that are not GET or POST
order allow,deny
allow from all
deny from 202.138.224.2
deny from 202.138.225.78
deny from 202.138.226.125
deny from 202.138.227
deny from 202.138.228
deny from 202.138.229
__________________
Nuke D
Experienced X-Carters since Mar 2002
#3 - 03-03-2004, 06:07 AM
jeeya (X-Adept; Join Date: May 2003; Location: USA; Posts: 807)

Great, thanks! I don't know, but it might be a good idea if X-Cart put some kind of IP blocking mod in the administration area to only allow certain IP addresses, or to block IP access to the administration area.
__________________
X-Cart Version 4.1.8
Hosted on Linux
#4 - 03-03-2004, 06:21 AM
Nuked (Member; Join Date: Sep 2002; Location: UK; Posts: 21)

Yes, I think they are doing something for the future.

You should also secure your admin and provider directories through htaccess (with a login).
__________________
Nuke D
Experienced X-Carters since Mar 2002
#5 - 03-03-2004, 09:28 AM
leed (Senior Member; Join Date: Nov 2002; Location: England (UK); Posts: 128)

No sooner said than done!!

A very quick & dirty mod, but you're welcome to use it ... although caveat emptor!!

1) back up your admin/auth.php
2) run the following SQL against your MySQL database (use phpMyAdmin or similar)

CREATE TABLE xcart_ip (
ipaddress char(16) NOT NULL default '',
PRIMARY KEY (ipaddress)
) ENGINE=MyISAM; -- ENGINE= replaces the old TYPE= keyword, which current MySQL rejects

INSERT INTO xcart_ip VALUES ('aaa.bbb.ccc.ddd');

changing aaa.bbb.ccc.ddd to your dedicated IP, or your dynamic IP address if you're using an ISP and don't have a dedicated IP address. The code checks for 3rd-tier matching as well, e.g. aaa.bbb.ccc, so just use the full IP address. NB - if you want to add more than one IP address, just duplicate the INSERT and change as required.

Once the SQL has created the table and populated it,

open admin/auth.php and look for the line reading

require_once $xcart_dir."/config.php";

after this, insert this code

#----------------------------------------------------------------
# IP Controller Mod - Only allow admin access for a certain IP, range of IP addresses
# Webmouster.com 2003 - all rights reserved
# Freely distributable, but credit remains with
# authors - no support offered
#-----------------------------------------------------------------#

#$registered_ip= session_is_registered("iprecorded");
$ipaddy = $_SERVER['REMOTE_ADDR']; // Client IP address as seen by the web server (no DNS round trip, no register_globals needed)

// 3rd tier e.g. xxx.yyy.zzz: take the first three octets by splitting on the dots,
// so the match is octet-aligned rather than a fixed number of characters
$octets = explode('.', $ipaddy);
$ip10 = implode('.', array_slice($octets, 0, 3)) . '.';
$ip16 = $ipaddy; // 4th tier e.g. aaa.bbb.ccc.ddd
$ipcount = 0;
global $ipadded;
$ipadded = "N";

$dbh = "mysqlhost"; // Host name
$dbu = "database user"; // MySQL user name
$dbp = "database password"; // MySQL password
$dbt = "database name"; // MySQL database that holds the xcart_ip table

$db = mysql_connect($dbh, $dbu, $dbp) or die("Could not connect to database ..."); // Establish MySQL connection
mysql_select_db($dbt, $db) or die("Could not select database"); // Select database

// Select entries whose first three octets match, if any (escaped even though the value is server-derived)
$qst = "SELECT * FROM xcart_ip WHERE ipaddress LIKE '" . mysql_escape_string($ip10) . "%' ORDER BY ipaddress";
$ipquery = mysql_query($qst, $db) or die("Error on select : " . mysql_error()); // Query it

if (!function_exists('ipmod_box')) {
    // Print the small status box used by the mod (green = allowed, red = denied)
    function ipmod_box($color, $text) {
        echo "<div align='center'>\n";
        echo "<table width='300' border='0' cellpadding='1' cellspacing='1' bordercolor='#666666'>\n";
        echo "<tr bgcolor='" . $color . "'><td>\n";
        echo "<table width='300' border='0' cellpadding='0' cellspacing='0' bgcolor='white'>\n";
        echo "<tr bgcolor='#CCCCCC'><td><font size='2' face='Arial, Helvetica, sans-serif'>" . $text . "</font></td></tr>\n";
        echo "<tr bgcolor='white'><td><font size='2'>&nbsp;</font></td></tr>\n";
        echo "</table>\n</td></tr></table>\n</div>\n";
    }
}

$access_allowed = "N";
while ($row1 = mysql_fetch_array($ipquery)) {
    $currentip = trim($row1["ipaddress"]);
    ++$ipcount;

    // Allow on an exact match (4th tier) or when the first three octets match (3rd tier)
    if ($ip16 == $currentip || strpos($currentip, $ip10) === 0) {
        ipmod_box('green', 'Access to admin has been allowed');
        $access_allowed = "Y";
        # $iprecorded="Y";
        # session_register("iprecorded");
        break;
    } // End if
} // End while

if ($access_allowed != "Y") {
    ipmod_box('red', 'Access Denied!!');
    exit();
}

#
# --------------- End IP controller mod
#

This code requires your MySQL login details (host, database, password, table) (look for the code lines)

$dbh = "mysqlhost"; // Host name
$dbu = "database user"; // MySQL user name
$dbp = "database password"; // MySQL password
$dbt = "database name"; // MySQL database that holds the xcart_ip table

Change to suit

Then upload the modified auth.php

If the IP you're coming in from doesn't match that in the table, the page just terminates with a message. If it does, then you're into the admin!

A couple of notes.
1) Because a lot of people don't have dedicated IP addresses, I've made the code a little loose in that it will allow access on a 3rd-tier IP address, e.g. 123.456.789. Theoretically someone else with the same IP address (3rd tier) on your ISP could gain access to the cart admin page, but they've still got to know the username/password for the cart admin, and the chances of someone else on your ISP attempting to access your cart with the same 3rd-tier IP address are very small.

2) Ensure that you
- have htpasswd protection for admin
- change the password for admin regularly, as well as the htaccess/htpasswd
- apply regular security patches when issued by Qualiteam

It's not perfect code, as it may be possible to use IP spoofing etc., but it's one more step they've got to crack. Until the Qualiteam guys come up with the pro version, it's something you may want to use.

Have Fun!!
__________________
Why a mouse when it spins ......
X-Cart Gunslingers - For Hire!!
http://forum.x-cart.com/viewtopic.php?t=8615
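The 3rd-tier matching described in the post above compares a fixed number of characters (substr(..., 0, 10) in the posted PHP), which is a string prefix rather than an octet boundary. The following Python script is added here as an illustration and is not part of leed's mod or of X-Cart; it replicates that check beside an octet-aware version built on the standard ipaddress module. The allowlist rows, the CIDR entries and the client addresses are constructed documentation/private-range values.

```python
import ipaddress

# Constructed sample data (not from the thread): rows as they would be
# INSERTed into xcart_ip, and the same policy written as CIDR entries.
LEGACY_ROWS = ["172.16.5.5", "192.168.1.5"]
CIDR_ENTRIES = ["172.16.5.5/32", "192.168.1.0/24"]  # one exact host, one /24


def legacy_prefix_match(client_ip, row):
    """Replicate the posted mod's loose check: substr($ip, 0, 10) on both
    sides. The cut is at a character count, so whether it lands on an octet
    boundary depends on how many digits the address happens to have."""
    return client_ip[:10] == row[:10]


def legacy_allowed(client_ip, rows=LEGACY_ROWS):
    """True if any stored row passes the 10-character prefix comparison."""
    return any(legacy_prefix_match(client_ip, row) for row in rows)


def cidr_allowed(client_ip, entries=CIDR_ENTRIES):
    """Octet-aware check: the client must fall inside one of the networks.
    Malformed client strings are rejected instead of being compared loosely."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def admin_access_decision(client_ip, entries=CIDR_ENTRIES):
    """'allow' or 'deny'; an auth hook like the one in the thread would
    stop the request on 'deny'."""
    return "allow" if cidr_allowed(client_ip, entries) else "deny"


def compare(client_ip):
    """Side-by-side result of both checks for one client address."""
    return {"client": client_ip,
            "legacy_prefix": legacy_allowed(client_ip),
            "cidr": cidr_allowed(client_ip)}


if __name__ == "__main__":
    for ip in ["172.16.5.5", "172.16.5.50", "172.16.5.6",
               "192.168.1.77", "192.168.10.5", "not-an-ip"]:
        print(compare(ip))
```

Running it shows the inconsistency: with 172.16.5.5 stored, the prefix check lets 172.16.5.50 in but keeps 172.16.5.6 out, although both share the same first three octets, because the ten-character cut happens to end one digit into the last octet. With explicit CIDR entries the policy (one exact host, one whole /24) is stated unambiguously and the intended /24 case, 192.168.1.77, still passes.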
#6 - 05-12-2004, 09:34 AM
ronp (Advanced Member; Join Date: Feb 2003; Location: SE US; Posts: 30)

Access Denied error...

Leed, thanks for the script! It's just what I've been looking for. However, I get "Access Denied" when running it. I've entered it into the DB and tried both my full IP and even just the 3rd tier, but neither works. Connect info is correct and I'm getting your coded Access Denied message. Running X-Cart 3.5.1 - any ideas?
__________________
----------------------------------------------------
X-Cart 3.5.1
"Heavily Modified"
Win2000 Advanced Server/Apache 2.0.54 w/OpenSSL 0.9.7g
PHP 4.4.0/MySQL 4.1.14-nt
#7 - 06-11-2004, 10:22 AM
Konig (Advanced Member; Join Date: Jun 2004; Location: Ohio, USA; Posts: 77)

You may want to add an .htaccess file like this to the directory as well to prevent people from accessing vital areas of your store. Good luck!

Code:
# .htaccess by Konig (06/07/2004)
Options -Indexes
DirectoryIndex index.php
# block all files in uppercase letters (i.e. VERSION)
RedirectMatch gone ^/[A-Z].+$
# block all smarty templates
RedirectMatch gone ^/.*\.tpl$
# block all .php and .pl files in the root directory except for index.php
# remove |pl if you want to execute patch.pl, otherwise, leave alone
# example: install.php, config.php just in case if there is an exploit someday
# which can reveal the source code of php files
# (the negative lookahead exempts index.*; a character class such as [^index]
# would only exempt names whose last letter is i, n, d, e or x)
RedirectMatch gone ^/(?!index\.)[^/]+\.(php|pl)$
# block the entire log directory
Redirect gone /log
# block all .log (log files), .sql (sql dump/export) and .conf (config files) files
# in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$
# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$
# block access to /upgrade
Redirect gone /upgrade
# block access to /skin1_original
Redirect gone /skin1_original
# block access to the /sql directory
Redirect gone /sql
# block access to the /shipping directory
Redirect gone /shipping
# block access to the pgp directories
Redirect gone /.pgp
Redirect gone /.pgp.def

__________________
-der Konig

3.5.8 - LIVE
4.0.0 - Developed and LIVE

4.0.18 - SQL DB
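Before relying on a set of Redirect/RedirectMatch rules it is worth replaying them against the request paths you expect to see. The following Python script is added here as an illustration and is not part of Konig's .htaccess or of X-Cart; it evaluates the rules from the post above against constructed paths and also carries a corrected form of the "all .php and .pl except index.php" rule, since [^index] in the posted pattern is a character class and only exempts files whose last letter is i, n, d, e or x. Two assumptions are marked in the comments: Apache's Redirect matches whole path segments, and these PCRE patterns behave the same under Python's re module.

```python
import re

# Rules transcribed from the posted .htaccess, in file order. "prefix" models
# Apache's Redirect directive (whole-segment prefix match); "regex" models
# RedirectMatch (PCRE, approximated here with Python's re).
POSTED_RULES = [
    ("uppercase files", "regex", r"^/[A-Z].+$"),
    ("smarty templates", "regex", r"^/.*\.tpl$"),
    ("root php/pl except index (as posted)", "regex", r"^/[^/]*([^index])\.(php|pl)$"),
    ("log directory", "prefix", "/log"),
    ("sql/log/conf files", "regex", r"^.*\.(sql|log|conf)$"),
    ("Smarty directory", "regex", r"^.*Smarty.*$"),
    ("upgrade directory", "prefix", "/upgrade"),
    ("skin1_original directory", "prefix", "/skin1_original"),
    ("sql directory", "prefix", "/sql"),
    ("shipping directory", "prefix", "/shipping"),
    ("pgp directory", "prefix", "/.pgp"),
    ("pgp.def directory", "prefix", "/.pgp.def"),
]

# Replacement for the third rule: a negative lookahead exempts index.*;
# [^index] is a character class, so it only exempts names whose last letter
# is i, n, d, e or x.
CORRECTED_PHP_RULE = ("root php/pl except index (corrected)", "regex",
                      r"^/(?!index\.)[^/]+\.(php|pl)$")
CORRECTED_RULES = [CORRECTED_PHP_RULE if r[0].startswith("root php") else r
                   for r in POSTED_RULES]


def prefix_matches(url_path, prefix):
    # mod_alias matches whole path segments: "/log" covers "/log" and
    # "/log/anything" but not "/logo.gif" (assumption based on alias_matches()
    # in mod_alias; repeated slashes are not normalised here).
    return url_path == prefix or url_path.startswith(prefix + "/")


def first_block(url_path, rules=POSTED_RULES):
    """Name of the first rule that would answer 410 Gone, or None if served."""
    for name, kind, value in rules:
        if kind == "prefix" and prefix_matches(url_path, value):
            return name
        if kind == "regex" and re.search(value, url_path):
            return name
    return None


def audit(paths, rules=POSTED_RULES):
    """Map each sample path to the rule that blocks it (None = served)."""
    return {p: first_block(p, rules) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths; /example.php stands in for any root
    # script whose name ends in a letter the [^index] class excludes.
    SAMPLE = ["/VERSION", "/skin1/customer/home.tpl", "/config.php", "/patch.pl",
              "/index.php", "/example.php", "/log/xcart.log", "/logo.gif",
              "/.pgp/pubring.pkr"]
    for path, rule in audit(SAMPLE).items():
        print(f"{path:28} posted:    {rule}")
    for path, rule in audit(SAMPLE, CORRECTED_RULES).items():
        print(f"{path:28} corrected: {rule}")
```

The output makes the gap visible: /config.php and /patch.pl are blocked by the posted rule, /index.php is served by both versions as intended, but /example.php is served by the posted rule and blocked only by the corrected one. The /log prefix rule covers /log/xcart.log and leaves /logo.gif alone, which is the segment-aware behaviour the comments assume.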
X-Cart forums © 2001-2020