Manage IP access

The IP Access Control page enables you to restrict access to the appliance based on IP address. You can use this page to perform the following tasks:

  • Block access from a list or range of IP addresses
  • Allow access only from a list or range of IP addresses

Note: The IP Access Control page restricts access only to the Web Administration Interface. To restrict SSH access, you must modify the hosts.allow and hosts.deny files. For more information, see Manage SSH.

Restrict access based on IP address

By default, the WAI accepts connections from any IP address. Even though the WAI is password-protected, you should limit access to only legitimate client systems if possible, so that an attacker from outside your network cannot even attempt to log in. To restrict access based on IP address, perform the following steps:

  1. Click IP Access Control to display the access control page.
  2. In the Allowed IP Addresses field, select the Only allow from listed addresses option.
  3. Enter a list of host names, IP addresses, or networks in the text box. You can enter networks with a netmask (for example, 192.168.1.0/255.255.255.0). You can also enter the subnet in CIDR format (for example, 192.168.1.0/24). You can allow access from an entire DNS domain by entering a value such as *.example.com. However, be aware that domain-based entries are not totally secure, because an attacker can fake reverse DNS results.
  4. Normally, the WAI resolves any host names that you enter only once, when it first starts up. To change this, in the Resolve hostnames on every request field, select Yes. The WAI then converts host names to IP addresses for comparison on every request. This can be useful if the system that you run a browser on frequently changes its IP address, but can update a DNS record to match. This can happen on a network using DHCP, or if you are connected to an ISP that dynamically assigns addresses.
  5. To also check the TCP-wrappers configuration files (/etc/hosts.allow and /etc/hosts.deny) when deciding whether to allow a client, in the Also check TCP-wrappers hosts.allow and hosts.deny files field, select Yes. The service name to use when editing these files is webmin.
  6. Click Save to activate the new client address restrictions.
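
The following added example (not part of the product or its documentation) audits a proposed allow list before you save it: it normalizes the netmask and CIDR forms from step 3, reports which address-based entries would admit a given client, and lists the entries that depend on DNS. The entries and client addresses are constructed sample values, and the matching uses Python's ipaddress module as a model, not the WAI's own code.

```python
import ipaddress

# Constructed sample allow list using the entry formats described in step 3.
SAMPLE_ALLOW_LIST = [
    "192.168.1.0/255.255.255.0",   # network with netmask
    "10.20.0.0/16",                # network in CIDR format
    "203.0.113.7",                 # single IP address
    "*.example.com",               # whole DNS domain
    "admin-pc.example.com",        # single host name
]

def classify(entry):
    """Return (kind, network) for one allow-list entry.

    kind is "network" for address-based entries, "dns-wildcard" for
    *.domain entries, and "hostname" for anything else.
    """
    entry = entry.strip()
    if entry.startswith("*."):
        return ("dns-wildcard", None)
    try:
        # ip_network accepts a bare IP, CIDR, and the netmask form alike.
        return ("network", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("hostname", None)

def audit(entries, client_ip):
    """Report which entries admit client_ip and which rely on DNS."""
    addr = ipaddress.ip_address(client_ip)
    report = {"allowed_by": [], "dns_dependent": []}
    for entry in entries:
        kind, net = classify(entry)
        if kind == "network":
            if addr.version == net.version and addr in net:
                report["allowed_by"].append(entry)
        else:
            # These entries are only as trustworthy as the DNS answers.
            report["dns_dependent"].append(entry)
    return report

if __name__ == "__main__":
    for ip in ("192.168.1.44", "10.20.5.9", "198.51.100.9"):
        print(ip, audit(SAMPLE_ALLOW_LIST, ip))
```

An empty allowed_by result for a legitimate administrator workstation means the list would lock that client out once saved; entries under dns_dependent are the ones to replace with addresses or networks where possible.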
