  • Hi all.
    Figured this might be helpful to others. In attempting to lock down all our systems as much as possible, and in seeing many old exploits being attempted in our log files, I decided to only allow MODx /manager/ access to approved IPs. A simple "deny from all" worked, but it broke CAPTCHA on our eforms, since the veriword.php is in the /manager/includes/ path.

    So... mod rewrite to the rescue. If anybody sees any issues with this code or the approach in general I’d love to know. We plan on extending/reworking this to tie into our system-wide port knocking, but that’ll be down the road.
    # =====================================================
    # Allow manager access to specific IPs only
    Options +FollowSymlinks
    RewriteEngine On
    
    # Deny by IP
    RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
    RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
    RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
    # =====================================================

    Just replace the RewriteEngine Off line with this bit. It seems to work well in my testing so far, but if I’ve missed anything please let me know.
      Need MODx Ecommerce? Try FoxyCart!
    • Thank you! cool
        @hawproductions | http://mrhaw.com/

        Infograph: MODX Advanced Install in 7 steps:
        http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

        Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
        http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
      • I’ve had servers that returned 500 errors if RewriteEngine On was duplicated in inner .htaccess files; the one in the outermost directory turns it on for all of its descendants.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
        • How do you allow from more than one IP?
          • I worked it out. Just repeat the line below as many times as you need, one for each IP address. Make sure to put those lines one after another.

            Example:

            # =====================================================
            # Allow manager access to specific IPs only
            Options +FollowSymlinks
            RewriteEngine On
             
            # Deny by IP
            RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
            RewriteCond %{REMOTE_ADDR} !^(124\.124\.124\.124)$
            RewriteCond %{REMOTE_ADDR} !^(125\.125\.125\.125)$
            RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
            RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
            # =====================================================

            Got the info from http://www.netshinesoftware.com/blog/restricting-access-to-a-url-by-ip-address-using-mod-rewrite/
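To see why stacking negated RewriteCond lines (as in the original post and the multi-IP follow-up above) behaves as an allowlist, here is an added example, not code from the thread or from MODX, that generates the rule block from a list of addresses and simulates mod_rewrite's decision: the rule fires only when every condition holds. The IP addresses are constructed placeholders, and the check uses REMOTE_ADDR, so a reverse proxy or CDN in front of Apache would need separate handling.

```python
import re

# Constructed placeholder allowlist; replace with your own approved addresses.
ALLOWED_IPS = ["123.123.123.123", "124.124.124.124", "125.125.125.125"]

# The CAPTCHA script that eForm still needs to reach inside /manager/.
PUBLIC_FILES = [r"/includes/veriword\.php$"]


def build_htaccess(allowed_ips, public_files=PUBLIC_FILES):
    """Emit the manager/.htaccess block from the thread: one negated
    RewriteCond per approved IP, then the CAPTCHA exception, then the
    catch-all rule.  Conditions are ANDed by default, so the rule only
    fires when the client matches none of the listed addresses."""
    lines = ["Options +FollowSymlinks", "RewriteEngine On", "# Deny by IP"]
    for ip in allowed_ips:
        # re.escape turns "." into "\." so 123.123.123.123 is matched literally.
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^({re.escape(ip)})$")
    for pattern in public_files:
        lines.append(f"RewriteCond %{{REQUEST_FILENAME}} !{pattern}")
    lines.append("RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]")
    return "\n".join(lines)


def manager_request_is_rewritten(remote_addr, request_filename,
                                 allowed_ips, public_files=PUBLIC_FILES):
    """Simulate the rewrite decision for one request.  Returns True when
    the request would be sent to ../index.php (i.e. blocked from the
    manager), False when it is allowed through.  REMOTE_ADDR is the
    address Apache itself sees, not any X-Forwarded-For header."""
    for ip in allowed_ips:
        if re.search(rf"^({re.escape(ip)})$", remote_addr):
            return False  # a negated condition fails: approved client
    for pattern in public_files:
        if re.search(pattern, request_filename):
            return False  # CAPTCHA script stays reachable for everyone
    return True  # every condition held: rewrite away from the manager


if __name__ == "__main__":
    print(build_htaccess(ALLOWED_IPS))
```

The `^` and `$` anchors in each condition matter: without them, 123.123.123.1234 would also pass as an approved address.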