Hi all.
Figured this might be helpful to others. In attempting to lock down all our systems as much as possible, and in seeing many old exploits being attempted in our log files, I decided to only allow MODx /manager/ access to approved IPs. A simple "deny from all" worked, but it broke CAPTCHA on our eforms, since the veriword.php is in the /manager/includes/ path.
So... mod rewrite to the rescue. If anybody sees any issues with this code or the approach in general I’d love to know. We plan on extending/reworking this to tie into our system-wide port knocking, but that’ll be down the road.
# =====================================================
# Allow manager access to specific IPs only
Options +FollowSymlinks
RewriteEngine On
# Skip the rewrite (i.e. let the request through) only when the client
# address exactly matches an approved IP; add more with (a|b|c)
RewriteCond %{REMOTE_ADDR} !^(123\.123\.123\.123)$
# Always leave the CAPTCHA image generator reachable, since the eForm
# CAPTCHA loads /manager/includes/veriword.php for ordinary visitors
RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
# Anything else requested from a non-approved IP is sent to the site's
# front-end index.php ($1 is the path relative to /manager/)
RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
# =====================================================
Just replace the RewriteEngine Off line with this bit. It seems to work well in my testing so far, but if I’ve missed anything please let me know.
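As an added example that is not from the original post: the same allowlist expressed with Apache's access-control directives instead of mod_rewrite. The veriword.php exception becomes a <Files> section rather than a RewriteCond, and non-approved clients get a plain 403 instead of being bounced to the front page, which makes probing of /manager/ easier to pick out in the logs. It assumes Apache 2.4 (the Require syntax), the placeholder IP from the post, and that the file lives in /manager/.htaccess; the Apache 2.2 form is included in comments for older servers.

```apache
# /manager/.htaccess (added example; assumes Apache 2.4 and the post's placeholder IP)

# Block everything under /manager/ except the approved address(es).
# Add one "Require ip" line per approved address or CIDR range.
<RequireAny>
    Require ip 123.123.123.123
</RequireAny>

# Exception: the CAPTCHA image generator used by eForm lives in
# /manager/includes/veriword.php and must stay reachable for visitors.
# <Files> sections in .htaccess also apply to subdirectories, so this
# matches /manager/includes/veriword.php without a second .htaccess.
<Files "veriword.php">
    Require all granted
</Files>

# Equivalent for Apache 2.2 (mod_authz_host "Order" syntax), if "Require ip"
# is not available on the server:
#
# Order deny,allow
# Deny from all
# Allow from 123.123.123.123
# <Files "veriword.php">
#     Allow from all
# </Files>
```

One caveat that applies equally to the mod_rewrite version: both REMOTE_ADDR and Require ip check the address of the TCP peer. If the site sits behind a reverse proxy or CDN, that address is the proxy's, so the allowlist will either lock everyone out or admit anyone coming through the proxy; in that setup the real client address has to be restored first (mod_remoteip on 2.4) before either rule means what it appears to.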