I'm looking to allow a specific device (in this case one particular iPad) access to XAMPP on a computer on the same LAN. I don't want any other devices besides this one and the server itself to be able to access localhost or anything else though. I'm able to find ways to enable LAN access online but to my understanding this could allow anyone on the same network to access XAMPP if they have the server's IP.
If you are talking about the Apache server inside XAMPP, you can use this kind of solution: https://serverfault.com/questions/776252/allow-access-to-apache-server-from-only-one-ip-address
A similar solution can be found for the integrated Tomcat, MySQL, etc.
**If you are using Apache 2.4**, make sure that you LOAD the authz_core module,
DELETE:
```apache
Order allow,deny
Deny from all
Allow from my.ip.add.res
```
and, in place of the deleted directives,
INSERT:
```apache
Require ip xxx.xxx.xxx.xxx
```
**If you are using Apache 2.2**, make sure that you LOAD the authz_host module,
DELETE:
```apache
Order allow,deny
Deny from all
Allow from my.ip.add.res
```
and, in place of the deleted directives,
INSERT:
```apache
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
```
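As an added example (not part of the answer above), here is how the Apache 2.4 form fits into a XAMPP httpd.conf when the only permitted clients are the server itself and one LAN device, which is what the question asks for. It assumes XAMPP's default document root `C:/xampp/htdocs` and uses 192.168.1.50 as a placeholder for the iPad's address; mod_authz_core and mod_authz_host must be loaded.

```apache
# Added example, not from the original answer.
# Assumes the XAMPP default DocumentRoot and that the iPad has a fixed LAN
# address (192.168.1.50 is a placeholder). Keep your existing Options and
# AllowOverride lines; only the authorization part is shown. Note that
# httpd.conf does not allow comments at the end of a directive line.
<Directory "C:/xampp/htdocs">
    # With Require, the default is deny: only the sources listed inside
    # RequireAny are granted, every other LAN host gets 403 Forbidden.
    <RequireAny>
        # The server itself: 127.0.0.1, ::1 and its own interface addresses
        Require local
        # The single permitted device
        Require ip 192.168.1.50
    </RequireAny>
</Directory>
```

Any other `<Directory>` or `<Location>` block XAMPP ships with `Require all granted` (for example the phpMyAdmin alias in httpd-xampp.conf) needs the same treatment, and the iPad's address should be reserved in the router's DHCP so the rule keeps matching.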
It is slightly off-topic from what's being requested, but requesting credentials is a simple, effective way to restrict access without worrying about IP addresses or MAC addresses.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
e.g. https://stackoverflow.com/a/44560458/3196753
This may not fulfill certain security requirements (e.g. HIPAA, PCI) but for simply keeping unauthorized people out, it is tremendously simple and effective.
Related
I would like to be able to whitelist certain IPs in my NGINX config file and deny everything else. This way I can be certain that only the IPs I allow can access my website.
I've already done this and it's working. In the /etc/nginx/sites-available/default file, I've added the following:
```nginx
server {
    allow ip address; # comment
    allow ip address; # comment
    deny all;
}
```
The problem we have is that we receive Shopify webhook notifications on certain URLs of our web app, and Shopify uses various IP addresses for this: 614 found so far and still counting. Whitelisting this many IP addresses without any certainty that there will be no more does not look like a solution. But if we can keep open the couple of URLs that Shopify sends notifications to in our web app, that will solve our problem. That way we don't have to worry about whitelisting the IPs Shopify uses to send webhook notifications.
So what I am looking for is to keep these couple of URLs open to any IP. Everything else, except for the IPs we whitelist and the URLs we choose to keep open, will be blocked.
If this is not possible and there is an alternative solution to this problem, please advise. Thank you.
When restricting access to the WordPress admin via IP, is it necessary to include /wp-login.php and /wp-admin?
Yes; then only people from that IP will be able to access either of them. Please note that restrictions on wp-admin will create havoc with any calls to admin-ajax.php. This can be resolved by whitelisting 127.0.0.1.
We have a website deployed on AWS EC2 running on Ubuntu, Apache and MySQL. We have been getting continuous requests from the IPs 195.154.105.219 and 88.150.242.243, requesting the xmlrpc.php file using the POST method. As a result our website has become really slow and our clients' work has been affected. As of now we have blocked these IPs by dropping them in iptables. We would like to know how to safeguard our site from any future attacks like this.
The question is very general, and depending on your application's requirements, your budget and other factors, there are several techniques you can use, separately or together, to mitigate DDoS and spam attacks.
- Use Auto Scaling and an Elastic Load Balancer to let AWS scale your infrastructure depending on traffic: http://aws.amazon.com/autoscaling/
- Use S3 to serve static content. S3 is designed to scale automatically with incoming traffic, and all content served directly by S3 offloads your EC2-based web server: http://aws.amazon.com/s3/
- Use CloudFront to distribute and serve your content from AWS' edge locations. This mitigates DDoS by distributing attackers' requests across the network of edge locations instead of sending the traffic to your web server: http://aws.amazon.com/cloudfront/
All three of these options have a cost associated; be sure to understand the pricing structure before deciding to implement any of them.
If you have a relatively short and stable list of IP addresses you want to block, you can customise either your EC2 instance's Security Group (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) or your VPC subnet ACL (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html) to deny traffic from these IP addresses. This approach is not very scalable and, most of the time, you will play a cat-and-mouse game trying to catch up with whatever new addresses your attackers use.
Last but not least, using plain old Apache configuration to block certain URLs or restrict access to them by IP address is very effective too (http://httpd.apache.org/docs/current/en/mod/mod_authz_core.html#require and the `<Files>` directive).
Last but not least, I would encourage everyone to watch this re:Invent talk about DDoS resiliency for AWS: https://www.youtube.com/watch?v=V7vTPlV8P3U
Seb
xmlrpc.php is from WordPress. Install the Disable xmlrpc pingback plugin, or better yet, deny the xmlrpc.php file in the WordPress site's .htaccess ;). That will fix it. Also check wp-admin/scripts for any weird script, or just run `find /var/www/ -type f -mtime -10` to find the most recently modified files and check for any weird PHP script.
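Pulling together the two WordPress answers above (restricting wp-login.php and wp-admin to one IP while keeping admin-ajax.php reachable, and denying xmlrpc.php), here is an added Apache 2.4 example that is not from either answer. It assumes the site lives in /var/www/html and that 203.0.113.10 is a placeholder for the administrator's address; exempting admin-ajax.php by file is an addition to the 127.0.0.1 whitelist the earlier answer mentions.

```apache
# Added example, not from the original answers. Apache 2.4 vhost or httpd.conf
# fragment for a WordPress install in /var/www/html (assumed path);
# 203.0.113.10 is a placeholder for the administrator's address.

# Deny xmlrpc.php outright: it is the file the POST flood in the question hit.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Login page: only the administrator's IP and the server itself.
<Files "wp-login.php">
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 127.0.0.1
    </RequireAny>
</Files>

# Dashboard: the same rule, applied to the whole directory...
<Directory "/var/www/html/wp-admin">
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 127.0.0.1
    </RequireAny>
    # ...except admin-ajax.php, which front-end pages call for every visitor.
    # A Files section's own Require replaces the Directory rule because
    # AuthMerging is Off by default, so visitors keep working AJAX.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>
```

The two top-level `<Files>` sections also work in the site root .htaccess (with AllowOverride AuthConfig or All); the `<Directory>` wrapper cannot go in .htaccess, but its contents work unchanged in wp-admin/.htaccess.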
I am making a WordPress theme that should be served to mobile users. So far I have been testing it in Chrome using User agent spoofing. Now I would like to try and access it from a real mobile device.
On my PC I access the site using a virtual host that points to a folder on my computer. How do I do this from my phone, where I can't edit the hosts file?
I found this tutorial.
Regarding my httpd.conf file, I changed
```apache
Listen 80
```
to
```apache
Listen 192.168.xxx.xxx:8081
```
I also added to `<Directory "cgi-bin">`:
```apache
Allow from all
```
The third thing I did was to open up port 8081.
Now, what I don't know is how to access my WordPress site from my phone, because when I type 192.168.xxx.xxx:8081 into the browser, I get Forbidden.
You can leave `Listen 80` as is. Just find out the IP of your machine and type that into your phone: http://192.168.xxx.xxx
Make sure your local machine's firewalls are configured properly to accept these connections.
If you have multiple virtual hosts, you can either make sure the site you are looking to test is listed first, or you may also be able to set DNS entries in your router/gateway if you are lucky.
I am currently building a web app which also utilizes websockets (Rails for the web server and Node.js for socket.io).
I have structured my application to use subdomains to separate between connection to the Nodejs server and the Rails webserver. I have "socket.mysite.com" redirected to the Node server and everything else to the webserver.
I am able to test this functionality on localhost. I simply modified my /etc/hosts to include the following:
```
127.0.0.1 socket.mysite.com
127.0.0.1 mysite.com
```
I know that on production I simply have to generate a CNAME record for socket.mysite.com and this will also work on my users' computers.
However, I am accustomed to testing my application by passing an IP address around. My team typically sets up the server on our own machines and does development there. When we want to test our individual servers, we just pass around an IP like "http://123.45.123.45".
With the new subdomain hack, this is no longer possible without modifying each of my tester's /etc/hosts. I honestly don't expect my testers to modify their /etc/hosts on the spot. What I can do is have each member of my team have their own domain and create the appropriate CNAME records for each individual team member.
Is there an easier way to allow me to run my app on an IP and just pass that IP around?
It sounds like your needs have scaled beyond the days of simply editing a hosts file. While you could continue to have everyone on your team edit hosts files, there are two main risks that I see here:
- For your idea to just use IP addresses, you risk missing something in testing that you wouldn't see unless you were on production, as the issue may depend on something in the domain configuration.
- For using hosts entries, you introduce a lot of complexity and unnecessary changes to each developer's and tester's configuration, which of course leaves the door open for mistakes, and it also takes time that will add up over the long term.
Setting up a DNS server may be helpful in your case. You could map a set of domains for each developer that match a certain pattern so that your application will still run correctly. This would allow you to share the URLs without having to constantly reconfigure each person's computer. Additionally, marketing and sales stakeholders can easily view product demos as well, without needing to learn what the elusive hosts file is for.
If you have an IT department, they can help you set up the DNS. However, if you are a small team without a real IT department, some users have found success using DNS systems designed for home or small office networks.