  • Status: Solved

Domain or Password access

What would I need to do to set up a page that can be accessed by anyone from a certain set of IP addresses without a password, but if coming from an IP outside of this group would require a password to be entered? I am giving 100 points for this because I need a detailed answer. I have not done any CGI programming, but do have a programming background in C, Pascal, and Cobol, and have also done some basic HTML coding, just to give ya an idea of how detailed ya have to be.
0
chrissimpson
Asked:
1 Solution
 
WileyKat Commented:
A CGI for this would have to:

Check the environment variable REMOTE_ADDR (getenv("REMOTE_ADDR"); in C, $ENV{'REMOTE_ADDR'} in Perl).
See if that IP is in its approved list.
If so, just directly output the page needed.
If not, ask for password and verify it.

More detailed:

The environment variable REMOTE_ADDR holds the IP of the browser accessing the CGI.
Checking if the IP is in the approved list requires having the list in a file, reading the file, and checking the IP against all the entries in the file.
Asking for the password involves outputting a forms HTML page with a submit button that leads back to the CGI, which then verifies the password.

I can write this script for you if you want, or just give you a more code-like explanation. Let me know.
0
 
chrissimpson (Author) Commented:
if ya could write the script it would be appreciated, I will add points if you do.
0
 

 
WileyKat Commented:
I'll get it to you ASAP.
0
 
mouatts Commented:
The proper way to restrict access to certain IP addresses is via the server. All servers have configuration items that allow you to do this.

This is a much safer way of doing things as if you are running a CGI then people have already accessed your site and not just your server.

In addition some servers cannot have a CGI as the default page and therefore you need to direct them on the CGI with an HTML page. In addition your site is still not safe as any other pages or CGIs will still be accessible unless you undertake a further check. (IE no HTML pages at all)

Let me know which server you are using and I may be able to help further.

Steve
0
 
chrissimpson (Author) Commented:
The server is running Linux RH5.0, I don't want to restrict any IP address, but if it is certain ones I want them to be granted access without having to enter a password. If outside this group of allowed IPs I want it to prompt the user with a request for a password. This will not be my home page, but a page linked to by the home page.
0
 
WileyKat Commented:
Steve: read the question more carefully. He does not want to restrict certain IPs, he wants to allow certain IPs. Furthermore, he does not want to completely deny all but the allowed IPs, just require a password from them. I know of no server that does this automatically, and a CGI makes modifying the allowed IP list much simpler.
0
 
mouatts Commented:
A combination of IP/Domain based security and Basic/Digest security may work depending on the Web Server.

With the Oracle Web Server one would set up those that are not required to have a password as permissible IP addresses with an entry like 195.10.* (ie all those with subnet of 195.10 allowed) and then set up username and passwords for those who must log in. Then within the protection setting you would specify that you want to use ip OR basic security.

This way the user is only prompted if they are not from the correct IP address. I haven't looked but I think Netscape and Apache work the same way. IIS 3 doesn't and I'm not sure about IIS 4.

As no programming is required I would suggest that this is the simplest approach!


0
 
WileyKat Commented:
Again, I state that using a CGI makes it simpler to modify the allowed IPs list. And who said that chrissimpson has access to the settings of the server he is running on? Without that access, the entire point is moot and a CGI is the only way.
0
 
chrissimpson (Author) Commented:
I do have admin access to the server, WileyKat, I still want to know how to do this with a CGI script but would also like to know how to do this the way mouatts described, ie. restrict ips at server level but allow them if they can log in. I am using RH Linux v.5.0 and apache web server, not sure which version but if it is important I can check it out. What are they logging into in this case, the server itself? or is there a way to put a password on the Apache Web server? I guess I am a little confused. Mouatts if you can or I guess anyone else who could leave a comment stating it and I will post the question for points.
0
 
WileyKat Commented:
I'll post the CGI script as an answer to this question sometime this week and you can ask the server stuff as another question. That way we all learn both methods :-)
0
 
mouatts Commented:
I'm no expert when it comes to configuring Apache but looking through the manual that I have does seem to imply that both basic and digest security is supported.

Essentially you need to set up a .htaccess file for each directory that you want to protect.

This file will need to contain something along the following lines

AuthType Digest
AuthName somedomain
AuthUserFile /web/users_ips
AuthGroupFile /web/groups
AuthType Basic
AuthName somedomain
AuthUserFile /web/users_pw
AuthGroupFile /web/groups

Some domain is just the realm name so that when a password pops up it will say 'enter username password for _somedomain_'

users_ips is a file that contains the valid IP addresses and users_pw contains the usernames/passwords for the other users.

I suggest that you check out the manual on these directives for fuller information.

Steve
0
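The "IP or password" policy discussed in this thread, as an added example that is not part of any participant's post: in Apache, address-based access is expressed with Allow/Deny rules rather than a user file, and Satisfy any combines those rules with Basic authentication. The network 195.10, the realm somedomain and the file /web/users_pw are reused from the posts above as sample values.

```apache
# Added example for Apache 2.2 and earlier (including the 1.x series).
# Place in the protected directory's .htaccess or in a <Directory> block.
# For .htaccess use, the server config must permit these directives:
#   AllowOverride AuthConfig Limit

# Address rule: only clients in the listed network pass this check.
Order deny,allow
Deny from all
Allow from 195.10

# Password rule: any user listed in the password file passes this check.
# Create the file with: htpasswd -c /web/users_pw <username>
# Keep the password file outside the document root so it cannot be fetched.
AuthType Basic
AuthName "somedomain"
AuthUserFile /web/users_pw
Require valid-user

# "any" means address rule OR password rule is enough.
# The default, "all", would require both to succeed.
Satisfy any

# Basic authentication sends the password with every request in an
# easily decoded form, so serve this directory over TLS.
# The address rule sees the TCP peer address: clients arriving through a
# proxy or NAT gateway all appear as that gateway's address.
```

On Apache 2.4 the same policy is written as `Require ip 195.10` and `Require valid-user` inside a `<RequireAny>` block, replacing the Order/Deny/Allow and Satisfy lines.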
 
WileyKat Commented:
Well, here's the script:

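#!/usr/bin/perl
$grantedpage = "http://www.apple.com/ops.html";      # change this to the access granted page
$pwdchkpage = "http://www.apple.com/login.html"; # change this to the pwdchk page
$deniedpage = "http://www.apple.com/noaccess.html"; # change this to the access denied page
$approvedlistfile = "/path/to/approved_ips.txt"; # placeholder path: approved IPs, one per line
$pwdfile = "/path/to/passwords.txt"; # placeholder path: one login:::password entry per line

%udata = &User_Data;
&No_SSI(*udata);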

if ($udata{'action'} eq "openpage") {
      $approved = &Check_IP;
      if ($approved eq 1) {
            &Output_Redirect;
      } else {
            &Output_Password_Check;
      }
} elsif ($udata{'action'} eq "verpwd") {
      $approved = &Check_Pwd;
      if ($approved eq 1) {
            &Output_Redirect;
      } else {
            &Output_Denied;
      }
}

sub User_Data {
      local (%udata, $ustring, $nvp, @nvps, $name, $value);
      
      if($ENV{'REQUEST_METHOD'} eq "POST") {
            read(STDIN, $ustring, $ENV{'CONTENT_LENGTH'});
      } else {
            $ustring = $ENV{'QUERY_STRING'};
      }
      
      $ustring =~ s/\+/ /g;
      @nvps = split(/&/, $ustring);
      foreach $nvp (@nvps) {
            ($name, $value) = split(/=/, $nvp);
            $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/ge;
            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/ge;
            if (defined($udata{$name})) {
                  $udata{$name} .= " : " . $value;
            } else {
                  $udata{$name} = $value;
            }
      }
      return %udata;
}

sub No_SSI {
      local (*data) = @_;
      
      foreach $key (sort keys(%data)) {
            $data{$key} =~ s/<!--(.|\n)*-->//g;
      }
}

sub Output_Redirect {
      print "Status: 302 Found\n";            # CGI status header; the server builds the HTTP status line
      print "Location: " . $grantedpage . "\n\n";
}

sub Output_Password_Check {
      print "Status: 302 Found\n";
      print "Location: " . $pwdchkpage . "\n\n";
}

sub Check_IP {
      open(APPLIST, "<" . $approvedlistfile) || return 0;   # list unreadable: nobody is pre-approved
      @appips = <APPLIST>;
      close(APPLIST);
      chomp(@appips);                                       # strip newlines so eq can match
      $approved = 0;
      foreach $ip (@appips) {
            if ($ENV{'REMOTE_ADDR'} eq $ip) {
                  $approved = 1;
                  last;
            }
      }
      return $approved;
}

sub Check_Pwd {
      open(PWDS, "<" . $pwdfile) || return 0;               # password file unreadable: deny
      @pwds = <PWDS>;
      close(PWDS);
      chomp(@pwds);                                         # strip newlines so passwords can match
      foreach $lp (@pwds) {
            ($login, $pwd) = split(/:::/, $lp);
            $lps{$login} = $pwd;                  # Crypting code for the passwords could go here.
      }
      if (!defined($lps{$udata{'login'}})) {      # unknown login
            $approved = 0;
      } else {
            if ($udata{'pwd'} ne $lps{$udata{'login'}}) { # another good place for crypting
                  $approved = 0;
            } else {
                  $approved = 1;
            }
      }
      return $approved;
}

sub Output_Denied {
      print "Status: 302 Found\n";
      print "Location: " . $deniedpage . "\n\n";
}

and that's the whole thing. Catch ya later!
0
 
chrissimpson (Author) Commented:
Thanks WileyKat, appreciate the time you put in. Chris
0
 
WileyKat Commented:
No problem, and you're welcome.
0
