ColdFusion Talk (CF-Talk)
restricting access by IP address
Spectrum WebDesign  06/08/04 08:59 AM

Hi all,

how to restrict access for my apps based on IP Address? How to restrict access for only IP addresses like: 192.168.200.3, 192.168.200.7, 192.168.200.11? Is it possible? How? Application.cfm?

Thanx for your time.


Mark Drew  06/08/04 09:09 AM

Hi there,

this is usually carried out with the webserver rather than Application.cfm, as if you needed to change it you would have to recode it. Having said that, you could add something at the top of Application.cfm along the lines of

    <cfset lAuthIps = "192.168.200.3,192.168.200.7,192.168.200.11">
    <cfif ListFind(lAuthIps, CGI.REMOTE_ADDR) EQ 0>
        You are not allowed here
        <cfabort>
    </cfif>

Hope that helps


CFDEV  06/08/04 09:15 AM

> this is usually carried out with the webserver rather than Application.cfm

Is that easy to go by? Is it secure to do that, or would it be easy to find a work around?

Pat


techmike  06/08/04 09:17 AM

You could use something like

    <cfif #CGI.REMOTE_ADDR# is "196.168.0.3">
        whatever
    </cfif>

Not exactly sure how secure that would be.. I'm still learning here.. :)


Tony Weeg  06/08/04 09:20 AM

> You could use something like <cfif #CGI.REMOTE_ADDR# is "196.168.0.3"> whatever </cfif>

You sure could. There are myriad ways to accomplish it, prolly a few less ways to get around it or spoof it, but it would be a fairly good first layer of sec. Is this to protect an intranet or something?

tw


Mark Drew  06/08/04 09:28 AM

> Is that easy to go by? Is it secure to do that, or would it be easy to find a work around?

IP Spoofing is easy, I would also add a secure login. Depends on how much effort is required and how sensitive the data is. You REALLY could go to town, I hear there are some nice fingerprint reading tools out there too! Up to you, usually secure enough for most applications.

Hope that helps!


Philip Arnold  06/08/04 09:22 AM

> From: Spectrum WebDesign
>
> how to restrict access for my apps based on IP Address? How
> to restrict access for only IP address like: 192.168.200.3,
> 192.168.200.7, 192.168.200.11? It's possible? How?
> Application.cfm?

In Application.cfm you could list all of the relevant IP addresses, then if the current address isn't there, display a "not authorized" and <CFABORT>


John Wilker  06/08/04 09:25 AM

My approach was the opposite, but the implementation would work. I needed to ban IPs from my blog.

    <cfquery datasource="#ATTRIBUTES.datasource#" name="qCheckForBannedIPs">
        SELECT IP
        FROM BANNEDLIST
        <!--- bound parameter: CGI.REMOTE_ADDR is request-supplied, so it is never interpolated into the SQL --->
        WHERE IP = <cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <CFIF qCheckForBannedIPs.Recordcount GT 0>
        <CFSET VARIABLES.Banned = 1>
    <CFELSE>
        <CFSET VARIABLES.Banned = 0>
    </CFIF>


techmike  06/08/04 09:34 AM

What webserver is this? IIS? If you have access to the IIS snap-in it is very easy to set up IP address restrictions. You can even set up an entire subnet. That would likely be the safest route if security is an issue.

-Mike


Dave Watts  06/08/04 10:30 AM

> IP Spoofing is easy, I would also add a secure login

While I'd recommend a secure login as well, I would take issue with your statement that "IP spoofing is easy". It is not easy, to the best of my knowledge, to send a message to a web server that says you're using one IP address and have it respond to your actual IP address, which would be necessary to circumvent IP address restrictions within your application or within the web server.

http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444


Tom Kitta  06/08/04 10:47 AM

It is rather hard to spoof an IP address, while it is relatively easy to spoof the domain name you are coming from. This is why you can take out spammers based on the IP addresses they are using to spam you, but not the domain names they are using (they use whatever they like all the time).

TK


Samuel Neff  06/08/04 11:47 AM

> I would take issue with your statement that "IP spoofing is easy".

IP Spoofing is easy. I've tested it and spoofed IPs using just CFML as the spoofing client. You can send a request to a server from your IP, and your IP goes into the TCP/IP packet, but you can send a different IP in the HTTP request as a CGI variable. None of IIS, iPlanet, or JWS test whether the TCP/IP-supplied address is the same as the HTTP CGI address.

http://www.rewindlife.com/archives/000159.cfm

The link you provided talks about router-level (TCP/IP) address spoofing, but it's sufficient to just provide a CGI variable in the HTTP packet to spoof the IP address. IP-based security at the web server/web app level is not safe (router level is much safer).

Best regards,

Sam
----------------------------------------------
Blog: http://www.rewindlife.com
Chart: http://www.blinex.com/products/charting
----------------------------------------------


Dave Watts  06/08/04 01:11 PM

> IP Spoofing is easy. I've tested it and spoofed IPs using just CFML as the spoofing client.

With IIS 6, at least, if you specify an IP address restriction within the IIS management console, IIS will reject requests for CF pages and static files unless they come from that IP address, whether the request has a CGI variable with the allowed address or not. I hadn't really thought about how CF deals with those CGI variables, though, and you're certainly right about that. Out of curiosity, do you know whether that's been submitted as a bug to Macromedia?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444


Samuel Neff  06/08/04 02:24 PM

> Out of curiosity, do you know whether that's been submitted as a bug to Macromedia?

I talked to MM's security people before I blogged this in April. They said it's not a bug because CF just gets whatever CGI variables are passed from the web server, so if the web server isn't passing the right variables it's the web server's bug. Can't really argue with that. A technote would be nice though.. I'll bring it up again with that dept instead of with the security dept. They did acknowledge that they could fix the bug in JWS but didn't file a bug report since it's not intended for production use anyways.

I never tested with IIS6, only IIS5, and only how CF reacts to the CGI variable, not how IIS itself reacts (the discussion on this thread has been mostly around using CF to restrict pages via CGI variables). I probably should have been clearer.

Best regards,

Sam
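An added example, not code from the thread or from any of its posters: a Python version of the allow-list check that makes Samuel Neff's point concrete. It assumes the web server fills REMOTE_ADDR from the TCP peer (as Dave Watts describes for IIS 6), treats any client-writable header such as X-Forwarded-For as untrusted unless the peer is a reverse proxy we configured, and goes beyond the thread's host list by accepting CIDR ranges, the kind of subnet rule the IIS snap-in supports. The allow-list, the proxy address and the two sample requests are constructed.

```python
import ipaddress

# Constructed allow-list (not from the thread): the original poster's three hosts
# plus one CIDR range, the kind of subnet rule the IIS snap-in supports.
ALLOWED = ["192.168.200.3", "192.168.200.7", "192.168.200.11", "10.20.30.0/24"]
# Hypothetical reverse proxy: the only peer whose X-Forwarded-For header is believed.
TRUSTED_PROXIES = ["10.0.0.5"]

def parse_networks(entries):
    """Turn a ListFind-style list of hosts/CIDRs into ip_network objects (host -> /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def naive_client_ip(environ):
    """The weak pattern: a header the client can write is preferred over the peer address."""
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", environ["REMOTE_ADDR"])
    return forwarded.split(",")[0].strip()

def naive_is_allowed(environ, allowed=ALLOWED):
    return in_any(ipaddress.ip_address(naive_client_ip(environ)), parse_networks(allowed))

def effective_client_ip(environ, trusted_proxies):
    """Hardened: start from REMOTE_ADDR (assumed to come from the TCP peer). Only if that
    peer is a trusted proxy, walk X-Forwarded-For from the right to the first non-proxy hop."""
    trusted = parse_networks(trusted_proxies)
    addr = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not in_any(addr, trusted):
        return addr  # direct connection: the header is attacker-controlled, ignore it
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: fall back to the last trustworthy address seen
        if not in_any(hop_addr, trusted):
            return hop_addr
        addr = hop_addr
    return addr

def is_allowed(environ, allowed=ALLOWED, trusted_proxies=TRUSTED_PROXIES):
    """Allow-list decision for one request, the equivalent of the ListFind check in the thread."""
    return in_any(effective_client_ip(environ, trusted_proxies), parse_networks(allowed))

# Constructed requests: a direct client at 203.0.113.9 claiming an allowed address in
# the header, and a legitimate host reaching the server through the trusted proxy.
FORGED = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "192.168.200.3"}
PROXIED = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "192.168.200.7"}
```

The naive check admits the FORGED request because it believes the header; the hardened check refuses it and still admits the PROXIED one, because the only hop it trusts is our own proxy.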