
plugin:abortlogin:ipv6


Installation

URL: https://github.com/turnermm/abortlogin/archive/ipv62.zip

Install using the manual tab of the Extension Manager or manually from the command line. Refer to Plugins.

This plugin supports both IPv6 and IPv4.

Usage

This plugin works entirely through settings in the Configuration Manager. You enter a list of IP addresses which are allowed to log in to the wiki. All other IP addresses are blocked from logging in. It is useful only in a restricted environment or where there are relatively few users who are allowed login privileges. A restricted environment would, for instance, be a LAN or an office which has its own domain.

Caution

Ideally, the admin should have access to the server with permission to make changes to local.php, where blocked IPs can be removed if needed, so that the admin is not locked out. But see Initializing for more information about this topic.

Please report back if there are problems, either to the forum or to the abortlogin issues on GitHub.

Configuration and Settings

| Option | Description | Default |
|---|---|---|
| allowed | Comma separated list of allowed IP addresses | |
| test | Comma separated list of IP addresses to test; testing limited to admins only | |
| log | Keep a log of failed login attempts | false |
| enable_test | Enable IP testing. When checked, the test IPs and incoming login attempts are tested against the allowed list and their status reported, but login attempts are not blocked | false |

  • allowed: Any IP address included in this list will be allowed access to the login form. If an IP address is not included in this list, access will be denied and a 403 error message will be displayed instead of the login form.
  • test: IP addresses included in this list will be tested against the allowed list. The results of these tests will be printed to the screen as DokuWiki notifications when an administrator is logged in and enable_test has been set to true. To remove these notifications, the list must be removed or enable_test must be reset to false.
  • log: If set to true, a log of all rejected IP addresses will be kept in data/meta/abortlogin/aborted_ip.log. If you choose to log failed login attempts, it's good practice to delete the log periodically, since thousands of IP addresses can potentially be logged.
  • enable_test: This has two functions:
    1. Unless this is set to false, the test notifications will be printed to the browser whenever an administrator is logged in and with every change of page.
    2. This setting is important when initializing the allowed list. When checked (true), the test IPs and most incoming login attempts are tested against the allowed list and their status reported. When not checked, login attempts are not blocked. It defaults to false; as a practical matter, this gives the admin a chance to set up an initial allowed list without being blocked.

In the case of IPv4 addresses, allowed IP addresses need not be complete addresses. For instance, if on your internal LAN you have multiple users with IPs beginning with 192.168.1, you can include 192.168.1. in your allowed list. In the case of IPv6 addresses, you can include an address in CIDR notation for your local network, for instance fe80::19c9:eb59:c1c7:fbcc/64. All IPs on your LAN will then be able to log in.

IPv4 addresses
Please note the period after the 1. If the address is on the open Internet, without it, IPs with numbers matching 192.168.<n>.<n> could be allowed login privileges.
IPv6 addresses
Using CIDR notation should give you the same protection as noted above for IPv4.
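
The difference the trailing period makes, and the reach of the IPv6 CIDR entry, can be checked before saving an allowed list. The following is an added example, not the plugin's code and not part of the original page: it assumes that IPv4 entries are matched as string prefixes and IPv6 entries as CIDR ranges, as described above, and the function names and sample addresses are made up for illustration.

```python
import ipaddress

def _entries(allowed):
    """Split the comma separated 'allowed' setting into trimmed entries."""
    return [e.strip() for e in allowed.split(",") if e.strip()]

def is_allowed(client_ip, allowed):
    """Assumed matching model, taken from the page's description:
    IPv4 entries are string prefixes, IPv6 entries are CIDR ranges."""
    addr = ipaddress.ip_address(client_ip)
    for entry in _entries(allowed):
        if "/" in entry:
            # strict=False accepts a host address plus mask, as on the page
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == addr.version and addr in net:
                return True
        elif addr.version == 4:
            if client_ip.startswith(entry):
                return True
        else:
            try:
                if ipaddress.ip_address(entry) == addr:
                    return True
            except ValueError:
                pass  # an IPv4 prefix such as "192.168.1." is not an address
    return False

def loose_ipv4_prefixes(allowed):
    """Partial IPv4 entries lacking the trailing period the page calls for."""
    return [e for e in _entries(allowed)
            if ":" not in e and "/" not in e
            and e.count(".") < 3 and not e.endswith(".")]

if __name__ == "__main__":
    # Constructed sample settings and client addresses
    loose = "192.168.1, fe80::19c9:eb59:c1c7:fbcc/64"
    tight = "192.168.1., fe80::19c9:eb59:c1c7:fbcc/64"
    for ip in ("192.168.1.25", "192.168.100.7",
               "fe80::a1b2:c3d4:e5f6:1", "fe80:0:0:1::5"):
        print(f"{ip:26} loose={is_allowed(ip, loose)} "
              f"tight={is_allowed(ip, tight)}")
    print("entries to fix:", loose_ipv4_prefixes(loose))
```

Under this model, 192.168.100.7 passes the list that contains 192.168.1 and is rejected by the list that contains 192.168.1. with the period.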

Be sure to test your own IP against the allowed list before logging out the first time, as described under Initializing, so that you don't accidentally lock yourself out.

Initializing

Abortlogin provides a technique for initializing and testing the administrator's IP address. The following three conditions must be met:

  1. the administrator's IP must appear in the allowed list
  2. the test list must be left empty
  3. enable_test must be set to true

When the administrator logs in, a notification will be printed to the screen indicating whether or not the IP entered for the administrator is correct. The administrator will not be locked out if the administrator's IP, as set in the allowed list, is incorrect.

!! Important !!
After the admin's IP has been correctly set, enable_test must be turned off and turned on only when some test IPs have been placed in the test list. Otherwise, anyone coming to the wiki will have access to the login screen. After the initialization, this feature does not have to be turned back on to test IPs. You can do that using the ip validation plugin which is bundled with abortlogin.

Abortlogin IP Validation Plugin

Abortlogin comes with an administration plugin which you can access from the Additional Plugins section of the Administration page. Once you have done your initialization, you can use the “Abortlogin IP Validation” plugin for all of your testing. You must still, however, place all of your approved IPs in the allowed IPs of the Configuration Manager.

plugin/abortlogin/ipv6.txt · Last modified: 2020-07-04 15:39 by turnermm

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International