The Whitelist management page
This page allows you to manage the IP Whitelist, defining the list of IPs or IP blocks which have access to your site's administrator area.
The Edit/Add page looks like this:
The Whitelist editor page
Tip | |
---|---|
You current IP address is displayed right above the edit box. Make sure that is the first to include so that you do not lock yourself out of your site's administrator area! |
In the IP Address Range box you can enter an IP or IP range in one of the following ways:
A single IP, e.g. 192.168.1.1
A human readable block of IPs, e.g. 192.168.1.1-192.168.1.10
An implied IP range, e.g. 192.168.1. for all IPs between 192.168.1.1 and 192.168.1.255, or 192.168. for all IPs between 192.168.0.1 through 192.168.255.255.
A CIDR block, e.g. 192.168.1.1/8. If you don't know what this is, forget about it as you don't need it.
A Subnet Mask notation, e.g. 192.168.1.1/255.255.255.0
A dynamic IPv4 domain name prefixed by the at-sign. This
only applies if you are using a dynamic IP address domain provider
(e.g. DynDNS). For example, if you are using DynDNS and your
dynamic IP address domain name is example.dyndns.info and resolves
to an IPv4 address you can enter
@example.dyndns.info
to whitelist your dynamic
IPv4 address. Be careful to enter the correct domain name or you
may have a delay of up to 30" processing backend login requests
and security exceptions. Please note that using the at-sign method
ONLY works with IPv4 addresses. This is a limitation of PHP
itself.
A dynamic IPv6 domain name prefixed by the hash-sign. This
only applies if you are using a dynamic IP address domain provider
(e.g. DynDNS). For example, if you are using DynDNS and your
dynamic IP address domain name is example.dyndns.info and resolves
to an IPv6 address you can enter
#example.dyndns.info
to whitelist your dynamic
IPv6 address. Be careful to enter the correct domain name or you
may have a delay of up to 30" processing backend login requests
and security exceptions. Please note that using the hash-sign
method ONLY works with IPv6 addresses. This is a limitation of PHP
itself.
Do note that Admin Tools supports IPv4 and IPv6 (if your server supports IPv6) for any form of IP you enter yourself (single IP, human readable block, implied IP range, CIDR block and subnet mask notation).
Please pay attention to the differences between the at-sign and hash-sign notations' meanings. @something is IPv4 (e.g. 192.168.1.4) whereas #something is IPv6 (e.g. ffff::5678:90ab). Do not use the at-sign for domains resolving to an IPv6 address or the hash-sign for domains resolving to an IPv4 address. Mixing this up can lead to long delays in page loads and / or being unable to access your site. Please keep in mind that the two different methods are required due to the way PHP works. They cannot be merged into a single method because that would considerably slow down every page load of your site.
Ideally, you should only use this feature if the IP address you are using to connect to the Internet never, ever changes. This is called a "static IP address" and it's usually an optional, extra cost, feature with most Internet service providers. Please note that having a dynamic DNS service, such as those provided by Dyn.com, is the exact opposite from having a static IP address: dynamic DNS services frequently update a domain name to point to your ever changing IP address.
While Admin Tools makes it possible to use a dynamic DNS for IP whitelisting it may be problematic for two reasons. First, it's terrible for performance as a DNS resolution must be done for every page load of your site where the IP whitelist must be read. This is any attempt to login as a user with administrative / editing privileges and every time there is a security exception raised. If your server does not cache IP resolution locally this can slow your site down considerably.
Furthermore, all dynamic IP providers have a default timeout for the dynamic DNS entries varying from 1 minute to 1 hour. If your IP changes within that period your server might be "blind" to the change. The same thing can happen if your dynamic IP updater (typically running in your router or NAS firmware) fails to update the dynamic DNS provider with your new IP address. At best this will be an inconvenience because you cannot access your site's administration until your dynamic DNS provider is updater and your server "sees" the new IP address for that DNS entry. At worst, this can be initiated by a targeted attack to lock you out of your site while the attacker exploits a different path to gain access to your site, leaving you helpless.
Finally, bear in mind that you should never use this feature if you expect to need to log into your site as a user with editing / administrative privileges from an Internet connection with an unpredictable IP such as a public WiFi hotspot, a satellite Internet connection (e.g. those used in ships, airplanes and remote research stations) or a mobile broadband connection (including mobile-network-assisted Internet routers, even if your ISP is assigning a static IP address to your main, wired, Internet connection). DO NOT, EVER, WHITELIST THE IP ADDRESS OF A PUBLIC, SHARED CONNECTION! YOU WILL GET HACKED!
For the observant reader, we listed mobile broadband connections together with shared connections. This is not an oversight. Mobile Internet connections tend to recycle IP addresses far faster than their fixed (landline, fiber, cable, ...) counterparts. This is largely because of the ephemeral nature of the connection and the frequent hopping between areas of coverage and areas of non-coverage. Because of the fast rate of IP address recycling, using them for whitelisting ranges from very impractical to potentially dangerous (e.g. if an advanced attacker uses a malicious femptocell to launch a man-in-the-middle attack).