Aramaech Posted December 29, 2020 Share Posted December 29, 2020 (edited) Hi all, I have my live dev build running on a subdomain. I just noticed this morning there are 12 guests browsing the dev build. I'm wondering what is the recommended way to prevent other people from accessing it is. I have the Guests' group setting "can access site" turned to off, along with all groups other than admins. I have the site set to offline. Somehow they're still browsing, as shown in the admin cp, the "Whos Online" widget, and the Online Users page. Unfortunately WayBackMachine apparently allows access to an older version of the dev version. If they were browsing an archived version of the dev version, would it show up in those places as them currently browsing the current dev version? How do I prevent this? Should I blacklist all IP addresses and whitelist my own in the htaccess file? Is there something on my hosts side I should do? Cloudflare maybe? Any help would be appreciated. ------------------------------------------------------------------------------------------------------- UPDATE 1 As of now I've rewritten the dev site's root folder's .htaccess file to the following: <RequireAll> Require ip xx.xx.xx.xx #<--my IP </RequireAll> There are still at least 2 guests who seem to be managing to bypass this somehow. Despite that, it still doesn't seem like this should be necessary. Like if the site is set to offline, guests group permissions for "can access site" are set to off, guests permissions to "can access site while offline" are set to off, how are they getting on there??? It doesn't seem like I should have to resort to whitelisting my IP and blocking all others. Surely there are many admins who wouldn't know to do that, and would just be stuck allowing guests to wander their dev build. I also like using VPN while browsing, and this prevents me from being able to do so on my own site, without even solving the problem completely. To boot, I can't even get the guests' IP to block them specifically. ------------------------------------------------------------------------------------------------------- UPDATE 2 There is currently one guest online, and their IP address is showing up as the same as my own. Which means somehow they're mirroring my IP. I don't know how this is possible. Does that mean they have access to the admin cp? Or the .htaccess file? ------------------------------------------------------------------------------------------------------- UPDATE 3 I still don't know how they're using the same IP address as me. I added the following Cloudflare rules for all traffic on my dev subdomain: • Security settings to I'm Under Attack, which presents a Javascript challenge to the browser. • Set Cache Deception Armor to on. • Add IP Geolocation header to on. My browser automatically uses a VPN. So I have to ask google what my IP is every so often to update the .htaccess file... The instant I update the .htaccess file to a new IP, the guest's IP changes with it. Although it then shows a second guest still logged in with the previous IP address... How are they using the ONLY IP allowed to access the site?? Edited December 29, 2020 by RobotMonkeyHæd Link to comment Share on other sites More sharing options...
CoffeeCake Posted December 29, 2020 Share Posted December 29, 2020 Aramaech 1 Link to comment Share on other sites More sharing options...
Aramaech Posted December 29, 2020 Author Share Posted December 29, 2020 Update. I changed the .htaccess file to deny all IP, and left it that way for a couple hours. Apache should've been denying all access during that time. After a couple hours I then switch it to only accept my IP, and logged in immediately. Upon doing so, then going to online users, it showed me, a guest with my IP and a 2nd guest who had been logged in for 10 minutes... Link to comment Share on other sites More sharing options...
CoffeeCake Posted December 29, 2020 Share Posted December 29, 2020 A better approach may be to use basic authentication to access the development site in addition to (or instead of) the IP address restrictions you have in place. See: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html You might search for htpasswd + apache for quick how tos. Aramaech 1 Link to comment Share on other sites More sharing options...
Morrigan Posted December 29, 2020 Share Posted December 29, 2020 Guests "browsing" is not likely if your site is offline. If an IP hits the site it will log it as "browsing". If I knew where your dev build was I could load the front page and be marked as a guest and as browsing even though all I'm seeing is an access denied or login page. This is just IPS saying that it see's someone actively touched your site within the last X minutes. Aramaech 1 Link to comment Share on other sites More sharing options...
Aramaech Posted January 19, 2021 Author Share Posted January 19, 2021 On 12/29/2020 at 2:44 PM, Paul E. said: A better approach may be to use basic authentication to access the development site in addition to (or instead of) the IP address restrictions you have in place. See: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html You might search for htpasswd + apache for quick how tos. Thank you for that. I'll try implementing it, see how it goes. On 12/29/2020 at 4:48 PM, Morrigan said: Guests "browsing" is not likely if your site is offline. If an IP hits the site it will log it as "browsing". If I knew where your dev build was I could load the front page and be marked as a guest and as browsing even though all I'm seeing is an access denied or login page. This is just IPS saying that it see's someone actively touched your site within the last X minutes. I get that. However the "online users" page shows what page the user is on, and some of the users were browsing specific pages. Given that admins and moderators are the only groups set to have access to the site when its offline, and the site is offline, this shouldn't have been possible. __________ After some messing around there are now almost always 5 other users present on the site, but I'm just hoping they're cloudflare's cdn network caching data. Link to comment Share on other sites More sharing options...
Morrigan Posted January 19, 2021 Share Posted January 19, 2021 1 hour ago, RobotMonkeyHæd said: I get that. However the "online users" page shows what page the user is on, and some of the users were browsing specific pages. Given that admins and moderators are the only groups set to have access to the site when its offline, and the site is offline, this shouldn't have been possible. Even if they are getting an error on that page it will show that they are on that page. Its actually standard. IPS tracks the page they are on (and thus the error they are getting) so it serves to reason that the "online" page is going to reflect this as well. Its not going to say "Guest is on error on page X" its just going to show that "guest is on Page X" whether or not they are getting a permission denied error. Link to comment Share on other sites More sharing options...
Recommended Posts