
I only want my IP to be able to execute Admin level commands

Since the number of Admins on a server is usually limited to a small handful, restricting access to Admin accounts to the IPs of those people is something an Admin might want to do, in case the password falls into the wrong hands.

To do this, we can use all_pre.sh to check the IP of the caller and ensure they are allowed to be logged in.
It is also recommended to enable all_pre.sh for HTM requests, not just for CMD requests.

Create /usr/local/directadmin/scripts/custom/all_pre.sh, and in it, add the following code:

#!/bin/sh
# DirectAdmin exports the account name as $username and the client address as $caller_ip.
USERTYPE=$(grep '^usertype=' "/usr/local/directadmin/data/users/${username}/user.conf" | cut -d= -f2)

if [ "${USERTYPE}" = "admin" ]; then
   # One check per allowed Admin IP; exit 0 lets the command run.
   if [ "$caller_ip" = "1.2.3.4" ]; then
       exit 0;
   fi

   if [ "$caller_ip" = "5.6.7.8" ]; then
       exit 0;
   fi

   # Repeat the check on the IP as many times as desired.

   # No match: exit 1 rejects the request and the echoed text is returned as the error message.
   echo "IP $caller_ip is not allowed to be logged in as an Admin";
   exit 1;
fi
# Non-admin accounts are not restricted by this script.
exit 0;

where 1.2.3.4 and 5.6.7.8 are the IPs that you want to allow to log in as an Admin.
You can add more checks for more IPs as needed.
Make the script executable by root only: chmod 700 all_pre.sh.

Note: if your IP changes, you must edit this file to add your new IP to the list, or you will not be able to log in as the Admin.

The same approach can be adapted in many other ways, such as blocking all access to DirectAdmin except from specific IPs.
This can be done by simply removing the "if" statement that checks the USERTYPE, so that the IP check applies to all user types.
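Below is an added example (not DirectAdmin's own code, nor the script from this article) that takes the same all_pre.sh idea a step further: the allowed Admin addresses are read from a separate allowlist file (assumed path /usr/local/directadmin/scripts/custom/admin_allowed_ips) that accepts both single IPs and CIDR ranges, so a changed IP means editing one line of the list rather than the script, and each denial is written to syslog via logger(1) (assumed to be present).

```shell
#!/bin/sh
# Added example for /usr/local/directadmin/scripts/custom/all_pre.sh (not DirectAdmin's own code).
# Assumption: allowed Admin IPs/CIDRs live in $ALLOWLIST, one per line; '#' starts a comment.
ALLOWLIST=/usr/local/directadmin/scripts/custom/admin_allowed_ips

# Convert a dotted-quad IPv4 address to an integer; fail on anything that is not one.
ip_to_int() {
    case $1 in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when IP $1 lies inside $2, written either as "a.b.c.d" or as "a.b.c.d/bits".
ip_in_cidr() {
    ip_int=$(ip_to_int "$1") || return 1
    net=${2%%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32            # bare host entry: treat as /32
    case $bits in *[!0-9]*|'') return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    net_int=$(ip_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# True when IP $1 matches any entry of allowlist file $2; blanks and comments are skipped.
ip_allowed() {
    [ -r "$2" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "${entry%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        ip_in_cidr "$1" "$entry" && return 0
    done < "$2"
    return 1
}

# Hook body: DirectAdmin exports $username and $caller_ip to all_pre.sh.
hook_main() {
    usertype=$(grep '^usertype=' "/usr/local/directadmin/data/users/${username}/user.conf" | cut -d= -f2)
    [ "$usertype" = "admin" ] || exit 0      # non-admin accounts are not restricted here
    ip_allowed "$caller_ip" "$ALLOWLIST" && exit 0
    # Assumption: logger(1) is available; every denial is worth an audit-log line.
    command -v logger >/dev/null 2>&1 && logger -t all_pre "denied admin command for $username from $caller_ip"
    echo "IP $caller_ip is not allowed to be logged in as an Admin"
    exit 1
}
if [ -n "${caller_ip:-}" ]; then hook_main; fi
```

Unlike the script above, an unreadable or missing allowlist file denies every Admin request, so create the file (chmod 600) before installing the hook.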


Note that there is also the custom script login_pre.sh if you wish to block the login itself from a specific IP. That is a block at the login level (it behaves the same as a wrong password), whereas all_pre.sh only restricts running commands *after* a login has succeeded and the session file has been created.
