Since the number of Admins on a server is usually limited to a small handful, an Admin may want to limit access to Admin accounts to the IPs of those people, in case the password falls into the wrong hands.
To do this, we can use all_pre.sh to check the IP of the caller and ensure they're allowed to be logged in.
It is also recommended to enable all_pre.sh on HTM files, not just CMD files.
Create /usr/local/directadmin/scripts/custom/all_pre.sh, and in it, add the code:

    #!/bin/sh
    # username and caller_ip are set by DirectAdmin when it runs this script.
    # Look up the account type of the logged-in user.
    USERTYPE=$(grep '^usertype=' "/usr/local/directadmin/data/users/${username}/user.conf" | cut -d= -f2)
    if [ "${USERTYPE}" = "admin" ]; then
        if [ "$caller_ip" = "1.2.3.4" ]; then
            exit 0
        fi
        if [ "$caller_ip" = "5.6.7.8" ]; then
            exit 0
        fi
        # Repeat the check on the IP as many times as desired.
        echo "IP $caller_ip is not allowed to be logged in as an Admin"
        exit 1
    fi
    # Non-admin accounts are not restricted.
    exit 0

where 1.2.3.4 and 5.6.7.8 would be IPs that you want to allow to login as an Admin.
You can add more checks for more IPs as needed.
Chmod the all_pre.sh to 700.
Note, if your IP changes, you must edit this file to add your new IP to the list or you won't be able to login as the Admin.
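The same check driven by an allowlist file instead of one "if" per IP, as an added example that is not DirectAdmin's own code. The allowlist path, the DA_USERS and ALLOW_FILE override variables and the function names are assumptions made for this example; it refuses Admin access when the caller IP is empty or the list cannot be read.

```shell
#!/bin/sh
# Added example: allowlist-file variant of the all_pre.sh check above.
# DA_USERS matches the path used on this page; ALLOW_FILE is a hypothetical path.
DA_USERS="${DA_USERS:-/usr/local/directadmin/data/users}"
ALLOW_FILE="${ALLOW_FILE:-/usr/local/directadmin/scripts/custom/admin_ips.list}"

# Print the usertype recorded in a user's user.conf (empty if not found).
get_usertype() {
    grep '^usertype=' "$DA_USERS/$1/user.conf" 2>/dev/null | head -n 1 | cut -d= -f2
}

# Return 0 only if IP $1 exactly matches a line of the allowlist.
# File format: one IP per line; blank lines and "#" comments are ignored.
ip_allowed() {
    [ -n "$1" ] || return 1            # empty caller IP: deny
    [ -r "$ALLOW_FILE" ] || return 1   # missing or unreadable list: deny
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                           # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')  # drop whitespace and CR
        [ -n "$line" ] || continue
        [ "$line" = "$1" ] && return 0               # exact match, not substring
    done < "$ALLOW_FILE"
    return 1
}

# $1 = username, $2 = caller IP. Non-admins pass; admins need a listed IP.
check_access() {
    [ "$(get_usertype "$1")" = "admin" ] || return 0
    ip_allowed "$2" && return 0
    echo "IP $2 is not allowed to be logged in as an Admin"
    return 1
}

# Hook entry point: runs when DirectAdmin has set $username in the environment.
if [ -n "${username:-}" ]; then
    check_access "$username" "${caller_ip:-}" || exit 1
fi
```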
The same guide could be modified in many other ways, such as blocking all access to DirectAdmin, except to specific IPs.
This can be done by simply removing the "if" statement that checks the USERTYPE, so that the IP check applies to all usertypes.
Note that there is also the custom script login_pre.sh if you actually wish to block the accepted login from a specific IP. This would be a block at the login level (it would be the same as a wrong password), versus all_pre.sh, which simply restricts running any command *after* a login was successful and the session file was created.