
Is it a good idea to restrict access to the admin-login-page URL of a website by making a .htaccess rule that only allows access from a dedicated VPN IP?

If so, is it recommended to just buy the dedicated IP from popular VPN providers?

My goal is that only people having access to this VPN IP can reach the URL.

So far I've found similar approaches but haven't found a confirmation for this specific approach.
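As an added example (not from the question or the comments), here is what the rule described above looks like in Apache 2.4, first as the .htaccess file the question proposes and then as the equivalent server-config block, followed by the one caveat that most often makes this kind of rule fail silently. Assumptions: mod_authz_host and mod_remoteip are loaded, the admin UI lives under /admin, and 203.0.113.10 (a documentation address, substitute your own) is the dedicated VPN egress address.

```apache
# Added example, not part of the original question. Assumes Apache 2.4 with
# mod_authz_host, the admin UI under /admin, and a dedicated VPN egress
# address of 203.0.113.10 (placeholder from the documentation range).

# --- /var/www/site/admin/.htaccess ---
# Only honoured if httpd.conf grants "AllowOverride AuthConfig" (or "All")
# for this directory; with AllowOverride None the file is ignored and /admin
# stays open, so verify the override before relying on it.
Require ip 203.0.113.10

# --- same rule in the server config (httpd.conf / sites-enabled) ---
# Preferred over .htaccess: no per-request file lookup, and it cannot be
# switched off by a later AllowOverride change.
<Location "/admin">
    Require ip 203.0.113.10
    # Several Require lines are OR-ed, so an office range can be added:
    # Require ip 198.51.100.0/24
</Location>

# --- caveat: CDN or reverse proxy in front of Apache ---
# Behind a proxy, REMOTE_ADDR is the proxy's address, so the rule above
# either blocks every admin (proxy address not listed) or admits every
# visitor (proxy address listed). Recover the real client address from the
# forwarding header, and trust that header only when it comes from the
# proxy's own address range (10.0.0.0/8 here is an assumed internal range;
# use RemoteIPTrustedProxy with the CDN's published ranges for a public CDN).
<IfModule mod_remoteip.c>
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.0.0/8
</IfModule>
```

Check it from outside the VPN with `curl -I https://www.yoursite.com/admin/`, which should return 403, and again from the VPN, which should return the login page; if both return the same status, look at the proxy case above or at AllowOverride.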

schroeder
    There is no single answer to this question. It depends on your own risk tolerance and how much time you're willing to spend on security. I've had plenty of admin portals that are wide open to access from anywhere (of course you still need a valid username and password). However, if your admin portal is used to launch a preemptive nuclear strike, then requiring you to be on a VPN to access it is likely a woefully *inadequate* security measure. – Conor Mancone Jul 21 '20 at 18:26
    Or, in other words, [what is your threat model?](https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one) – Conor Mancone Jul 21 '20 at 18:26
  • The targets range from SAAS, E-Commerce to Online Course Websites. – Andy Markow Jul 21 '20 at 18:29
  • That doesn't really change my comment: only you can decide if this is a reasonable step for you. Restricting access to the VPN has the benefit of stopping *some* potential threat vectors (mainly just password brute force, also some classes of application vulnerabilities in the admin portal if you are running software with known vulnerabilities). However these can also be mitigated in other ways, and it has a disadvantage of being more difficult to access from anywhere (I left my laptop at home and my phone isn't connected to the VPN!) – Conor Mancone Jul 21 '20 at 18:41
  • Whether or not the benefits outweigh the costs is something that only you can decide depending on what you consider to be acceptable risks. – Conor Mancone Jul 21 '20 at 18:42
  • Thanks for your answer. Are there different ways to approach this problem with the same/lower costs of a dedicated ip? – Andy Markow Jul 21 '20 at 18:55
  • In most practical situations along these lines, the office has a static IP address (or close enough anyway - not a big deal if you have to update your IP whitelist once a year). Therefore people would just VPN into the office network (you'd have to host a VPN in your office network, assuming your office router can't fulfill this functionality) and whitelist your office IP address. – Conor Mancone Jul 21 '20 at 18:57
  • This way you wouldn't necessarily have to purchase a VPN service. Of course then you have to manage your own VPN service, which may not actually be cheaper in the long run. So... I don't know! – Conor Mancone Jul 21 '20 at 18:59
  • Fair enough. Thanks again for taking time to answer my question! – Andy Markow Jul 21 '20 at 23:09

1 Answer

In addition to the excellent suggestions by Conor Mancone in the comments, you might want to consider the following:

Is the protected admin URL within the domain of a larger website that is open to the public (e.g. https://www.yoursite.com/admin)? If so, you may want to make the admin site entirely separate from the public site, with a different subdomain for the admin site (e.g. https://admin.yoursite.com/ as opposed to https://www.yoursite.com/admin).

This has several security advantages:

  1. The admin site will benefit from same origin policy (SOP) to protect against CSRF and XSS attacks possibly launched from the user site, being that the sites will have different origins.

  2. By making the admin site separate from your user site in your web server configuration, you may be able to configure a higher level of SSL/TLS security for the admin site than that of the user site. This also gives you the option to deploy client certificates for the admin site, as another layer of security in addition to IP whitelisting.

mti2935
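As an added example (not part of the answer above), here is an Apache configuration that implements the answer's two points: the admin application is served only from its own origin, admin.yoursite.com, with a stricter TLS floor and mandatory client certificates, while the public vhost does not mount it at all. Assumptions: Apache 2.4.36 or later with mod_ssl, mod_headers and mod_authz_host; separate server certificates for the two hostnames; a private CA at /etc/ssl/admin-ca.crt that issued the administrators' client certificates; and 203.0.113.10 as the VPN egress address (all paths and addresses are placeholders).

```apache
# Added example, not the answer author's configuration. Assumes Apache >= 2.4.36
# (TLSv1.3 in mod_ssl), mod_headers, mod_authz_host, separate certificates per
# hostname, a private client CA at /etc/ssl/admin-ca.crt, and VPN egress
# 203.0.113.10. All paths and addresses are placeholders.

# Public site. The admin application is simply not present under this vhost,
# so https://www.yoursite.com/admin returns the same 404 as any unknown path
# and nothing here shares an origin with the admin UI.
<VirtualHost *:443>
    ServerName www.yoursite.com
    DocumentRoot /var/www/public

    SSLEngine on
    SSLCertificateFile    /etc/ssl/www.yoursite.com.crt
    SSLCertificateKeyFile /etc/ssl/www.yoursite.com.key
    # Public visitors still get TLS 1.2 for older clients.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>

# Admin site on its own origin, with every layer tightened independently of
# the public site.
<VirtualHost *:443>
    ServerName admin.yoursite.com
    DocumentRoot /var/www/admin

    SSLEngine on
    SSLCertificateFile    /etc/ssl/admin.yoursite.com.crt
    SSLCertificateKeyFile /etc/ssl/admin.yoursite.com.key
    # Admins run current browsers, so drop everything below TLS 1.3.
    SSLProtocol -all +TLSv1.3

    # Mutual TLS: the handshake fails before any request reaches the login
    # page unless the client presents a certificate issued by the private CA.
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile /etc/ssl/admin-ca.crt

    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory "/var/www/admin">
        # Both conditions must hold: the request must come from the VPN
        # address AND carry a verified client certificate. The second line is
        # redundant while SSLVerifyClient is "require", but it keeps the
        # directory closed if someone later relaxes that to "optional".
        <RequireAll>
            Require ip 203.0.113.10
            Require ssl-verify-client
        </RequireAll>
    </Directory>
</VirtualHost>
```

To confirm the client-certificate layer is doing work, connect from the VPN without a certificate (`curl -I https://admin.yoursite.com/`) and expect a TLS handshake failure rather than an HTTP response; then repeat with `curl --cert admin.pem --key admin.key -I https://admin.yoursite.com/` and expect the login page. A plain 403 on the first attempt would mean mTLS is not enforced and only the IP rule is in effect.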