I have a website which I want to use for administrative purposes. I need to be sure that only people from certain machines can log on. The problem is they are on ISP networks. Will I truly get the correct IP address to use from an ip/ifconfig command, or must I worry about NAT being used by the ISP?

  • You may also want to ask about this on [security.SE] -- "What authentication/protection schemes would you recommend for a website with an administrative interface?" – voretaq7 Feb 12 '14 at 23:01
  • Why not do what thousands of websites do - rely on a username and password? – TomTom Feb 12 '14 at 23:03
  • @TomTom . . . mainly for the reason I outlined in the last point on my answer: Brute force attacks and lousy passwords. ("Just because `we've always done it this way` doesn't mean it's a good solution" -- Username/Password authentication is pretty awful from a security standpoint) – voretaq7 Feb 12 '14 at 23:04
  • Both problems were solved many many many many many years ago. – TomTom Feb 12 '14 at 23:06
  • @TomTom If the problem were really "solved" I'd have a proper two-factor authentication token I could use in addition to my username/password for all the websites I routinely use to pay my bills (bank, phone company, cable company, mortgage company... all rely on a username and a password that often "may not contain the character `%`" -- kill me now!) -- My freakin' Blizzard gaming account is more secure than any of those... – voretaq7 Feb 12 '14 at 23:15

2 Answers


You're Doing It Wrong, my friend.

Aside from both local NAT and "Carrier-Grade NAT" (which mean the information you get from ifconfig on client systems may be a private address that you can't use in your server's access lists), IP-based security is a farce: ISPs may change public network assignments, end-users may be on dynamic IPs, or someone might spoof BGP and lie their way past your security.

If you want to properly secure your site my recommendations would be:

  1. SSL with mutual certificate authentication
    Very secure, supported by pretty much every browser, but a bit of a pain in the butt to administer because you need to issue client certificates to all your users and explain how to install them (and the certs are tied to the machines you install them on so your users may not be able to log in from Grandma's house).
    Totally worth it if you need the security though.

  2. SSL and Two-Factor Authentication
    Using something like Google Authenticator in addition to a username/password, giving your users real Two-Factor authentication (Something you know - Username/Password, and Something you have - the device with Authenticator running on it).
    This may require a little work on your part, either in your app or on the server with something like mod_auth_external, but it's very good security: It doesn't suffer the limitations of mutual certificate authentication, and it's nigh-impossible to brute force.

  3. SSL and Username/Password Authentication
    Only as secure as the username/password, but that's why we have good password policies.
    This is susceptible to brute-force attacks, so mitigation techniques would need to be employed.


The easiest way to determine this is to run the following on the system you plan to allow access.

lynx ipchicken.com

If it matches your ifconfig you should be good to go. If not and it's a home router you'll be trusting the machines behind the individual's router. Another way you could do this is require VPN with credentials and only make this site available within your network. Then you could require keys or a certificate.
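The comparison this answer describes (address on the client's interface versus the address the outside world sees), as an added Python example that is not part of the original answer. It classifies each address using the standard `ipaddress` module, flags RFC 6598 carrier-grade NAT space separately (which `ipaddress` reports as neither private nor global), and states whether an allow-list entry for the observed address would admit only this machine. The `ip -4 -o addr` output is constructed for the demonstration, and 8.8.8.8 stands in for "some globally routable address"; `nat_in_path` and `acl_assessment` are names I chose.

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed sample of `ip -4 -o addr` output from a client behind a home
# router; not captured from any real system.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0\\       valid_lft 86399sec preferred_lft 86399sec
"""

CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def parse_ip_addr_output(text: str) -> List[str]:
    """Pull the IPv4 addresses out of `ip -o addr` (or ifconfig-style) output."""
    return re.findall(r"inet (\d{1,3}(?:\.\d{1,3}){3})", text)


def classify(addr_str: str) -> str:
    """Say what kind of address this is, and hence whether a server ACL could use it."""
    addr = ipaddress.ip_address(addr_str)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    # Checked before is_private: Python treats 100.64.0.0/10 as neither
    # private nor global, so it would otherwise fall through to "other".
    if addr.version == 4 and addr in CGNAT_V4:
        return "cgnat"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def nat_in_path(local_addrs: Iterable[str], observed_public: str) -> bool:
    """True when the address the server sees is not configured on the client
    itself, i.e. a home router and/or carrier-grade NAT rewrote the source."""
    locals_set = {ipaddress.ip_address(a) for a in local_addrs}
    return ipaddress.ip_address(observed_public) not in locals_set


def acl_assessment(local_addrs: Iterable[str], observed_public: str) -> dict:
    """Summarise what an IP allow-list entry for this client would actually cover."""
    local_addrs = list(local_addrs)
    nat = nat_in_path(local_addrs, observed_public)
    return {
        "local_kinds": {a: classify(a) for a in local_addrs},
        "acl_entry": observed_public,
        "nat_in_path": nat,
        # With NAT the entry admits every host sharing that public address;
        # behind carrier-grade NAT that can be many of the ISP's other customers.
        "covers_only_this_host": not nat and classify(observed_public) == "public",
    }


if __name__ == "__main__":
    addrs = parse_ip_addr_output(SAMPLE_IP_ADDR_OUTPUT)
    # "8.8.8.8" here stands in for whatever the external check reported.
    for key, value in acl_assessment(addrs, "8.8.8.8").items():
        print(f"{key}: {value}")
```

Run on the sample, the assessment reports NAT in the path and that an allow-list entry for the observed address would not be limited to this one host, which is exactly the condition the answer warns about.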
