Difference between revisions of "drupal disabling user login by .htaccess"

From thelinuxwiki
(Created page with "==description== If you are using drupal to server up a website but have no need for users on the public Internet to login to you site, then you can disable access to the login...")
 
(solution)
 
(4 intermediate revisions by one user not shown)
Line 6: Line 6:
 
Example: only allow access to user login from your private IP address range
 
Example: only allow access to user login from your private IP address range
  
Add the foilowing lines to you .htaccess file in the root of your drupal site folder.   
+
Add the foilowing lines to the apache server definition in httpd.conf of other file where the site is defined.   
  
 
  <Location /user/login>
 
  <Location /user/login>
 
   Order allow,deny
 
   Order allow,deny
   Allow from 192.168.1.0/24
+
   allow from 192.168.1.0/24
   Allow from 127
+
   allow from 127
 
  </Location>
 
  </Location>
  
 
==logs==
 
==logs==
  
==> error_log <==
+
By default, my apached logs the access attempt and errors as follows..
[Thu Sep 01 11:06:19 2016] [alert] [client 40.77.167.34] /var/www/example123.com/htdocs/.htaccess: <Location not allowed here
+
 
 +
 +
$ '''tail -f access_log error_log'''
 +
<nowiki>==> error_log <==</nowiki>
 +
[Thu Sep 01 11:33:57 2016] [error] [client 188.72.99.71] client denied by server configuration: /var/www/example123.com/htdocs/user
 +
<br><nowiki>==> access_log <==</nowiki>
 +
188.72.99.71 188.72.99.71 - - [01/Sep/2016:11:33:57 -0500] "GET /user/login HTTP/1.1" 403 279
 +
 
  
==> access_log <==
 
40.77.167.34 40.77.167.34 - - [01/Sep/2016:11:06:19 -0500] "GET /user/login HTTP/1.1" 500 605
 
  
 
[[category:drupal]]
 
[[category:drupal]]
 
[[category:apache]]
 
[[category:apache]]
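
Review bot: The rewritten solution sentence says to put the block in "the apache server definition in httpd.conf" but never says why .htaccess does not work, and the page title still says ".htaccess". The removed error_log line (".htaccess: <Location not allowed here", logged with a 500 in access_log) is the reason, so state in one sentence that <Location> is not accepted in .htaccess; otherwise readers following the title will reproduce the 500. The same sentence also carries the typos "foilowing" and "of other file" over unchanged.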

Latest revision as of 16:37, 1 September 2016

description

If you are using Drupal to serve up a website but have no need for users on the public Internet to log in to your site, then you can disable access to the login form or page. This will aid in preventing hackers from logging in as admin.

solution

Example: only allow access to user login from your private IP address range

Add the following lines to the Apache server definition in httpd.conf or another file where the site is defined.

<Location /user/login>
  Order allow,deny
  allow from 192.168.1.0/24
  allow from 127
</Location>

logs

By default, my Apache logs the access attempt and errors as follows:


$ tail -f access_log error_log 
==> error_log <==
[Thu Sep 01 11:33:57 2016] [error] [client 188.72.99.71] client denied by server configuration: /var/www/example123.com/htdocs/user

==> access_log <==
188.72.99.71 188.72.99.71 - - [01/Sep/2016:11:33:57 -0500] "GET /user/login HTTP/1.1" 403 279
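
One way to confirm from access_log that the rule is doing its job, added here as an example and not part of the original wiki page: it classifies every request to /user/login by source network and status code. The function names and the last three sample lines are constructed for illustration; the first two sample lines are the ones shown on this page.

```python
import ipaddress
import re

# Networks mirrored from the <Location> block above; "allow from 127" is a
# partial address that Apache matches as 127.0.0.0/8.
ALLOWED = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]
PROTECTED = "/user/login"

# The access_log format shown on this page starts with the client address twice.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)

def audit(lines):
    """Return (ip, path, status, verdict) for each request to the protected path."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?")[0]
        if path != PROTECTED and not path.startswith(PROTECTED + "/"):
            continue
        ip, status = m["ip"], int(m["status"])
        if is_allowed(ip):
            verdict = "internal"
        elif status == 403:
            verdict = "blocked"        # rule applied as intended
        elif status >= 500:
            verdict = "server-error"   # config problem, rule not applied cleanly
        else:
            verdict = "EXPOSED"        # outside client was served the login page
        findings.append((ip, m["path"], status, verdict))
    return findings

# Sample input: lines 1-2 are from this page, lines 3-5 are constructed.
SAMPLE = [
    '188.72.99.71 188.72.99.71 - - [01/Sep/2016:11:33:57 -0500] "GET /user/login HTTP/1.1" 403 279',
    '40.77.167.34 40.77.167.34 - - [01/Sep/2016:11:06:19 -0500] "GET /user/login HTTP/1.1" 500 605',
    '192.168.1.20 192.168.1.20 - - [01/Sep/2016:11:40:02 -0500] "GET /user/login HTTP/1.1" 200 4312',
    '203.0.113.9 203.0.113.9 - - [01/Sep/2016:11:41:10 -0500] "POST /user/login HTTP/1.1" 200 4312',
    '203.0.113.9 203.0.113.9 - - [01/Sep/2016:11:41:12 -0500] "GET /node/1 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Any "EXPOSED" or "server-error" verdict means the server definition that handled the request is not applying the block as written.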