Limit Nextcloud by IP

Hey Guys (and girls),

What is the best way to make Nextcloud accessible only for two IP addresses without tinkering with the .htaccess? Is it possible to give access to one or two IP addresses in the config file?

Server: CentOS 7 64 Bits

Config file

    <?php
    $CONFIG = array (
      'instanceid' => 'dadsads',
      'passwordsalt' => 'iTBM5DX0MBdasdQqEfkwEr/i',
      'secret' => 'L+crIwasdasdbhKEtaD13F9ZhqeVj',
      'trusted_domains' => 
      array (
        0 => 'domain.example.lan',
      ),
      'datadirectory' => '/home/dsaasd',
      'overwrite.cli.url' => 'https://fdasdas',
      'dbtype' => 'mysql',
      'version' => '13.0.4.0',
      'dbname' => 'cloud_DB',
      'dbhost' => 'localhost',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'dbuser' => 'cloud_asdadadsDB',
      'dbpassword' => '26fasdasd39618d96b8',
      'installed' => true,
      'versions_retention_obligation' => 'disabled',
    );

Use iptables. Drop all traffic except for the 2 IPs if you're only doing local traffic.

Isn't there an IP-filter app in the store?

No. iptables is the basic firewall of any Linux OS.

On CentOS, it is called “firewalld”

You need to install/configure it:

    yum install firewalld
    systemctl enable firewalld
    reboot

And so on …

Basically, if you don't know how, you'd better pass, unless you want to lock yourself out of the server when you don't have physical access.
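The firewalld route sketched in the post above (and the "drop everything except the two IPs" iptables advice before it), worked through as an added example that is not from the thread or from the Nextcloud project. It targets firewalld on CentOS 7 as the post suggests; the addresses 192.0.2.10 and 192.0.2.20, the zone `public`, the ports 80/443, and the function names `plan_rules`/`apply_rules` are all my own assumptions. The script first prints the `firewall-cmd` commands so they can be reviewed, and its `runtime` mode adds the allow rules with a timeout so that a mistake undoes itself instead of locking you out, which is exactly the risk the post warns about.

```shell
#!/bin/sh
# Added example, not from the thread: restrict a Nextcloud server's web ports
# to two client addresses with firewalld on CentOS 7, keeping SSH reachable.
# 192.0.2.10 / 192.0.2.20 are placeholder (documentation-range) addresses;
# set ALLOWED_IPS to the two real client addresses before applying anything.
ALLOWED_IPS="${ALLOWED_IPS:-192.0.2.10 192.0.2.20}"
WEB_PORTS="${WEB_PORTS:-80/tcp 443/tcp}"

# plan_rules ZONE MODE
#   Prints the firewall-cmd commands rather than running them, so the change
#   can be reviewed before it touches a live firewall.
#   MODE=runtime   : allow rules carry --timeout=300 and nothing is saved, so a
#                    mistake undoes itself in five minutes (or on reload/reboot).
#   MODE=permanent : the same rules are written with --permanent and reloaded.
plan_rules() {
  zone="$1"
  mode="$2"
  case "$mode" in
    permanent) perm=" --permanent"; rich=" --permanent" ;;
    runtime)   perm="";             rich=" --timeout=300" ;;
    *) echo "plan_rules: mode must be runtime or permanent" >&2; return 2 ;;
  esac

  # 1. Keep SSH open in this zone before anything else (idempotent if already
  #    enabled), so the web restriction can never cost you the shell.
  printf 'firewall-cmd --zone=%s --add-service=ssh%s\n' "$zone" "$perm"

  # 2. One rich rule per (client address, web port): a source-restricted accept.
  for ip in $ALLOWED_IPS; do
    for p in $WEB_PORTS; do
      port=${p%/*}
      proto=${p#*/}
      printf "firewall-cmd --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'%s\n" \
        "$zone" "$ip" "$port" "$proto" "$rich"
    done
  done

  # 3. Remove the catch-all http/https services; otherwise every source is still
  #    accepted and the rich rules change nothing. Other sources now fall through
  #    to the zone's default target (reject on the stock public zone).
  for svc in http https; do
    printf 'firewall-cmd --zone=%s --remove-service=%s%s\n' "$zone" "$svc" "$perm"
  done

  # 4. Permanent changes only take effect after a reload.
  if [ "$mode" = permanent ]; then
    printf 'firewall-cmd --reload\n'
  fi
  return 0
}

# apply_rules ZONE MODE: run the plan on a host that actually has firewalld.
apply_rules() {
  command -v firewall-cmd >/dev/null 2>&1 || {
    echo "apply_rules: firewall-cmd not found (yum install firewalld)" >&2
    return 1
  }
  plan_rules "$1" "$2" | sh -e
}

# Usage: sh restrict-nextcloud.sh plan [zone] [runtime|permanent]
#        sh restrict-nextcloud.sh apply public runtime     # try it; self-expiring
#        sh restrict-nextcloud.sh apply public permanent   # once verified
case "${1:-}" in
  plan)  plan_rules "${2:-public}" "${3:-runtime}" ;;
  apply) apply_rules "${2:-public}" "${3:-runtime}" ;;
esac
```

Run `plan public runtime` first and read the output, then `apply public runtime` from a session on one of the two allowed addresses and confirm Nextcloud still loads there and not from elsewhere; only then `apply public permanent`. The plan assumes the web ports were opened as the `http`/`https` services; if they were opened with `--add-port=80/tcp` and `--add-port=443/tcp` instead, those are what step 3 has to remove.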

Sure enough. But this app (see above) seems to be doing exactly what was wanted by @Daansk44, which is limiting access to certain IP addresses.

Might be the case. But why double the effort?

Furthermore, it manages only IPs, not ports …

If you want to secure only by IP, that's fine for me.

But if your server is exposed to the net, you’d better set something like IPTABLE+FAIL2BAN

https://www.abuseipdb.com/contributor/17841.svg

    iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    f2b-HTTP   tcp  --  anywhere             anywhere             tcp dpt:http
    f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  REDACTED             anywhere             tcp
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ftp-data:ftp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webmin
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:loc-srv
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ns
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-dgm
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:loc-srv
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ssn
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:mysql dpt:mysql
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:urd dpt:urd
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6379
    f2b-HTTP   tcp  --  anywhere             anywhere             tcp dpt:http

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain f2b-HTTP (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-SSH (1 references)
    target     prot opt source               destination
    REJECT     all  --  140.143.25.209       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  112.85.42.158        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  123.206.51.221       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  103.89.88.251        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  test.fluid.chat      anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  5.188.10.76          anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  193.112.47.154       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  na-148-243-125-30.static.avantel.net.mx  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  177-53-41-199.ligo.net.br  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  112.85.42.230        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  118.24.157.66        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  119.29.140.39        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  140.143.245.229      anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  209.97.136.12        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  h-255-138.A324.priv.bahnhof.se  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  122.152.201.28       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  106.58.216.195       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  76.82.frmst.is       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  78.253.100.166       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  111.200.195.54       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  202.29.7.78          anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  118.89.228.41        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  95.177.216.49        anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  101.99.65.72         anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  222.107.38.218       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  201-71-189-4-arpa.younet.com.br  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  host-186-3-170-152.netlife.ec  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  static.vnpt.vn       anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  ip-132-148-128-185.ip.secureserver.net  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  186.100.193.35.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere

Maybe because it's pretty simple to set up?

Anyway… you are right, it's part of the system. But as with many Linux things, you need to get into it first. If one's coming from Windows, that might be a bit uncomfortable.

Absolutely… but it is worth the pain!

How do you get the plot? :smiley:

Unless the poster specifies his purpose, you can't know what's best for him. If he runs other services or websites that should not be limited, your solution wouldn't apply.

Looks like munin.

It is munin.