Restrict Admin users to the Internal network

We want to allow admin users only from the internal network.

Since I could not find any possibility for this (maybe I have overlooked it), I would like to ask if it is possible to restrict certain users to a specific source IP range like 192.168.* or 10.*

In the meantime we disable the admin user and enable it when we need something. But that is tiresome, and our security advisor feels that this would be important.

Thanks in advance.


Hi Ascendancer, did you find a solution for your problem? We’d like to do the same

Adding one more person here who also needs this feature. A separate admin login page, maybe like https://www.example.com/admin.php or /index.php/admin (?)


I also need this feature :thinking:

Maybe the app Restrict login to IP addresses could be updated to be applied only to groups and users. At the moment it has not been updated for NC 15 …

Has anyone made Apache rules? Or mod_security rules?


I also would love to have this feature. I would like to restrict the access of certain accounts to the local network only.

Hi, I have found a pretty good solution at web server level! :partying_face:

 RewriteEngine On
 RewriteCond %{HTTP_COOKIE} nc_username=admin
 RewriteCond %{REMOTE_ADDR} !^192\.168\.
 RewriteRule .* - [F,L]

Explanation

By putting this rule into my Nextcloud virtual host, I was able to limit admin actions to an IP range.

Line by line:

  1. turn on the rewrite engine (you need mod_rewrite enabled)
  2. check if the cookie nc_username equals admin
  3. check if the source IP is not part of 192.168.0.0/16
  4. if both conditions are met, send 403 Forbidden

Down side :thinking:

:warning: this does not forbid admin login! :warning:

It only forbids admin HTTP requests. So all admin cookies are still set and can be stolen.

Up side :star_struck:

It is way better to perform this check at web server level and not at PHP level.

Enjoy! :grinning:


What about forcing the use of a YubiKey hardware token for the administrator account? If you order one which is physically plugged into a local USB port, you could restrict the usage to that device.

A YubiKey is another solution.

As for the solution above, I am not sure it works with WebDAV or admin APIs. Be careful before using it.

Hello jnmrcdr,

I am trying the same with Varnish, but the cookies can easily be manipulated. You can delete this cookie (this can be checked otherwise) or edit your nc_username cookie. Does anyone else have a method for this without looking into the POST body with the form data?

As an idea, in addition to the rules above:

You can add a rule to the web server to evaluate POST requests to …/index.php/login and drop them if user: admin is in the body. Looks like you can do this with mod_security, but IDK how…

This will restrict admin login.

This will not protect you if the admin logged in while in the whitelisted range, then manipulated his nc_username cookie and accessed from a non-permitted IP.

I got this working via mod_security3 on FreeBSD.
Internet -> Pound Reverse Proxy Server -> Apache mod_security3 Server -> Apache Nextcloud Server

I created my own rule to drop the admin login:
SecRule REQUEST_BODY "user=admin" "id:991,phase:2,log,drop,status:403,msg:'Admin Login via %{remote_addr} Detected!',severity:3"

It's important to use mod_security on a server in front of Nextcloud, otherwise the sequence of the modules is a problem: in my tests the login response cookies were set, so after reloading you could log in. This doesn't happen if it's a separate server, since the request doesn't reach the Nextcloud server.

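Added example, not code from any post in this thread: the Python below models the two web-server filters discussed above (the mod_rewrite cookie check from the "solution at web server level" post and the mod_security login-body rule from the FreeBSD post) as plain functions and runs them over constructed requests. It is meant to show the gap both posts mention: the cookie rule stops requests that carry nc_username=admin from outside, but a client who deletes or rewrites that cookie walks past it, whereas the login-body rule blocks the admin login itself. Assumptions not in the thread: the internal ranges are 192.168.0.0/16 and 10.0.0.0/8, the username is compared exactly rather than by regex, the login rule gets a source-IP condition (the posted SecRule drops every admin login regardless of source), and the sample traffic is made up.

```python
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumed internal ranges (the thread mentions 192.168.* and 10.*).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
ADMIN_USERS = {"admin"}
LOGIN_PATH = "/index.php/login"   # Nextcloud login endpoint as named in the thread


def is_internal(remote_addr: str) -> bool:
    """True when the client address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in INTERNAL_NETS)


def cookie_rule(req: dict) -> bool:
    """Equivalent of the RewriteCond pair: block when the nc_username cookie
    names an admin account and the client is external. The decision rests
    entirely on a client-controlled cookie, which is the weakness discussed
    in the thread. Exact match is used; the posted regex 'nc_username=admin'
    would also match e.g. nc_username=administrator."""
    if is_internal(req["remote_addr"]):
        return False
    jar = SimpleCookie()
    jar.load(req["headers"].get("Cookie", ""))
    return "nc_username" in jar and jar["nc_username"].value in ADMIN_USERS


def login_rule(req: dict) -> bool:
    """Equivalent of the SecRule on REQUEST_BODY, but parsing the form
    instead of substring-matching 'user=admin', and with a source-IP
    condition added (assumption; the posted rule drops every admin login)."""
    if req["method"] != "POST" or req["path"] != LOGIN_PATH:
        return False
    if is_internal(req["remote_addr"]):
        return False
    form = parse_qs(req["body"])
    return any(user in ADMIN_USERS for user in form.get("user", []))


def decide(req: dict) -> int:
    """Status the front-end filter would answer with: 403 to block, 200 to pass."""
    return 403 if (cookie_rule(req) or login_rule(req)) else 200


def make_request(method, path, remote_addr, cookie="", body=""):
    return {"method": method, "path": path, "remote_addr": remote_addr,
            "headers": {"Cookie": cookie}, "body": body}


# Constructed sample traffic, not captured from a real deployment.
ADMIN_LOGIN_OUTSIDE = make_request("POST", LOGIN_PATH, "203.0.113.10",
                                   body="user=admin&password=hunter2&timezone=UTC")
ADMIN_LOGIN_INSIDE = make_request("POST", LOGIN_PATH, "192.168.1.20",
                                  body="user=admin&password=hunter2")
ADMIN_SESSION_OUTSIDE = make_request("GET", "/index.php/settings/admin", "203.0.113.10",
                                     cookie="nc_username=admin; nc_token=deadbeef")
# Same session, but the client rewrote the nc_username cookie value.
FORGED_COOKIE_OUTSIDE = make_request("GET", "/index.php/settings/admin", "203.0.113.10",
                                     cookie="nc_username=bob; nc_token=deadbeef")

if __name__ == "__main__":
    for name, req in [("admin login from outside", ADMIN_LOGIN_OUTSIDE),
                      ("admin login from inside", ADMIN_LOGIN_INSIDE),
                      ("admin session from outside", ADMIN_SESSION_OUTSIDE),
                      ("forged cookie from outside", FORGED_COOKIE_OUTSIDE)]:
        print(f"{name:28s} cookie_rule={cookie_rule(req)!s:5} "
              f"login_rule={login_rule(req)!s:5} -> {decide(req)}")
```

The forged-cookie case is the one to watch: the cookie rule returns False and the request passes, exactly the manipulation described in the Varnish post. Only the login rule, applied on a host in front of Nextcloud so that the Set-Cookie response never reaches the client, closes the login path; neither rule covers an admin who logged in from inside and then keeps using the session from outside.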