restricting access to site to range of ip addresses

fizzy

i'm currently restricting access to a website at the moment by ip address. this works fine for people who have a static ip, but i've found out one of our users is using eircom net (not sure which account type yet).

i figure all i can do is set his account's ip restriction to cover all eircom net ips? is there any tool online that i can use to find out what ranges they use - i rang them but they were reluctant to help and eventually said they use a whole load of ranges - it's pretty random - but a definitive list would do.

maybe i should switch to some other method of restricting access - short of cookies (which can be too easily wiped) i'm not sure what options are out there for me. should i be thinking about secure certs or something?

i'd appreciate any advice!
thanks a mill

seamus

Broadband users use a different ip range to dial up users afaik. Give eircom net a ring and ask them tbh.

buddy

Sorry to state the obvious, but if you block all eircom net IP's no-one connecting through them will be able to access the site. Isn't that a bit extreme for one user?

seamus

Eircom.net's IP range for dialup users is 159.134.*

A better method of access control is a login system. You supply the logins, you control who has access.

dahamsta

Ask on IIU, someone will probably post the ranges for you. If not, try ILUG. A certain admin on Boards likely knows them by heart, but I dunno if they'd give 'em to you. Try fluttering your eyelashes.

adam

mneylon

Try looking on RIPE ....

gibo_ie

as seamus said Eircom use 159.134.*.*
This is their official allocation and will tell you if you ask!
Gibo

Seth Brundle

...and when the blocked user changes ISP (say in work or whatever) they can then access the site!
Go with Seanus's idea of an administrator controlled login system rather than IP blocking!

andersde10

The standard way to restict access is to have a public area that anyone can access, then a login via username and password over https. Now for those users on a fixed IP you lock them down to that IP. For those over Eircom you can lock them down to that range - if it is very sensitive data they are accessing you could either make a fixed IP a requirment (think they can buy this from eircom). If you are really paranoid you can introduce a second level of security questions - like that banks do.

Another solution would be to require the user's on dynamic IP's to have a cookie on their machine to allow access. This would need some sort of verification functionality which allows then to login the first time, then a cookie is written and from then on they need that cookie in order to access the site. This could give you loads of hastle though because if they wiped their cookies they could no longer access and you'd need to handle reverification. It'd be very secure though.

fizzy

thanks a mill for all the replies guys... been sick so only saw them all now.

we do have a username and password login system in place.
it's just that as an extra security measure my boss wants the ip restriction in place i.e. so that even if someone gets hold of someone's login details, it would be no good to them unless they were accessing the app from the same ip as the original user...

i had thought of the cookie thing but i did it would just be too much hassle for us as our users are very non technical...

anyways i've still no definitive list of eircom ips as yet and we don't even know what eircom a/c type the user has yet so boss is happy enough to give access from everywhere to that user for now...

thanks again for all the input

Seth Brundle

if you already have a username/login system in place then all you need do is add in another check (to check users IP against a list of banned IPs). What method do you have in place at the moment to verify users?

fizzy

What method do you have in place at the moment to verify users?

i check the username and password entered against those stored in a database. ideally, i want to be able to check that the username and password and ip address match. this is possible for those with a fixed ip and a range can be used for organisations using multiple ips.
the idea is not so much to exclude a known list of bad ips as to not allow access unless the user is using the approved ip(s) if that makes sense...

maxheadroom

fizzy wrote:

i check the username and password entered against those stored in a database. ideally, i want to be able to check that the username and password and ip address match. this is possible for those with a fixed ip and a range can be used for organisations using multiple ips.
the idea is not so much to exclude a known list of bad ips as to not allow access unless the user is using the approved ip(s) if that makes sense...

A quick and dirty way would be something like (this is php - adjust as required)

[php]
$ipgood = false

$allowedips = array("1.1.1.1", "1.2.3");
$numips = count($allowedips);
for($counter=0; $counter < $numips; $counter ) {
$ipmatch = strpos($_SERVER, $allowedips[$counter]);
if ($ipmatch === false) {
//badip
$ipgood = false
} else {
//goodip
$ipgood = true
}
}

if ($ipgood === true) {
// Do login db procedure
} else {
//Go direct to failed login procedure
}[/php]

fizzy

oops only saw this post now... thanks for the code max