How to protect public admin area


#1

Hi, I enabled the remote server backup via the internet and now the admin page is exposed to the public (though it is password protected).
I need to protect it; what is the best practice? I think I am using the default web server. How do I disable it and work with Apache virtual hosts and .htaccess? I read the documentation but cannot understand how to disable the default web server. I found the www docs directory, but there is only the skeleton.
So I can bind it to my fixed IP or so.

Thanks


#2

Hope this helps someone. I use a MikroTik router.

For internet client backups I allow traffic through for the backup client:

/ip firewall nat
add action=dst-nat chain=dstnat comment="UrBackup Port Forwarding - Client backup uploads" dst-address-type=local dst-port=55415 protocol=tcp to-addresses=10.0.8.214 to-ports=55415

Then, to restrict internet scanning of the HTTP admin, I only allow clients that have hit the backup port within the last 24 hours to access the HTTP admin port.

The first rule adds all devices trying to connect to port 55415 (backup client port) to an address list:

/ip firewall filter
add action=add-src-to-address-list address-list=UrBackupAccess address-list-timeout=1d chain=forward comment="Give UrBackup web access if running UrBackup client backups" dst-port=55415 protocol=tcp

The second rule allows the UrBackupAccess address list access to the web admin pages on port 55414:

/ip firewall nat
add action=dst-nat chain=dstnat comment="UrBackup Port Forwarding" dst-address-type=local dst-port=55414 log=yes protocol=tcp src-address-list=UrBackupAccess to-addresses=10.0.8.214 to-ports=55414

FYI, I also have port-knock rules that whitelist access, and I have another rule without the address-list restriction that I can manually enable to give unrestricted access to the HTTP admin port, which I disable as soon as I'm done giving access or reinstalling the backup client.
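The same "hit the backup port first" gate, as an added example that is not part of either post above, expressed for a Linux host that runs UrBackup itself rather than behind a MikroTik. It uses the iptables `recent` module, which keeps a kernel-side source-address list with a per-entry timestamp, so it plays the role of the RouterOS address list with address-list-timeout=1d. The ports (55415 for internet client backups, 55414 for the web admin), the 24-hour window and the list name urbackupaccess are taken from or modelled on the post; the INPUT-chain placement, the ACCEPT on the backup port and the fixed-IP helper are assumptions for a host-local firewall. One caveat that applies to the MikroTik rules as well: the list is populated by any TCP connection attempt to the backup port, authenticated or not, so a scanner that probes both ports in order still reaches the login page. The gate cuts exposure to opportunistic scanning; the admin password (and, for example, the fixed-IP allow rule) remains the actual access control.

```shell
# Added example: iptables "recent" gate for the UrBackup admin port.
# Assumed ports from the post: 55415 = internet client backups, 55414 = web admin.
# Set IPTABLES=echo to print the rules instead of applying them (useful for review).
BACKUP_PORT=${BACKUP_PORT:-55415}
ADMIN_PORT=${ADMIN_PORT:-55414}
WINDOW_SECONDS=${WINDOW_SECONDS:-86400}   # 1d, like address-list-timeout=1d
LIST_NAME=${LIST_NAME:-urbackupaccess}
IPTABLES=${IPTABLES:-iptables}

urbackup_gate_rules() {
    # 1. Backup port: accept the connection and record (or refresh) the source address
    #    in the recent list. This is the add-src-to-address-list step.
    "$IPTABLES" -A INPUT -p tcp --dport "$BACKUP_PORT" -m conntrack --ctstate NEW \
        -m recent --name "$LIST_NAME" --set -j ACCEPT
    # 2. Admin port: only sources seen on the backup port within the window get in.
    #    --rcheck (rather than --update) means the clock runs from the last backup
    #    connection; browsing the admin page does not keep the entry alive.
    "$IPTABLES" -A INPUT -p tcp --dport "$ADMIN_PORT" -m conntrack --ctstate NEW \
        -m recent --name "$LIST_NAME" --rcheck --seconds "$WINDOW_SECONDS" -j ACCEPT
    # 3. Everyone else: log the attempt (the post's log=yes) and reset the connection.
    "$IPTABLES" -A INPUT -p tcp --dport "$ADMIN_PORT" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "urbackup-admin-denied: "
    "$IPTABLES" -A INPUT -p tcp --dport "$ADMIN_PORT" -j REJECT --reject-with tcp-reset
}

# Break-glass rule for one fixed admin address (the first post's "bind it to my fixed IP"):
# inserted at the top of INPUT so it wins regardless of the recent-list state.
urbackup_allow_fixed_ip() {
    "$IPTABLES" -I INPUT -p tcp -s "$1" --dport "$ADMIN_PORT" -j ACCEPT
}

# Usage: sh gate.sh apply [admin-ip]   (run as root; omit "apply" to do nothing)
if [ "${1:-}" = "apply" ]; then
    urbackup_gate_rules
    [ -n "${2:-}" ] && urbackup_allow_fixed_ip "$2"
fi
```

To see who is currently on the list and when they last hit the backup port, read `/proc/net/xt_recent/urbackupaccess`; the entries there are what rule 2 consults. Run the script with `IPTABLES=echo` first to review the exact rules before applying them on a host you can only reach remotely.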