Admin Security

On certain high-security environments, it is often required to block admin access to all but a white list of IPs. Typically this is done at the Apache level with two servers, one that blocks access to admin urls and another that doesn't. Then the admin server access is locked down as required.

This module does away with that dual server approach. When you activate it (installing/enabling the module does nothing. You have to turn it on in it's UI), It automatically adds your current IP to its white list and begins blocking all other IPs from the standard Drupal admin pages. You can then add as many IPs or IP ranges as you need to. It also automatically allows all access from your localhost (127.0.0.1). That IP is not automatically added to the white list and never has to be. It will always be allowed.

Optionally, you can block logins as well. It defaults to not blocking user logins. When user login blocking is activated it does two things. first it blocks the /user page of course. But because users can also log in from a Log In Block, an extra measure had to be taken. I could not find any way to actually block the internal login process. So what the module does is after the login finishes the module immediately logs the user out and destroys their session.

This module works off of the assumed admin urls.
user/*
users/*
node/*/xxx
taxonomy/*/xxx
admin/*

Basically these are the standard admin urls, the first 4 being core content urls and with all other modules leveraging the "/admin" root path. Contrib modules should build their admin UIs off of these paths as a best practice, but that's not always the case, so there is the ability to add custom paths to the block list.