What version of ejabberd are you using?
17.04
What operating system (version) are you using?
CentOS
How did you install ejabberd (source, package, distribution)?
package
What did not work as expected? Are there error messages in the log? What
was the unexpected behavior? What was the expected result?
We have an admin user that we use for administration, and we allow our internal IP through the firewall to access the ejabberd WebAdmin page on port 5280. The problem is that someone on the client side, using port 5222 (which we open to public traffic), can also log in as our admin user if they have the password.
My question is how we can disable admin user access from the client side and restrict the ejabberd WebAdmin page so that it is served, and can be logged into, only from our local network on port 5280.
See ACL settings to allow admin user only from local.
/Close this
I already checked that setting. Can you please share an example or link? Thanks
In this example, user1@localhost can log in to the webadmin, but cannot log in using an XMPP client on port 5222.
listen:
  -
    port: 5222
    module: ejabberd_c2s
    access: c2s
acl:
  admin:
    user:
      - "user1@localhost"
  adminc2s:
    user:
      - "user1@localhost"
access_rules:
  c2s:
    - deny: blocked
    - deny: adminc2s
    - allow
  configure:
    - allow: admin
Thanks, it's working fine. When I tried to log in using the client, I got the error: Cannot bind resource. Before this setting, the client was able to connect as the admin user.
Thanks, appreciated.
Hi, thanks for the last one, but I am again facing an issue while restricting the IP for this backend user, so that it can only connect from the node server or private subnet.
c2s:
  - deny: blocked
  - deny: admin
  - allow:
      - user: "backend_admin@localhost"
      - ip: "::FFFF:10.0.0.1/16"
I tried with IPv6 and also with IPv4 format, but neither of them worked.
c2s:
  - deny: blocked
  - deny: admin
  - allow:
      - user: "backend_admin@localhost"
      - ip: "10.0.0.1/16"
Please, how can I restrict the IP?
The order of the rules is important. Some examples:
First of all, this denies login to blocked and admins. It allows the account user1@localhost. It also allows clients from IP "10.0.0.0/24". And it denies everybody else. So, if user1 is admin, he cannot log in!
access_rules:
  c2s:
    - deny: blocked
    - deny: admin
    - allow:
        - user: "user1@localhost"
    - allow:
        - ip: "10.0.0.0/24"
    - deny
This denies login to blocked and admins. It allows the account user1@localhost to log in if it connects from IP "10.0.0.0/24". And it denies everybody else. So, user1 can connect ONLY from addresses "10.0.0.0/24".
access_rules:
  c2s:
    - deny: blocked
    - deny: admin
    - allow:
        - user: "user1@localhost"
        - ip: "10.0.0.0/24"
    - deny
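A small Python model of the rule evaluation described in the comment above, added here as an illustration; it is not ejabberd's code and not part of the original thread. It assumes rules are checked top to bottom, the first matching rule decides, and every condition inside one rule must match; `evaluate`, the ACL membership and the sample addresses are constructed.

```python
import ipaddress

# Constructed ACL membership for illustration (not taken from the thread).
ACLS = {"blocked": set(), "admin": {"boss@localhost"}}

# First c2s rule list from the comment: two separate allow rules.
RULES_SEPARATE = [
    ("deny", ["blocked"]),
    ("deny", ["admin"]),
    ("allow", [{"user": "user1@localhost"}]),
    ("allow", [{"ip": "10.0.0.0/24"}]),
    ("deny", []),
]

# Second c2s rule list: user and ip inside one allow rule.
RULES_COMBINED = [
    ("deny", ["blocked"]),
    ("deny", ["admin"]),
    ("allow", [{"user": "user1@localhost"}, {"ip": "10.0.0.0/24"}]),
    ("deny", []),
]


def cond_matches(cond, jid, ip, acls):
    """Check one condition: a named ACL, an inline user, or an inline ip."""
    if isinstance(cond, str):
        return jid in acls.get(cond, set())
    if "user" in cond:
        return jid == cond["user"]
    if "ip" in cond:
        net = ipaddress.ip_network(cond["ip"], strict=False)
        return ipaddress.ip_address(ip) in net
    return False


def evaluate(rules, jid, ip, acls=ACLS):
    """Return the action of the first rule whose conditions all match."""
    for action, conds in rules:
        if all(cond_matches(c, jid, ip, acls) for c in conds):
            return action
    return "deny"  # assumed default when nothing matches


if __name__ == "__main__":
    for name, rules in (("separate", RULES_SEPARATE), ("combined", RULES_COMBINED)):
        for jid, ip in (("user1@localhost", "203.0.113.7"), ("guest@localhost", "10.0.0.5")):
            print(name, jid, ip, "->", evaluate(rules, jid, ip))
```

With separate allow rules, user1 is admitted from any address and any account is admitted from 10.0.0.0/24; with the combined rule, only user1 connecting from 10.0.0.0/24 is admitted.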
Thanks, @badlop. I did the same configuration as you mentioned, but when the Node server tries to connect, I got the following error.
error: Cannot bind resource
c2s:
  - deny: blocked
  - deny: admin
  - allow:
      - user: "backend_admin@localhost"
      - ip: "10.0.0.1/16"
  - deny
While backend_admin is not an admin user.
And this one allows connecting from every IP:
c2s:
  - deny: blocked
  - deny: admin
  - allow:
      - user: "backend_admin@localhost"
  - allow:
      - ip: "10.0.0.1/16"
  - deny