Lock Down Your Admin Area: How to Control Access for Maximum Security


The White House Situation Room is the pinnacle of power in the USA and in the world. There, the president receives his security briefings, and from there he can order a nuclear strike on any place on earth. Access to that room is reserved for the most senior political and military personnel. Its door is presumably made of reinforced materials and protected by the latest biometric scanners.

But protection against intruders does not start there. It starts at the gates of the White House. Only authorized people can pass through those gates: Secret Service agents check the identity of everyone trying to enter and confirm they are on the access list before letting them through. Layer upon layer of checks is put in place, and the checks get more exclusive the closer you get to the Situation Room.

You should adopt the same way of thinking when securing administration interfaces. These interfaces let us manage our services and platforms. They come in many forms and allow us to perform various tasks. Let’s look at some examples:

  • The SSH service lets us manage our servers
  • The WordPress admin panel lets us manage our website
  • An e-commerce admin interface lets us manage our digital store and our products
  • Admin interfaces that let us manage equipment (Wi-Fi router, printer, surveillance camera …)

You can see how sensitive all these interfaces are. If an attacker gains control of one of them, the damage can be severe. Access to the WordPress admin panel lets the attacker alter the website at will. Access to SSH lets the attacker read secrets from the server, and much more.

It is therefore important to protect these interfaces from attackers, and the first line of defense should be controlling who can reach them at all. If attackers cannot connect to an interface, they cannot attack it, whether by guessing passwords or by abusing a flaw in the software behind it. This defense mechanism is called “reducing the attack surface”.

Depending on the form of the admin interface, this is achieved in one of two ways: network filtering or web server configuration.

Network filtering

This applies to services that listen on a dedicated network port. For instance, SSH listens on TCP port 22 by default. You can filter access to that port with the server’s firewall: allow connections from a short list of known IP addresses (for example, the public IP addresses of your system administrators) and block every other address. If administrators work from changing addresses (home connections, mobile networks), give them a fixed address to come from, such as a VPN endpoint or a bastion host, and list only that.

With this configuration, attackers on the internet are blocked from reaching the service, so they cannot even attempt to break into it. Verify the rule from an address that is not on the list: the connection must be refused or time out, while administrators on the list must still get in. Keep an out-of-band way to reach the server (provider console, serial or KVM access) while you test, so that a mistake in the rules does not lock you out.

Check your hosting provider’s documentation on how to add firewall rules to your server. Most providers offer a simple interface for this (often called security groups or a network firewall).

If you host the server in-house, use your network firewall if you have one. Otherwise, use the host’s own firewall to block access from the internet (nftables or iptables on Linux, Windows Defender Firewall on Windows).

Web server configuration

In some cases, blocking a network port does not make sense. On a WordPress website, for instance, you cannot block ports 80 and 443: if you do, the whole website becomes inaccessible to the public, not just the admin interface.

Thankfully, web servers let us configure access rules for specific folders within a website. As with network filtering, allow access to the admin interface from your administrators’ addresses and block all other addresses.

On an Apache server, you can set up the filter with an .htaccess file. Create a file called “.htaccess” inside the admin folder (the folder called “wp-admin” on WordPress websites) with the following content, replacing X.X.X.X, Y.Y.Y.Y and Z.Z.Z.Z with your administrators’ addresses:


# Apache 2.2 syntax; on Apache 2.4 these directives only work with mod_access_compat loaded
Order Deny,Allow
Allow from X.X.X.X
Allow from Y.Y.Y.Y
Allow from Z.Z.Z.Z
Deny from all

With Order Deny,Allow, the Deny rules are evaluated first and the Allow rules last, so the listed addresses override the final Deny from all and every other client receives a 403 error. A few things to check before relying on this:

  • .htaccess files are only honored if the server configuration grants AllowOverride (at least Limit for these directives) on that directory; otherwise the file is silently ignored. Always test from an address that is not on the list.
  • Apache 2.4 replaced Order/Allow/Deny with Require ip. The old directives need mod_access_compat, and the two forms should not be mixed in the same scope.
  • If the site sits behind a CDN, load balancer or reverse proxy, Apache sees the proxy’s address rather than the visitor’s, so the filter blocks everyone (or, if the proxy’s address is listed, nobody). Configure mod_remoteip to take the real client address from the header the proxy sets before filtering by IP.
  • WordPress front-end features (themes and plugins) call wp-admin/admin-ajax.php from the public site, so exclude that file from the restriction or those features break for visitors.
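Both filters described above (the host firewall rule for SSH and the web server rule for the admin folder) are driven by the same allowlist of administrator addresses, so it is worth generating them from one place. The script below is an added example, not code from the original article: from one allowlist it emits an nftables ruleset that restricts TCP/22 and an Apache 2.4 .htaccess for wp-admin/ using the newer Require ip syntax, with the admin-ajax.php exception. The function names are hypothetical, and the addresses in the comments are RFC 5737 documentation ranges, not real administrator IPs.

```shell
#!/bin/sh
# Added example (not from the original article): derive both admin-access
# filters from one allowlist of administrator addresses.
#   gen_ssh_nft 22 203.0.113.10 198.51.100.0/24   -> nftables ruleset for TCP/22
#   gen_wp_admin_htaccess 203.0.113.10 198.51.100.0/24 -> .htaccess for wp-admin/
# Function names are hypothetical; the addresses above are RFC 5737 ranges.

# is_ipv4 ADDR: accept a dotted-quad IPv4 address with an optional /prefix.
# The check is loose (octets are not range-checked); it exists to reject stray
# shell text, and `nft -c` / a live request do the authoritative validation.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# check_allowlist ADDR...: fail unless every argument is a usable address.
# An empty list would otherwise produce a rule set that locks everyone out.
check_allowlist() {
    [ "$#" -gt 0 ] || { echo 'allowlist is empty: refusing to emit rules' >&2; return 1; }
    for a in "$@"; do
        is_ipv4 "$a" || { echo "not an IPv4 address/CIDR: $a" >&2; return 1; }
    done
}

# gen_ssh_nft PORT ADDR...: nftables ruleset that accepts TCP/PORT only from
# the allowlist and drops it from everywhere else. Other ports are untouched
# (policy accept), so this can be loaded alongside existing rules.
gen_ssh_nft() {
    [ "$#" -ge 2 ] || { echo 'usage: gen_ssh_nft PORT ADDR...' >&2; return 1; }
    port=$1; shift
    check_allowlist "$@" || return 1
    elems=$(printf '%s, ' "$@"); elems=${elems%, }
    cat <<EOF
table inet admin_ssh {
    set admin_ips {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $port ip saddr @admin_ips accept
        # IPv6 clients are never in the IPv4 set, so they hit the drop as well.
        tcp dport $port counter drop
    }
}
EOF
}

# gen_wp_admin_htaccess ADDR...: Apache 2.4 (mod_authz_core) rules for wp-admin/.
# Plain Require directives at the same level combine as RequireAny, so any
# listed address is granted and everyone else receives a 403.
gen_wp_admin_htaccess() {
    check_allowlist "$@" || return 1
    echo '# Restrict wp-admin/ to administrator addresses (Apache 2.4 syntax).'
    echo '# Needs AllowOverride AuthConfig (or All) on this directory.'
    for a in "$@"; do
        echo "Require ip $a"
    done
    cat <<'EOF'

# Public pages call admin-ajax.php from the front end, so that one file stays
# open: a <Files> section merges after the directory-level rules and replaces them.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}
```

Write the first output to a file and check it with `nft -c -f FILE` before loading it with `nft -f FILE`; `-c` parses the ruleset without applying it, so a typo cannot lock you out. The .htaccess output is not covered by `apachectl -t` (per-directory files are only read at request time), so verify it the same way as the network rule: request a wp-admin URL from a listed address and from an unlisted one and confirm the second gets a 403.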
