restrict_login_ip
This project lets you restrict access to the /user/login page by user IP address.
Features
When allowed IP addresses are set, the /user/login page (including the REST login at /user/login?_format=json) is accessible only from those addresses and returns a 403 response to all other IP addresses.
In 1.1.x the protection was extended:
- You can optionally restrict other login-related pages too: user registration, password reset, one-time login links, the login status endpoint and the /user page.
- You can choose to return a 404 "Not Found" response instead of 403, so the restricted pages appear not to exist at all.
Post-Installation
Visit /admin/config/people/restrict_login_ip to set the list of allowed IP addresses or ranges (in CIDR format), separated by semicolons.
Alternatively, you can set those as $config['restrict_login_ip.settings']['ip_ranges'] in settings.php.
When the variable is empty, the login page is accessible to all IP addresses.
In 1.1.x the same settings page also lets you choose which additional pages to protect and whether to return 404 instead of 403. The module also shows a warning on the status report if another authentication method (such as basic auth) is enabled, since those can bypass the IP check.
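To check a proposed allow list before saving it, the following added example (not the module's own code) evaluates a semicolon-separated value as this page describes it: listed addresses and CIDR ranges get through, everything else gets 403 or 404, and an empty value leaves the page open. The function names, the sample value, the use of 200 to mean "allowed" and the whitespace handling are assumptions; the module's own parsing may differ.

```python
import ipaddress

# Constructed sample value, in the semicolon-separated form the page describes.
SAMPLE_RANGES = "203.0.113.7; 198.51.100.0/24; 2001:db8::/32"


def parse_ip_ranges(value):
    """Split the setting into network objects; ValueError on a bad entry."""
    networks = []
    for entry in value.split(";"):
        entry = entry.strip()  # assumption: surrounding whitespace is ignored
        if entry:
            # strict=False accepts entries such as 198.51.100.7/24
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def login_status(client_ip, ip_ranges, use_404=False):
    """HTTP status a client would get on /user/login under this allow list."""
    networks = parse_ip_ranges(ip_ranges)
    if not networks:
        return 200  # empty setting: open to all addresses
    addr = ipaddress.ip_address(client_ip)
    if any(addr.version == n.version and addr in n for n in networks):
        return 200
    return 404 if use_404 else 403


def locked_out(expected_ips, ip_ranges):
    """Addresses that should be able to log in but would be refused."""
    return [ip for ip in expected_ips if login_status(ip, ip_ranges) != 200]


def open_to_all(ip_ranges):
    """Entries that cover a whole address family and defeat the restriction."""
    return [str(n) for n in parse_ip_ranges(ip_ranges) if n.prefixlen == 0]


if __name__ == "__main__":
    print(login_status("192.0.2.1", SAMPLE_RANGES))
    print(locked_out(["203.0.113.7", "192.0.2.50"], SAMPLE_RANGES))
    print(open_to_all("0.0.0.0/0; 203.0.113.7"))
```

Run locked_out with the addresses your administrators actually connect from, as seen by the web server, before applying the value.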
Similar projects
This module was created as a replacement for the Restrict Login or Role Access by IP Address module. The difference is that this module:
- Checks access to the login page instead of checking it after a user submitted the login form.
- Does not log out a user if they changed IP address after login.
- Does not block other login methods (like SSO).