user agent as a security feature?

“i want to restrict the access … as much as possible.” In that case, just don’t put the site online. ;)

Both IP and user agent filtering can indeed be circumvented, but might require someone who has access to figure out how to. This depends on how well you implement it. For example, giving a message “only IPs from X are allowed” makes it kind of obvious, but also bad input filtering might allow someone to cause the site to give unintended feedback.

It does seem overkill, but it also depends on what exactly you need and what you can require from your users.

If you don’t want people to find the site, consider making it available only through a subdomain that is not the default domain for the webserver or through something like Tor.

If you want make sure only specific people can use the site and you can require them to put in some effort, then you might want to consider using client SSL certificates.

That said, whatever you do, you can’t really protect against people sharing the site with others or be certain that there are no ways to circumvent any of your protections. It is always a balance.

@dloser here is some more information about what i’m asking:

the site is public for everyone, i was talking about restricting the access to the Back End of the site (admin area) - which should be accessed only by the Admin - so the url (just the login page) will not be shared.

about the IP filtering - it doesn’t give any message - just returns a 404 response if the IP rule is not matched.

so if i add user agent filter that will require effort only from the admin but it will be more secure - am I right?

Interesting. IMO the more security features you set up, the more difficult the access is for hackers. I don’t know how .NET works exactly, but with an apache server I would have created an additional filter with htaccess/htpassword on your backend directory. And the address of this backend would be really complicated, not guessable : the admin could have bookmarked the page the first time he uses it.

[quote=kifkaf]about the IP filtering - it doesn’t give any message - just returns a 404 response if the IP rule is not matched.[/quote]

It’s a good thing.

[quote=kifkaf]so if i add user agent filter that will require effort only from the admin but it will be more secure - am I right?[/quote]
That will require effort from hackers too. After all, once the config has been correctly set up on the admin machine, it doesn’t require any additional effort from him/her to connect to the backend, whereas hackers couldn’t ever connect to it unless they know exactly how you secured your access.

Ah, ok. Well, back end doesn’t really mean that though. It usually refers to the servers running the site (see https://en.wikipedia.org/wiki/Front_and_back_ends).

Adding any type of filtering or whatever can be said to make it more secure. However, all additional code also introduces an extra risk for vulnerabilities. For example, your IP filtering gives a 404 if the IP is incorrect, but what happens when the IP is not in the format you expect it to be? Perhaps you expect IPv4, but you get an IPv6 address (or for some reason not an address at all). This could lead to an exception which might be presented to the user, showing that there is something interesting going on. The more checks like this you have, the greater the chance one might encounter an issue with it.

I doubt it is really worth the effort. If it is, perhaps it is better to separate the administration from the (main) site altogether.

@dloser
sorry for the mix-up about what “back end” means.

[quote=author]I doubt it is really worth the effort. If it is, perhaps it is better to separate the administration from the (main) site altogether. [/quote]
and than how would you secure it? back to square one.

[quote=author]but what happens when the IP is not in the format you expect it to be? Perhaps you expect IPv4, but you get an IPv6 address (or for some reason not an address at all). This could lead to an exception which might be presented to the user, showing that there is something interesting going on[/quote]

the only interesting thing it might show is not an exception but the 404 response returned url will have a couple of symbols.

[quote=kifkaf]and than how would you secure it? back to square one.[/quote]
But what you are doing now is mostly obscuring the fact that something more is present in something that is publicly available. If you separate it, that’s a less of a concern or hassle. The real security comes from having a secure admin login without vulnerabilities. But again, it all matters on what you need and what your options (and their costs) are, which is ultimately something only you can judge.

[quote=kifkaf]the only interesting thing it might show is not an exception but the 404 response returned url will have a couple of symbols.[/quote]
The point is that this is assuming everything works as you think it does. This is not always the case. ;)