Make PRTG webinterface inaccessible using IP

Votes:

0

I run PRTG on a remote server with a static IP, so if I enter the IP in my browser I end up there. Since I set up a DNS record to access the site, and would rather not have random people end up there, I want to make it impossible to reach from just the IP (the IP is not exactly secret, so somebody randomly entering it into the browser is a realistic possibility).

So my question is whether I can prevent the IP from automatically redirecting to the correct port or somehow make it only accessible via the proper domain. The DNS runs on a different server (different IP), so maybe I can lock it to only accept the DNS server's IP?

If no other way is currently available, I will use the method suggested in this question: https://kb.paessler.com/en/topic/86815-can-i-restrict-the-client-ips-that-can-access-the-administration-webpage-to-a-specific-ip-or-subnet

dns ip port prtg webserver

Created on Oct 22, 2021 4:43:47 PM



3 Replies

Votes:

0

Hello,

Thank you for your message.

Regarding what you would like to achieve, I'm afraid that it is not possible to block access via the IP address; otherwise you won't be able to access PRTG via the domain either.

Nevertheless, you should be able to limit the access to specific countries/IPs, for example, in the firewall of your network.

You can also change the default port for HTTPS so PRTG does not reply to unwanted HTTPS requests made on the default port. To do so, I invite you to go to Setup > System Administration > User Interface and then select the option Custom configuration under "TCP Port for PRTG Web Server". Afterwards, configure the port you want to use and then restart the Core service (you will be asked to do so when saving the modification).

Regards.

Created on Oct 25, 2021 12:13:10 PM by  Florian Lesage [Paessler Support]



Votes:

0

I changed the port to something pretty random and adjusted the port on the DNS, and that aspect works... but the firewall inbound rule doesn't seem to trigger. Maybe I just made a mistake setting it up. It's set to only allow access to the port from the DNS server's IP, which has the proper DNS A-Record and SRV-Record, and the local IP. I can still access it from my home PC if I add the port, though, which kind of bothers me. (And if I don't delete the cookies afterwards, I don't even need the port again. It seems like it stopped automatically adding the changed port after I made the firewall rule, though.)

Since the main security problem is mostly fixed it's not as important anymore, but it still bothers me.

Created on Oct 26, 2021 5:30:21 AM



Votes:

0

I'm afraid that restricting the IP addresses allowed to connect would be the only solution here, as it is not possible to block access to the server via its IP address. Modifying the port as you did is also a step to limit connections to users who know it, unless your IP address is available on the Internet and a port scan can therefore be done.

Regards.

Created on Oct 26, 2021 8:45:56 AM by  Florian Lesage [Paessler Support]
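
Added example, not part of the thread or of Paessler's documentation: a PowerShell check for an inbound allow rule that appears not to take effect, followed by the restricted rule itself. It assumes the rule lives in Windows Defender Firewall on the PRTG host; the port and the addresses are placeholders.

```powershell
# Placeholder values (assumptions, not taken from the thread).
$Port    = 8443                                  # custom PRTG web server port
$Allowed = @('203.0.113.10', '198.51.100.0/24')  # client addresses allowed to connect
# List client addresses here: browsers connect from their own IP, and a DNS
# server only answers name lookups, so it is never the source of the request.

function Test-PortMatch($LocalPort, [int]$Port) {
    foreach ($p in @($LocalPort)) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and
            $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 1. The firewall must be enabled and DefaultInboundAction must not be Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Allow rules are additive: any other enabled allow rule that covers the
#    port with RemoteAddress "Any" still admits everyone.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        if ($pf.Protocol -in 'TCP', 'Any' -and (Test-PortMatch $pf.LocalPort $Port) -and
            @($af.RemoteAddress) -contains 'Any') {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                LocalPort   = @($pf.LocalPort) -join ','
                Program     = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        }
    }
$broad | Format-Table -AutoSize

# 3. Preview narrowing each broad rule (remove -WhatIf after reviewing the list;
#    a program-wide rule narrows every port that program listens on).
foreach ($r in $broad) {
    Set-NetFirewallRule -Name $r.Name -RemoteAddress $Allowed -WhatIf
}

# 4. The dedicated rule for the web interface, scoped to the allowed clients.
New-NetFirewallRule -DisplayName 'PRTG web interface (restricted)' `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $Allowed -Action Allow
```

Run it from an elevated PowerShell session; if step 2 lists nothing and the port is still reachable from other addresses, the filtering is happening (or not happening) on a device in front of the host rather than in the host firewall.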



