The Whitelist management page
This page allows you to manage the IP Whitelist, defining the list of IPs or IP blocks which have access to your site's administrator area. The management is done using the standard Joomla! toolbar buttons. Clicking on an entry, or checking its box and clicking on the edit button in the toolbar, will allow you to edit the entry. Clicking on the New button allows you to add an IP/IP range. Checking one or several items in the list and clicking on the delete button in the toolbar will remove them from the list.
The Edit/Add page looks like this:
The Whitelist editor page
Your current IP address is displayed right above the edit box. Make sure that it is the first one you include so that you do not lock yourself out of your site's administrator area!
In the IP Address Range box you can enter an IP or IP range in one of the following ways:
A single IP, e.g. 192.168.1.1
A human readable block of IPs, e.g. 192.168.1.1-192.168.1.10
An implied IP range, e.g. 192.168.1. for all IPs between 192.168.1.1 and 192.168.1.255, or 192.168. for all IPs between 192.168.0.1 through 192.168.255.255.
A CIDR block, e.g. 192.168.1.1/8. If you don't know what this is, forget about it as you don't need it.
A Subnet Mask notation, e.g. 192.168.1.1/255.255.255.0
A dynamic IP domain name prefixed by the at-sign. This only applies if you are using a dynamic IP address domain provider (e.g. DynDNS). For example, if you are using DynDNS and your dynamic IP address domain name is example.dyndns.info you can enter @example.dyndns.info to whitelist your dynamic IP address. Be careful to enter the correct domain name or you may have a delay of up to 30" processing backend login requests and security exceptions. Furthermore, this method ONLY works with IPv4 addresses. Dynamic IP domain lookups do not take into account the IPv6 address. This is a limitation of PHP.
Do note that Admin Tools supports IPv4 and IPv6 (if your server supports IPv6) for any form of IP you enter yourself (single IP, human readable block, implied IP range, CIDR block and subnet mask notation). However, IPv6 will not work with the Dynamic IP Domain Name entries.
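To see how many addresses each notation above actually opens up, the following added example (not Admin Tools' own code) expands an entry into its first and last address using the standard semantics of Python's ipaddress module. The function names and the 256-address review threshold are assumptions made for illustration; implied ranges follow the bounds given on this page, and dynamic DNS (@) entries are rejected because they need a live lookup.

```python
import ipaddress

def entry_range(entry):
    """Return the (first, last) address covered by one whitelist entry."""
    entry = entry.strip()
    if entry.startswith("@"):
        raise ValueError("dynamic DNS entries need a live lookup: " + entry)
    if "-" in entry:  # human readable block: first-last
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range: " + entry)
        return lo, hi
    if "/" in entry:  # CIDR block or subnet mask notation
        # strict=False tolerates host bits, as in the page's 192.168.1.1/8
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    if entry.endswith("."):  # implied IPv4 range such as "192.168.1."
        octets = entry.rstrip(".").split(".")
        missing = 4 - len(octets)
        if not 1 <= missing <= 3:
            raise ValueError("bad implied range: " + entry)
        # The page gives .1 as the first address and .255 as the last.
        lo = ".".join(octets + ["0"] * (missing - 1) + ["1"])
        hi = ".".join(octets + ["255"] * missing)
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    ip = ipaddress.ip_address(entry)  # single IPv4 or IPv6 address
    return ip, ip

def size(entry):
    """Number of addresses an entry lets through."""
    lo, hi = entry_range(entry)
    return int(hi) - int(lo) + 1

def is_allowed(ip, whitelist):
    """True if ip falls inside any entry of the same IP version."""
    addr = ipaddress.ip_address(ip)
    for entry in whitelist:
        lo, hi = entry_range(entry)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def broad_entries(whitelist, max_addresses=256):
    """Entries wider than max_addresses (an assumed review threshold)."""
    return [(e, size(e)) for e in whitelist if size(e) > max_addresses]

# Constructed sample list built from the example values on this page.
SAMPLE = ["192.168.1.1", "192.168.1.1-192.168.1.10", "192.168.1.",
          "192.168.1.1/8", "192.168.1.1/255.255.255.0"]
```

Under standard CIDR semantics the page's 192.168.1.1/8 example spans every address from 192.0.0.0 to 192.255.255.255, so a check like broad_entries(SAMPLE) is a quick way to catch a prefix length that is far wider than intended before saving it.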
You can use the Save & New button to quickly add multiple entries without having to go back to the administration page and click on New all the time.
Ideally, you should only use this feature if the IP address you are using to connect to the Internet never, ever changes. This is called a "static IP address" and it's usually an optional, extra-cost feature with most Internet service providers. Please note that having a dynamic DNS service, such as those provided by Dyn.com, is the exact opposite of having a static IP address: dynamic DNS services frequently update a domain name to point to your ever-changing IP address.
While Admin Tools 5.2.0 and later make it possible to use a dynamic DNS for IP whitelisting, it may be problematic for two reasons. First, it's terrible for performance, as a DNS resolution must be done for every page load of your site where the IP whitelist must be read. That means any attempt to access the administrator login page while logged out of the administrator, and every time a security exception is raised. If your server does not cache IP resolution locally this can slow your site down considerably.
Furthermore, all dynamic IP providers have a default timeout for the dynamic DNS entries varying from 1 minute to 1 hour. If your IP changes within that period your server might be "blind" to the change. The same thing can happen if your dynamic IP updater (typically running in your router or NAS firmware) fails to update the dynamic DNS provider with your new IP address. At best this will be an inconvenience because you cannot access your site's administration until your dynamic DNS provider is updated and your server "sees" the new IP address for that DNS entry. At worst, this can be initiated by a targeted attack to lock you out of your site while the attacker exploits a different path to gain access to your site, leaving you helpless.
Finally, bear in mind that you should never use this feature if you expect to have to access your administrator area from an Internet connection with an unpredictable IP such as a public WiFi hotspot, a satellite Internet connection (e.g. those used in ships, airplanes and remote research stations) or a mobile broadband connection (including mobile-network-assisted Internet routers, even if your ISP is assigning a static IP address to your main, wired, Internet connection). DO NOT, EVER, WHITELIST THE IP ADDRESS OF A PUBLIC, SHARED CONNECTION! YOU WILL GET HACKED!
For the observant reader, we listed mobile broadband connections together with shared connections. This is not an oversight. Mobile Internet connections tend to recycle IP addresses far faster than their fixed (landline, fiber, cable, ...) counterparts. This is largely because of the ephemeral nature of the connection and the frequent hopping between areas of coverage and areas of non-coverage. Because of the fast rate of IP address recycling, using them for whitelisting ranges from very impractical to potentially dangerous (e.g. if an advanced attacker uses a malicious femtocell to launch a man-in-the-middle attack).