* Johann Schwarzmeier (Johann.Schwarzmeier@gmx.de) [010921 14:25]:
> Hello,
>
> Hint: see what I've done:
>
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>
> The CGI:
>
> echo "You come from : ${REMOTE_ADDR}"
>
> sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
> sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
>
>
> keep in mind: sudo !
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL

careful with that... someone who breaks your apache will have permission to do, say:

sudo ipchains -P input ACCEPT
sudo ipchains -F input

> > it works fine. The cracker comes only one time. :-)

On the whole, I'm sure it does, and the risk is acceptably slim. One way to reduce the risk further would be to specify the specific arguments to ipchains, or make a wrapper script something like this:

#!/bin/sh
# /usr/local/sbin/nimdablocker.sh: give me $1, and I block him.
ipchains -I wan-in -j DENY -l -s "$1"
ipchains -I wan-out -j DENY -l -s "$1"
#EOF

and allow that via sudo instead.

--
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
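A hardened variant of the wrapper idea from this reply, added here as an example and not taken from the thread: it accepts exactly one argument, checks that it is a plain dotted-quad IPv4 address, and only then calls ipchains, so a compromised www-data account cannot smuggle extra ipchains options through sudo. It assumes the wan-in/wan-out chain names and the /sbin/ipchains path used in the quoted post; DRY_RUN is an assumed switch that prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example: validate the address before it ever reaches ipchains.
# Install as the only command sudo allows www-data to run, e.g.
#   www-data ALL=NOPASSWD: /usr/local/sbin/nimdablocker.sh
# (sudoers line is an assumption, modelled on the original post).

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with each octet 0-255.
is_ipv4() {
    # Reject anything that is not digits and dots, or has a leading,
    # trailing or doubled dot (this also rejects spaces and '-' options).
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots using the default IFS (no IFS juggling needed).
    octets=$(printf '%s\n' "$1" | tr '.' ' ')
    set -- $octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_host ADDR: insert DENY rules for ADDR on both chains.
# With DRY_RUN set, print the commands instead of running them.
block_host() {
    [ $# -eq 1 ] || { echo "usage: nimdablocker.sh ADDRESS" >&2; return 2; }
    is_ipv4 "$1" || { echo "refusing non-IPv4 argument: $1" >&2; return 3; }
    for chain in wan-in wan-out; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "/sbin/ipchains -I $chain -j DENY -l -s $1"
        else
            /sbin/ipchains -I "$chain" -j DENY -l -s "$1" || return 4
        fi
    done
    return 0
}
```

The CGI would then call `sudo /usr/local/sbin/nimdablocker.sh "$REMOTE_ADDR"`; the script rejects `192.0.2.1 -P input` or `-F` outright instead of passing them on.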