* Johann Schwarzmeier (Johann.Schwarzmeier@gmx.de) [010921 14:25]:
> Hello,
>
> Hint: see wat iv'ed done:
>
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>
> The CGI:
>
> echo "You come from : ${REMOTE_ADDR}"
>
> sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
> sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
>
>
> keep in mind: sudo !
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL
careful with that... someone who breaks your apache will have permission
to do, say:
sudo ipchains -P input ACCEPT
sudo ipchains -F input
>
> it works fine. The cracker come only one time. :-)
On the whole, I'm sure it does, and the risk is acceptably slim. One way
to reduce the risk further would be to specify the specific arguments to
ipchains, or make a wrapper script something like this:
#!/bin/sh
# /usr/local/sbin/nimdablocker.sh: give me $1, and I block him.
ipchains -I wan-in -j DENY -l -s $1
ipchains -I wan-out -j DENY -l -s $1
#EOF
and allow that via sudo instead.
--
Vineet http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Attachment:
pgpDvzEl29nx_.pgp
Description: PGP signature