* Johann Schwarzmeier ([EMAIL PROTECTED]) [010921 14:25]:
> Hello,
>
> Hint: see what I've done:
>
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>
> The CGI:
>
> echo "You come from : ${REMOTE_ADDR}"
>
> sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
> sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
>
>
> keep in mind: sudo !
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL

careful with that... someone who breaks your apache will have permission
to do, say:

sudo ipchains -P input ACCEPT
sudo ipchains -F input

>
> it works fine. The cracker comes only one time. :-)

On the whole, I'm sure it does, and the risk is acceptably slim. One
way to reduce the risk further would be to specify the specific
arguments to ipchains, or make a wrapper script something like this:

#!/bin/sh
# /usr/local/sbin/nimdablocker.sh: give me $1, and I block him.
ipchains -I wan-in -j DENY -l -s "$1"
ipchains -I wan-out -j DENY -l -s "$1"
#EOF

and allow that via sudo instead.

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
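
The wrapper idea from the reply above, carried one step further as an added example (not code from either poster): the script checks that its single argument is a plain dotted-quad address before anything reaches ipchains. The install path, the sudoers line in the comment and the DRY_RUN switch are assumptions of this sketch; the chain names are the ones used in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical install path:
#   /usr/local/sbin/nimdablocker.sh
# with sudoers granting only this script instead of all of /sbin/ipchains:
#   www-data ALL = NOPASSWD: /usr/local/sbin/nimdablocker.sh
# Chain names wan-in/wan-out come from the thread; DRY_RUN is an assumption
# of this sketch and only prints the commands.

IPCHAINS=/sbin/ipchains   # fixed path, never taken from the caller's environment

# Succeed only for a plain dotted quad: four octets, each 0..255.
# Rejects netmasks ("/0" would match every source), hostnames, extra
# options, and leading zeros (which some parsers read as octal).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    rest="$1."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            ''|????*|0?*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Insert the two DENY rules for one validated address. The address is the
# only caller-controlled word on the ipchains command line.
block() {
    is_ipv4 "$1" || { echo "refusing: not a dotted-quad IPv4 address" >&2; return 1; }
    for chain in wan-in wan-out; do
        ${DRY_RUN:+echo} "$IPCHAINS" -I "$chain" -j DENY -l -s "$1" || return 1
    done
}

# Act only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    [ "$#" -eq 1 ] || { echo "usage: $0 <ipv4-address>" >&2; exit 2; }
    block "$1"
fi
```

Even with this in place, a compromised www-data account can still add DENY rules for any single address, so the log entries produced by -l remain worth watching.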

