Heh, yeah, I know what you mean; I just want to be able to drop DoS attackers
straight into the firewall.  I suppose another alternative would be to write
a C program that can gain then drop root privs as it needs them, accepting
only the passed-in IP to construct the predefined rule, then only allowing
apache to run the program?

Thanks Mad Scientist, your suggestion works fine, I've just got to decide if
the security risk is worth it.  The DoS attacks that this script stops have
recently been totally taking my production system down.

Brad.
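A minimal version of the helper Brad sketches above, as an added example (not code from the original thread or from perl-IPchains): a setuid-root C program that accepts exactly one argument, checks that it is a well-formed IPv4 address, and execs a fixed ipchains rule with that address and nothing else from the caller. The binary name `blockip`, the ipchains path `/sbin/ipchains`, the rule shape (`-A input -s ADDR -j DENY`) and the refusal to block loopback or 0.0.0.0 are all assumptions for this illustration.

```c
/* blockip.c: added example of a narrow setuid-root wrapper around ipchains.
 * Install as   chown root:apache blockip; chmod 4750 blockip
 * so that only the apache user (and root) can execute it.
 * IPCHAINS_PATH and the rule shape below are assumptions, not from the post. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define IPCHAINS_PATH "/sbin/ipchains"   /* assumed location of the binary */

/* Return 1 if s is a strict dotted-quad IPv4 address this helper will block,
 * else 0.  inet_pton() only accepts a bare dotted quad, so a caller cannot
 * smuggle extra ipchains options ("1.2.3.4 -j ACCEPT", "-F", ...) through
 * the single argument. */
int valid_block_target(const char *s)
{
    struct in_addr a;

    if (s == NULL || strlen(s) > INET_ADDRSTRLEN - 1)
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;

    unsigned long h = ntohl(a.s_addr);
    /* Added policy (an assumption): never let the web server lock out
     * loopback or insert a rule for the unspecified address. */
    if ((h >> 24) == 127 || h == 0)
        return 0;
    return 1;
}

/* Fill argv with the fixed ipchains command for ip.  Returns the number of
 * entries before the NULL terminator, or -1 if argv is too small or ip is
 * rejected.  Every word except argv[4] is a constant. */
int build_ipchains_argv(char *ip, char *argv[], size_t n)
{
    if (n < 8 || !valid_block_target(ip))
        return -1;
    argv[0] = IPCHAINS_PATH;
    argv[1] = "-A";
    argv[2] = "input";
    argv[3] = "-s";
    argv[4] = ip;
    argv[5] = "-j";
    argv[6] = "DENY";
    argv[7] = NULL;
    return 7;
}

int main(int argc, char **argv)
{
    char *cmd[8];
    char *env[] = { NULL };   /* do not pass the caller's PATH, LD_*, etc. */

    if (argc != 2 || build_ipchains_argv(argv[1], cmd, 8) < 0) {
        fprintf(stderr, "usage: blockip <ipv4-address>\n");
        return 2;
    }
    /* With the setuid bit we start as uid=apache, euid=0; make root the real
     * uid too, since ipchains needs it, then exec by absolute path with no
     * shell in between. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(IPCHAINS_PATH, cmd, env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

The point of the design is that the only thing apache controls is one string, and that string is validated as an address before it goes anywhere near argv; there is no shell, no inherited environment, and no way to pick the chain, target or any other option. Note what this does not fix: anyone who can make apache invoke the helper (a bug in the perl script, or a spoofed source address that the script trusts) can still add DENY rules for addresses of their choosing, so the loopback check above is the minimum and you would want the script to rate-limit and log what it blocks.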


----- Original Message -----
From: "daRcmaTTeR" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 15, 2002 7:07 AM
Subject: Re: [expert] Non root IPchains


> On Fri, 16 Aug 2002, Brad wrote:
>
> > Hi, I've written some IPchains into my perl script using perl-IPchains but
> > the script has to be executed by root or ipchains refuses.
> >
> > Does anyone know how I can allow user "apache" to use ipchains, or how I can
> > elevate my privileges within perl.
> >
> > Thanks,
> > Brad.
>
> Brad,
>
> what you're asking is downright blasphemy! every penguin in the known
> universe just groaned in unison. believe me...this you don't want to do.
> ipchains is run by root for good reason and that's how it should stay. you
> do _not_ want your firewall, or any other part of your system's security,
> accessible to normal users.
>
> you will have to settle for the script needing to be run by root. the
> alternative is of course opening your box to literally anyone who has the
> knowledge to get in and do what they will. in that case the firewall
> becomes a moot point. why bother?
>
> --
> daRmaTTeR
>
> Reg. Linux User #186492
> "Stupidity has no moral high ground...it can't see that high!"
>
>
>


--------------------------------------------------------------------------------


> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
>

