On 18-Aug-02 Neil Sedger wrote:
Raphael Mankin wrote:
As has been mentioned, ErrorDocument does part of what you want. The problem is that in order to run ipchains/iptables you have to be root - Apache does not run as root. You therefore need a suid script to do the job, and suid scripts always make me a bit twitchy.
How about sudo? Is that more secure?
SUDO is only for CGIs. (AFAIK)
If someone does manage to hack in to be the apache user, all they'll be able to do is add addresses to the firewall block list. I'd expect that at some point they'd make a mistake and block out their own IP ;-)
Suid scripts and hackers are not a combination that appeals under any conditions.
----------------------------------
E-Mail: Raphael Mankin raph@panache.demon.co.uk
Date: 22-Aug-02
Time: 13:31:01
----------------------------------
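
The privilege problem discussed in this thread, as an added example that is not part of any message above: a small helper meant to run as root through sudo, which accepts only a canonical IPv4 address and refuses protected addresses, so the Apache user can trigger exactly one fixed firewall rule shape. The sudoers line, the paths, the `apache` user name and the protected list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Root-side helper the web server user
# would run through sudo. Assumed sudoers line (hypothetical user and path):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
IPTABLES=/sbin/iptables            # assumed absolute path
PROTECTED="127.0.0.1 192.0.2.10"   # constructed: addresses never to block

# Succeed only for a canonical dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*[!0-9.]*) return 1 ;;   # empty, edge dot, or any other char
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                             # split on dots (digits only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|????*|0?*) return 1 ;;     # empty, too long, leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the one firewall command allowed for this request.
# Returns 1 for malformed input, 2 for a protected address.
block_command() {
    valid_ipv4 "$1" || return 1
    for addr in $PROTECTED; do
        if [ "$1" = "$addr" ]; then return 2; fi
    done
    printf '%s -I INPUT -s %s -j DROP\n' "$IPTABLES" "$1"
}

# Act only when called with exactly one argument.
if [ "$#" -eq 1 ]; then
    cmd=$(block_command "$1") || { echo "refused" >&2; exit 1; }
    exec $cmd
fi
```

The protected list addresses the case where a compromised web server account uses the helper to lock out legitimate addresses.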