Re: [exim] sudo - iptables trick

Góra strony
Delete this message
Reply to this message
Autor: W B Hacker
Data:  
Dla: exim users
Temat: Re: [exim] sudo - iptables trick
Marc Perkel wrote:

> Trying a load reduction trick which I will share if it works. Running
> into a little snag and this is probably simple but I need to get user
> mail to run iptables that requires user root to run, and without havinf
> to use a password to do it.


1) install 'monitord' and run it as root.

2) have it check for a never-running/non-existent binary every
'n' seconds. It will always fail, hence execute any script you
supply.

3) have said script look for a file, erase that file, take the
series of actions you specify.

- The 'trigger' file can be written by any user or daemon, in
whatever space you allow, even by a WinDiot on an exported SMBFS
mount.

Since monitord is running as root, it can always read and delete
the 'trigger' file.

But it is never to *use* or even read said file - only to
'detect' it, then execute the scripts you gave it, never scripts
proveded by others.

This allows you to enable a 'civilian' to safely reboot a Unix
server - or anything else - without giving them shell, let
alone su to root.

>
> I'm lazy so is there someone who can tell me what I need to do and I'll
> share the trick.
>


Please keep the trick - I have my own .. ;-)

> Basicly my idea is that when a dictionary tack occurs I want to block
> the IP address for a short period of time as a load reduction trick with
> the chain being cleared every few minutes.
>
> Thanks in advance.
>


More easily done with tools external to Exim, IMNSHO, as most
such attacks ipfw logs here have nothing to do with mail
services anyway.

Most are dum - bass attempts to login as 'root' and/or a list of
other users we don't even have....

Bill