Temporary IP whitelisting, secure ways to do it
I'm trying to basically set up some temporary iptables/pf/ipfw-like rules in response to a web request. For example: when the user submits a form, ACCEPT from to IPMI port, forward to internal network IP for the next hour, and remove the ACCEPT rule after that time.
I really, really do not want to even think about setcap or suid'ing the PHP or Python binary or running exec/shell()/equivalents or something - is there any other logical way to do this?
Comments
Create another application that runs as an API that your website backend can call?
The best way is to build a simple daemon to do that job for you; for simplicity's sake, consider running it over a unix socket.
The simple hackish way is to use sudo and iptables/whatever to do it.
Simple Python based API, http://python-eve.org/ should be easy to create.
Consider if fail2ban might not work (either by letting it parse a log file or calling the client directly). It's generally used to do the opposite, but it seems like you could just set up everything else in reverse to get something along the lines of port knocking. And after a quick search, I give you a couple existing starting points:
http://diginc.us/linux/2009/using-fail2ban-to-open-back-doors-ports-in-your-iptables/
http://www.the-art-of-web.com/system/fail2ban-action-whitelist/
Just write a quick python daemon that handles these - that's what I do when I need to accomplish superuser tasks with PHP.
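The daemon the two replies above describe, as an added example (not code from the thread): a root-owned process listens on a unix socket, checks the caller's uid with SO_PEERCRED, validates the address and lifetime, inserts the iptables rule and deletes it again after the time runs out. The port, socket path and backend uid are assumptions; `run` is injectable so the grant/expire logic can be exercised without root.

```python
import ipaddress
import socket
import struct
import subprocess
import time

IPMI_PORT = 623                # assumption: the port the form should open
SOCK_PATH = "/run/tmpwl.sock"  # assumption: chown/chmod so only the backend connects
ALLOWED_UID = 33               # assumption: uid of the web backend (www-data)
MAX_TTL = 3600                 # the thread's "next hour"

def iptables_rule(ip):         # one spec for -I and -D, so the delete matches exactly
    return ["-s", ip, "-p", "tcp", "--dport", str(IPMI_PORT), "-j", "ACCEPT"]

class Whitelist:               # grants keyed by address; `run` is injectable for tests
    def __init__(self, run=lambda argv: subprocess.run(argv, check=True)):
        self.run, self.grants = run, {}       # canonical ip -> expiry (epoch seconds)
    def grant(self, ip, ttl, now=None):
        key = str(ipaddress.ip_address(ip))   # ValueError unless a bare IPv4/IPv6 address
        if not 0 < ttl <= MAX_TTL:
            raise ValueError("ttl out of range")
        now = time.time() if now is None else now
        if key not in self.grants:            # a renewal extends the grant, never duplicates the rule
            self.run(["iptables", "-I", "INPUT"] + iptables_rule(key))
        self.grants[key] = max(self.grants.get(key, 0), now + ttl)
        return self.grants[key]
    def expire(self, now=None):
        now = time.time() if now is None else now
        gone = [ip for ip, t in self.grants.items() if t <= now]
        for ip in gone:                       # delete by the identical spec, then forget it
            self.run(["iptables", "-D", "INPUT"] + iptables_rule(ip))
            del self.grants[ip]
        return gone

def serve(wl):                 # root-side loop; the backend sends "ip ttl" as text
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(SOCK_PATH); srv.listen(8); srv.settimeout(5)
    while True:
        wl.expire()                           # runs every 5 s even with no requests
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:  # SO_PEERCRED (Linux): kernel-reported pid, uid, gid of the peer
            uid = struct.unpack("3i", conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, 12))[1]
            try:
                if uid != ALLOWED_UID:
                    raise ValueError("caller uid not allowed")
                ip, ttl = conn.recv(128).decode().split()
                conn.sendall(b"ok %d\n" % wl.grant(ip, int(ttl)))
            except ValueError as e:
                conn.sendall(b"error: %s\n" % str(e).encode())
```

The PHP or Python backend only needs write access to the socket, so neither interpreter is made suid or given capabilities, and the argv list form keeps user input out of any shell.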
Does that not need /usr/local/bin/python3.5 suid/setcap'd globally, or do I have to somehow build it into a separate binary?
What is your actual use case, and wouldn't a VPN solve it in a far more secure and less error-prone way?
VNC-esque setup to allow individual users to connect temporarily to a screen sharing session or console
All of them are behind some form of corporate proxy or firewall that blocks most VPN services, and don't have administrative rights to install a tun/tap driver or otherwise.
The last time I looked at guacamole it didn't support multiple users connected to a single shared session or working sound in RDP/VNC