Prerequisites:
ipchains support (enabled by default in most cases)
sudo (you might have to install this)
First create a chain to hold the blocked IPs and place it at the head
of the input and output chains. (These will be erased if you reboot.
Make sure they appear above any other rules you might have.)

    /sbin/ipchains -N blockip
    /sbin/ipchains -A input -p tcp -j blockip
    /sbin/ipchains -A output -p tcp -j blockip
The blockip script exists so that the web server, through sudo, can do
exactly one thing with ipchains and nothing else: add a block rule for
one address. I place it in /root/bin/blockip and execute it using sudo.
    #!/usr/bin/tclsh
    # blockip takes a single IP address and adds an ipchains rule to
    # block it in both directions
    set ip [lindex $argv 0]
    # Accept only digits and dots: the argument comes straight from the
    # client's peer address and this script runs as root under sudo.
    # -strict makes an empty string fail the test, and the exit ensures
    # a rejected argument never reaches ipchains.
    if {$argc != 1 || ![string is digit -strict [string map { . ""} $ip]]} {
        puts stderr "give me the IP and just the IP"
        exit 1
    }
    puts [exec /sbin/ipchains -A blockip -p tcp -s $ip -j DENY]
    puts [exec /sbin/ipchains -A blockip -p tcp -d $ip -j DENY]
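The Tcl check above only confirms that the argument is made of digits
and dots, which still lets through things like "1.2.3", "1.2.3.4.5" or
"010.1.1.1". The following is an added example, not the page's own
blockip script, of a POSIX sh version that refuses anything but a
well-formed dotted-quad IPv4 address before the root-privileged
ipchains call is made. It uses the page's chain name, flags and
/sbin/ipchains path; the IPCHAINS variable is a hypothetical override
so the functions can be exercised on a host without ipchains.

```shell
#!/bin/sh
# Added example, not the page's own blockip script: a POSIX sh blockip
# that validates its argument strictly before calling ipchains.
# The argument is the client's peer address as reported by the web
# server, and the script runs as root through sudo, so anything that is
# not a plain dotted-quad IPv4 address is refused with exit status 1.
# IPCHAINS is a hypothetical override (defaults to the page's path) so
# the functions can be exercised on a host without ipchains.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# validate_ipv4 ADDR: 0 if ADDR is exactly four decimal octets 0..255
# separated by single dots, 1 otherwise.
validate_ipv4() {
    addr=$1
    # Empty, any character outside [0-9.], leading/trailing dot, or an
    # empty field ("1..2") are rejected up front.
    case "$addr" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split on dots into the positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Leading zeros are refused: inet_aton-style parsers read "010"
        # as octal, so "010.1.1.1" would silently block 8.1.1.1 instead.
        case "$octet" in
            0 | [1-9]*) ;;
            *) return 1 ;;
        esac
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: validate, then add the same two DENY rules the page's
# Tcl script adds (as source and as destination) to the blockip chain.
# Returns 1 without touching ipchains if ADDR does not validate.
block_ip() {
    if ! validate_ipv4 "$1"; then
        echo "blockip: refusing '$1': not a dotted-quad IPv4 address" >&2
        return 1
    fi
    "$IPCHAINS" -A blockip -p tcp -s "$1" -j DENY &&
        "$IPCHAINS" -A blockip -p tcp -d "$1" -j DENY
}

# When installed as /root/bin/blockip (matching the page's sudoers line),
# behave like the original: one argument, the address to block.
case "${0##*/}" in
    blockip)
        [ $# -eq 1 ] || { echo "usage: blockip IP" >&2; exit 1; }
        block_ip "$1"
        exit $?
        ;;
esac
```

Installed as /root/bin/blockip it is a drop-in for the Tcl script under
the same sudoers line. A refused address produces a non-zero exit and
a message on stderr, which the filter's exec call turns into a Tcl
error, so the refusal ends up in the server log rather than being
silently passed to ipchains.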
Use visudo to add this line to /etc/sudoers:

    nsadmin ALL=NOPASSWD: /root/bin/blockip
Create a .tcl file containing the following and place it in
/web/<servername>/tcl/ (or wherever your server's tcl directory is).
It registers a preauth filter on every URL ending in .exe; when one is
requested, the peer address is handed to blockip through sudo and the
connection is dropped.

    # Runs before any other preauth filter (priority 1) on /*.exe requests.
    ad_register_filter -critical t -priority 1 preauth * /*.exe vt_blockip

    proc vt_blockip {conn ignore} {
        # Block the requesting address in both directions, then drop
        # the connection without sending a response.
        exec sudo /root/bin/blockip [ns_conn peeraddr]
        ns_conn close
        return "filter_break"
    }
Edit tcl/ad-security.tcl and change

    ad_register_filter -critical t -priority 1 preauth * /* sec_read_security_info

to

    ad_register_filter -critical t -priority 2 preauth * /* sec_read_security_info

so that the blocking filter (priority 1) runs before the security
filter (now priority 2).
And, finally, here is the cron script to clear the blocked IPs:

    #!/bin/sh
    /sbin/ipchains -F blockip