script updates .htaccess restriction dyndns ?

Howdy,

Wanted to see if anyone had a recommendation for a script to update an .htaccess file with your current IP address.

I am looking to keep some admin bits a little more restricted over the web, and would prefer script kiddies not to just bash at usernames and passwords.

cat .htaccess

Order Allow,Deny
Allow from yourhomeip in format 123.456.789.012
Allow from yourwebserverip in format 123.456.789.012

# BEGIN WordPress
# END WordPress

etc.

Allow from is a great tool, but it is built with (gee) security in mind. Since it does a forward and a reverse lookup, your dyndns.org assigned name, such as myhomemachine.dyndns.org will generally never resolve back successfully, since apache will look that up, map it to 1.2.3.4, then nslookup 1.2.3.4 and see that it resolves to myuberfiberconnection.blastthenet.com - then apache says "nope!"

Now that search engines can hit this DH forum topic (grin) I'm looking for a script, cron'able every 5 mins or so, that's low resource. Would love to have a file with .htaccess locations, perhaps like

/home/myuseracct/mysite.org/admin/.htaccess
/home/myuseracct/mysite.org/testing/.htaccess

etc. that could be read. Am picturing the script reading locations, and replacing things from those specified files.

Maybe via section blocks such as

### my allowed dynamic IP start ###

### my allowed dynamic IP end ###

and it being fair game to replace anything between those.

I'm not sure how the script would store the state of the last lookup for myhomemachine.dyndns.org but I'm visioning a simple flat file in the root directory.

Ideally, the script would just run via cron, check if the nslookup is the same as it was 5 minutes ago. Since the very likely answer is "yes", die there, and take no more cpu.

But if it has changed, go replace in the specified htaccess files the old ip of 1.2.3.4 with the new ip of 5.6.7.8, and write out the rest of the .htaccess file as it was.

I know that's a lot to ask, which is why I'm asking if someone has already done something similar. My google fu was remarkably blank on this, other than seeing requests for something like this :)

TIA for any pointers . . .



responses to this thread will be emailed to me, thanks.

I can see this one has the traction of a damp herring, hah.


responses to this thread will be emailed to me, thanks.

I've started looking into programming this in Php5, for local execution since this functionality doesn't seem to be out there yet.

If I get it working nicely, I'll contribute it.


responses to this thread will be emailed to me, thanks.

In reply to:

---

I've started looking into programming this in Php5, for local execution since this functionality doesn't seem to be out there yet.

If I get it working nicely, I'll contribute it.

---

I don't think this got any traction because at least to me it is one of those "Computer Science 101" exercises that if you broke down into the two steps (looking up an address and changing the line of a text file) you could have found a solution with Google by now.

Bash script:
#!/bin/bash
INPUT_FILE="/path/to/.htaccess"
IP_ADDRESS=`dig short $1`
# The digit before substitution restricts to that line number
PATTERN="'3 s/Allow from.*/Allow from $IP_ADDRESS/'"
eval sed -i $PATTERN $INPUT_FILE

.htaccess file:
Order Deny, Allow
Deny from all
Allow from 1.2.3.4


And then your cron command would be
/bin/bash /path/to/script.sh subdomain.dyndns.org

Though one might want to make sure IP_ADDRESS was set to an IP address and not something else. Executing an expensive binary like PHP or Perl every 5 minutes for a simple task would not be a good idea either.





Customer since 2000 openvein.org

That's a good thought and all, thanks for the idea.

I have quite a few directories, so I'm looking to check each .htaccess file, or at least maintain a static list and iterate through that.

I appreciate your 101 example since bash / awk / et al. is not my forte, even though I perhaps have other IT qualities . . . I'll work on adapting what you started.

I just figured this had to be a common issue these days with the two-way check Apache does, and the fact that most folks in their right minds would want to limit certain parts of sites o at least certain subnets . . .

If it appreciably raised an issue for someone while cron'd */5 with nice -n19 I'd be greatly worried. There's nothing I run via cron that's not as nice as I can be to my neighbors :)

Take care.


responses to this thread will be emailed to me, thanks.

Keep in mind that a .htaccess file applies not only to the directory it's in, but also to any subdirectories. Unless you've got a lot of disjoint directories that need protection, you should be able to get away with a single .htaccess file.

Completely agreed; it's just usually of a form :

/package
/package/admin-part

and I'm usually wanting to protect the admin part.

I also tend to put the restrictions down as far as I can in the structure, to avoid having a bloated base site .htaccess

Since I don't have access these days to httpd.conf ;)

But excellent point.


responses to this thread will be emailed to me, thanks.

In reply to:

---

I have quite a few directories, so I'm looking to check each .htaccess file, or at least maintain a static list and iterate through that.

---

Easily done with a for loop of course.

In reply to:

---

If it appreciably raised an issue for someone while cron'd */5 with nice -n19 I'd be greatly worried. There's nothing I run via cron that's not as nice as I can be to my neighbors :)

---

I'd also take into account memory usage. PHP consumes at least 15MB. No need to bring out the toolbox if you just need to tighten a screw.


Customer since 2000 openvein.org

True that, although one of the first things I'd do would be to die if no change, so hopefully not much for the build up and tear down there.

I'll have to twiddle with it and see what I wreck, err, make.


responses to this thread will be emailed to me, thanks.

I've published an article with my almost-but-not-quite complete Bash script:

http://webdev.openvein.org/articles/UpdateTextFilesUsingBashAndSed.html

Refer to Advanced Bash-Scripting Guide if you have questions about how things are done in Bash.



Customer since 2000 openvein.org

Ganz Gut! OK, that's generally helpful, and for many people via your site article.

Now it's time to make sure those SEO keywords are in there, for every n00b (ahem) looking for this to find. When done, I think we can make sure it's indexed in all 4 or 5 major engines, hah. I know you haven't added links from the page to other spots, etc. and don't know if you want it widely advertised even. But I'm sure appropriate links to the rest of your site from there won't hurt in the end.

Thanks for the contribution. I'll keep what little I've started in php around, as I'm loath to throw away code.

I think that there are more people who will use this, once they find it, and a link from the DH wiki wouldn't hurt either. It's nice to get at least some recognition for your contributions to the community.

Anything that helps keep out a few more automated attacks should do nothing but help us all ;)


responses to this thread will be emailed to me, thanks.