I have a web app that has user accounts; each user is granted access to do certain things with certain files. They can upload files, they can "delete" files (just moved to a trash dir), rename certain files on disk, etc.

So far I have SSL, I have a CAPTCHA mechanism for login, CGI::Verify for checking tainted data (of course, -wT). Everything is Perl CGI. Every time any action runs (by request of a remote client), all the data is checked for integrity, your CGI::Session is checked for time, etc. Every file you request to do something to is checked to make sure it is within your scope of granted access, that you can do with that file what you are requesting the server to do. These things are checked *before* anything is sent back to the client agent, before anything that the user requested is actually done on the server.

The next thing I want to implement is an IP deny mechanism. If someone or some"thing" is trying to log in too many times, or if a valid user is trying to request files they do not have access to, then I want to block them, period.

I looked in CPAN for something to work with this, and I don't think I found it. So.. Here is my plan for your thoughts.

I am thinking I want to log each undesirable action as a 'warning', recorded in a database or perhaps simply in the filesystem. These warning flags will renew each day. So...

Every time a remote client attempts to log in but the credentials fail, a warning file is made. Such as /tmp/xxx.xxx.xxx.xxx.warning_type.unix_timestamp.

If the remote client makes a request for a file or an action they do not have rights to (not only does the process fail, also..), maybe 5 warning files are made. The more severe the action, the more warning files are made.

Every time a warning file is made, the /tmp (or whatever.. /tmp/warnings, some other place..) is checked for how many warning files are present. If more than x files are present for that IP (/tmp/xxx.xxx.xxx.xxx.*) then I make an entry into an .htaccess file. A deny from xxx.xxx.xxx.xxx rule, maybe with a comment for when it was put in and why.

I am thinking of making the module so a small script could use it; this way any other languages, or other kinds of sites, could use it simply by calling it. For example, if a user logs in you send them to the "I'm sorry" page and maybe an SSI directive calls the Perl script with the remote address of the client agent.

Sounds useful? Stupid? Been done? Where? Would this seem useful to anyone? Please comment.
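
A sketch of the scheme described in the post above, as an added example that is not leocharre's code or an existing CPAN module: weighted warning files per IP, a count over the last day, and a locked, de-duplicated `Deny from` entry. The names `clean_ip`, `add_warning` and `deny_ip`, the threshold of 8, the 24-hour window and the pid-plus-counter suffix on the file names are assumptions; it also assumes a dedicated warning directory writable only by the web user rather than a shared /tmp.

```perl
use strict; use warnings;
use Fcntl qw(:DEFAULT :flock :seek);
use File::Temp qw(tempdir);
my $WINDOW = 24 * 60 * 60;   # assumed reading of "renew each day"
my $LIMIT  = 8;              # assumed value for the post's "x"
my $seq    = 0;              # keeps file names unique within one process

# Accept only a dotted-quad shape; nothing else may reach a path or the .htaccess.
sub clean_ip { return $_[0] =~ /\A((?:\d{1,3}\.){3}\d{1,3})\z/ ? $1 : die "bad ip\n" }

# Create $weight warning files for $ip, expire old ones, return how many remain.
sub add_warning {
    my ($dir, $ip, $type, $weight) = @_;
    $ip = clean_ip($ip);
    $type =~ /\A\w+\z/ or die "bad warning type\n";
    my $now = time;
    for (1 .. $weight) {
        my $path = "$dir/" . join('.', $ip, $type, $now, $$, $seq++);
        # O_EXCL fails on an existing name or a planted symlink instead of following it.
        sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or die "create $path: $!\n";
    }
    opendir(my $dh, $dir) or die "opendir $dir: $!\n";
    my $count = 0;
    for my $name (grep { /\A\Q$ip\E\./ } readdir $dh) {
        my $mtime = (stat "$dir/$name")[9] or next;
        if ($now - $mtime > $WINDOW) { unlink "$dir/$name" } else { $count++ }
    }
    return $count;
}

# Add one "Deny from" rule for $ip under an exclusive lock; true if a rule was written.
sub deny_ip {
    my ($htaccess, $ip, $why) = @_;
    $ip = clean_ip($ip);
    $why =~ s/[^\w .:-]+/ /g;    # the reason text must not be able to add directives
    sysopen(my $fh, $htaccess, O_RDWR | O_CREAT, 0644) or die "open $htaccess: $!\n";
    flock($fh, LOCK_EX) or die "lock $htaccess: $!\n";
    my $already = grep { /\ADeny from \Q$ip\E\s*\z/i } <$fh>;
    seek($fh, 0, SEEK_END);
    print {$fh} "# " . localtime() . " $why\nDeny from $ip\n" unless $already;
    close $fh or die "close $htaccess: $!\n";
    return !$already;
}

# Constructed demo: a scratch directory stands in for the warning dir and the site root.
my $dir = tempdir(CLEANUP => 1);
my $ip  = '203.0.113.7';                                # constructed sample address
add_warning($dir, $ip, 'login_fail', 1) for 1 .. 4;     # four failed logins
my $n = add_warning($dir, $ip, 'forbidden_file', 5);    # one out-of-scope request
print "warnings=$n blocked=", ($n > $LIMIT && deny_ip("$dir/.htaccess", $ip, 'too many warnings') ? 1 : 0), "\n";
```

On Apache 2.4 the `Deny from` syntax is only honoured when mod_access_compat is loaded.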


In reply to A module to deny ip on multiple sketchy http requests, yes, no? by leocharre
