Dan Muey wrote:
> > Dan Muey wrote:
> > > Howdy,
> > >
> > > I realize that $ENV{'REMOTE_HOST'} and $ENV{'REMOTE_ADDR'} are
> > > handled differently and can be spoofed so don't worry I'm not
> > > basing any security on them.
> >
> > I'm no security expert, but how can these be spoofed? They
> > don't come from the request headers, but are derived from the
> > TCP connection itself.
>
> Well I'm not sure, I always thought what you said was true,
OMG! don't assume that! :~)
> but you
> always hear folks saying that so I was trying to avoid the pummeling
> I felt would be inevitable.
:~)
>
> >
> > Furthermore, how useful are these anyway? For example, I'm
> > currently sitting behind a NAT proxy along with 300 or so
> > other folks, so you'll see the same REMOTE_ADDR for any of us
> > who visit your site. Or is that what you mean by "spoof"?
> >
>
> True, what I was logging was the ip that certain scripts were called
> from. I have some websites that use LWP to call a script on my server.
> So basically that means that, unless, something is changed on their
> server, my server will always see them as coming from the same ip
> address. If there are discrepencies I can look into it if it matters.
>
> As much as like to be able to only allow access from certain
> IP address I don't do it because everyone rants on and on
> about $ENV beinag able to be spoofed so easily.
Well, it can't be spoofed in the sense of being faked. If I'm connecting
from 206.107.121.3, There's no way to convince your server that I'm really
connecting from 66.118.101.132, AFAIK.
However, If I can use an intermediate system as a proxy, I can convince you
that I'm coming from a different host than I "actually" am.
>
> So correct me if I'm wrong but if I have a script that runs on a
> server that I am the only user on and I am the only person allowed to
> put anythign on it then $ENV{'REMOTE_ADDR'} may be a fairly reliable
> way to limit access?? (barring my hero Kevin Mitnick and friends ;p)
No, if by "server" you mean the server on which you are looking at
REMOTE_ADDR. REMOTE_ADDR is the client address. You don't want to build any
scheme based on the supposed hardness of the client system.
But because of proxies, you may have a "good guy" and a "bad guy" using the
same proxy. So you can't use REMOTE_ADDR alone to distinguish between the
two for identification purposes.
If it matters, you need some way for the client to pass you some credentials
with the request that you can validate. You may even want to do this in
combination with REMOTE_ADDR, to decrease the risk that the credentials have
been compromised and are being used to attempt to gain access from an
unexpected host.
>
>
> die "You not allowed freako!\n" unless $ENV{'REMOTE_ADDR'} =~
> m/^1\.2\.3\.4$/; die "You gots to be logged in jack!\n" unless
> $ENV{'REMOTE_USER'} =~ m/^\w+$/;
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
