Kay-Michael Voit wrote:
> Did you consider just blocking other MAC addresses through iptables?
Yes, but the MAC should just be checked for one specific user.
> But... I don't know what you are doing there, but are you sure you
> want to grant every user SSH access?
No, just one user with limited rights. That user executes a C script
that becomes root and reloads bind. Only this user's key is trusted.
> I would suggest using a web interface, for example with PHP, which
> puts commands into a database, or something similar (perhaps a text
> file could do it, too), and then running a cron job, let's say every 10
> minutes, with a script that restarts bind.
But isn't SSH more secure than a web interface (even when using SSL)?
Using your method, anybody who hacks the web app has total root access...
We thought about the cron option, but as soon as a domain is registered,
the Dutch TLD organisation checks if there is a valid DNS record.
Therefore bind needs to be reloaded as soon as the mail is sent to the
TLD organisation. We could queue all mail and send it through a cron job as well, but
this seems a bit complicated for the task.
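The setup discussed above (one user, one trusted key, a privileged reload of bind) can be done without a setuid C program: pin the key to a forced command in authorized_keys, have the wrapper validate what the client asked for, and let a narrow sudo rule grant only the rndc reload. The script below is an added example written for this thread, not code from either poster; the user name dnsupdate, the wrapper path /usr/local/bin/reload-bind, the rndc path and the sudoers rule quoted in the comments are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the DNS-update user's SSH key (added example; all paths assumed).
#
# Assumed authorized_keys entry for user "dnsupdate" (one line):
#   command="/usr/local/bin/reload-bind",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... dnsupdate
# Assumed sudoers rule (only rndc reload, nothing else, no password):
#   dnsupdate ALL=(root) NOPASSWD: /usr/sbin/rndc reload, /usr/sbin/rndc reload *
#
# sshd ignores whatever the client tried to run and executes this wrapper instead;
# the client's original request is only visible in $SSH_ORIGINAL_COMMAND.

# Accept exactly "reload" or "reload <zone>", where <zone> is a plain DNS name.
# Anything else (shell metacharacters, other rndc subcommands, empty zone) is refused,
# which also keeps the sudoers wildcard from matching anything but a zone name.
allowed_request() {
    case "$1" in
        reload) return 0 ;;
        reload\ *)
            zone="${1#reload }"
            case "$zone" in
                ""|*[!A-Za-z0-9.-]*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

main() {
    # No explicit request (plain "ssh dnsupdate@host") means a full reload.
    req="${SSH_ORIGINAL_COMMAND:-reload}"
    client="${SSH_CLIENT%% *}"   # first field of SSH_CLIENT is the peer address

    if ! allowed_request "$req"; then
        logger -t reload-bind "rejected request from ${client:-unknown}: $req"
        echo "reload-bind: request not permitted" >&2
        exit 1
    fi

    logger -t reload-bind "accepted request from ${client:-unknown}: $req"
    if [ "$req" = reload ]; then
        exec sudo /usr/sbin/rndc reload
    else
        exec sudo /usr/sbin/rndc reload "${req#reload }"
    fi
}

# Run only when invoked as the installed wrapper, so the functions can be sourced for testing.
case "$(basename -- "$0")" in
    reload-bind) main ;;
esac
```

With this in place the unprivileged user never holds a root shell or a setuid binary: the key can only trigger the wrapper, the wrapper only ever runs rndc reload, and every accepted or rejected request lands in syslog with the client address for later review.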