pdent1 Posted October 16, 2009 Share Posted October 16, 2009 I run cronjobs on my website. After one of my visitors got curious and tinkered around he realized he could reset my cron jobs...woohoo.... Is there a way to get information from the server to make sure it is who it is? I have my idea below but I would like to know if there was another more secure way of doing this or if my way is fine. Since I also automaticly updating incoming CPA Leads and Paypal IPN the same way as my cronjobs. Paypal IPN does have to make sure there 'account balance' has money through Database so they can't just go throwing money at themselves..Luckily I had thought of that before the visitor went tinkering. I basicly figured something like if i ran a cronjob and my server ip was 1.1.1.1 and the cronjob sent to http://site.com/cron.php?id=admin22113 coding would be as followed: $id=$_GET["id"]; $ip=@$REMOTE_ADDR; if ($ip==1.1.1.1){ if ($id="admin22113"){ DoFunctions(CronJobs) } } the $id(admin22113) I put as a secondary security measure. Say my own personal passcode to check if its there to say its me. Only problem with this is my CPA Company IP changes and doesn't do "passcodes". I have to use Get functions to receive data through server so this is a little harder for a visitor to call. If there are any other possible ways please help me out. Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted October 16, 2009 Share Posted October 16, 2009 Instead of banning everyone but yourself (or a group of IPs), you should try to ban the individual IP or IP block. If this was a one time event, then it might not happen again. For now, just look through your server logs and you are sure to find out who did what. Quote Link to comment Share on other sites More sharing options...
pdent1 Posted October 16, 2009 Author Share Posted October 16, 2009 ya i made it clear for who it was not to do it again or else he will be banned. I now added to call the username if there is one when the cronjob is accessed and mail the Username to me. I have enough members if someone gets ****ed off tho they could just do it from not being logged in just by going to site.com/cron.php...so I'm just trying to limit who has the ability to do it(Server mostly) Because currently I switched it over to moderator based. So that only select moderators can do it. But i'd like it automated cause I have a big trust issue when it deals with a website dealing with other peoples money and want to be as secure as possible. So far it seems all the cronjobs comes from 1 IP address ( Have it $_get the server IP and then echo it so it shows in an email to myself). Would the IP address IF statement work fine is all I need to know. If the IP changes I can just set the if statement that if IP does not match ip to say there was an error then I can run the cron job myself. Quote Link to comment Share on other sites More sharing options...
pdent1 Posted October 16, 2009 Author Share Posted October 16, 2009 any ideas? Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted October 17, 2009 Share Posted October 17, 2009 I don't get it. Crons are supposed to be run by the server. There shouldn't be a user associated with the cron running. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.