When a web site is attacked, so far by unsuccessful hackers, my error routine adds the attacker's IP address, prefixed by 'deny', to that web site's .htaccess file. It works and the attacker, on second and subsequent attacks, gets a 403 error response.

I want to extend the exclusion ability to every web site hosted on a server. My preferred method is iptables. However, when breaking out of a PHP script on a web page and running a normal iptables command, for example:

iptables -A 3temp -s 1.2.3.4 -j DROP

iptables responds with:

iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root)

Executing 'whoami' confirms Apache is the user. Giving Apache group rw on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is executable by all, fails to resolve the problem.

Is there any method of running iptables from an Apache originated process?

Thank you.

--
With best regards,

Paul.
England, EU.
On Sun, 2011-08-21 at 00:09 +0100, Always Learning wrote:

> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache originated
> process?
>
> Thank you.

----

If you are determined to do that (have user apache capable of making changes to iptables), you can have your script do it as sudo and make an entry in /etc/sudoers to allow user apache to execute /sbin/iptables commands without a password.

Of course automated scripts can (and likely will) go haywire and anything that automates adding iptables blocks is capable of blocking you too and I would highly suggest you rethink what you are doing. Also, there's the subjectivity of what it is that constitutes 'an attack'.

Craig
On 08/21/2011 01:09 AM, Always Learning wrote:

> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache originated
> process?

Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?

Have you looked at fail2ban and denyhosts? These apps seem to offer a similar solution.

Regards,
Patrick
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.

Have you looked at mod_evasive?

http://www.zdziarski.com/blog/?page_id=442

Barry
From: Always Learning <centos at u61.u22.net>

> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
> Is there any method of running iptables from an Apache originated
> process?

I would be wary of letting the apache user control iptables... Better have another independent script to read the list of IPs file, filter it, and then call iptables.

JD
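One way to build the independent script JD describes, which also keeps the apache user away from sudo and iptables as Craig warns about, as an added example that is not code from this thread: Apache appends addresses to a spool file, and a root cron job validates them against an allowlist before running the `iptables -A 3temp ... -j DROP` command from the original post. The spool and allowlist paths and the function names are assumptions.

```sh
#!/bin/sh
# Hypothetical root-owned script run from cron, not from Apache: the web
# app only appends to the spool; this script validates and calls iptables.
SPOOL=${SPOOL:-/var/spool/webblock/pending}   # writable by apache (assumed)
ALLOW=${ALLOW:-/etc/webblock/allowlist}       # admin IPs, never blocked
CHAIN=${CHAIN:-3temp}                         # chain named in the thread
IPTABLES=${IPTABLES:-/sbin/iptables}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so
# a malformed spool line can never reach the iptables command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')   # safe: digits only now
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# is_allowlisted ADDR: succeed if ADDR is an exact line of the allowlist.
is_allowlisted() {
    [ -r "$ALLOW" ] && grep -qxF "$1" "$ALLOW"
}

# filter_ips: read candidate addresses on stdin, print each well-formed,
# non-allowlisted one exactly once (the filtering step JD suggests).
filter_ips() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        valid_ipv4 "$ip" || continue
        is_allowlisted "$ip" && continue
        printf '%s\n' "$ip"
    done | sort -u
}

# apply_blocks: block every surviving spool entry with the command from
# the thread, skipping addresses already in the chain, then empty the spool.
apply_blocks() {
    [ -r "$SPOOL" ] || return 0
    filter_ips < "$SPOOL" | while read -r ip; do
        # -n -L works on the 1.3.x iptables in the thread (no -C there)
        "$IPTABLES" -n -L "$CHAIN" | grep -qF " $ip " && continue
        "$IPTABLES" -A "$CHAIN" -s "$ip" -j DROP
    done
    : > "$SPOOL"
}
if [ "${1:-}" = apply ]; then apply_blocks; fi
```

Run it as `webblock.sh apply` from root's crontab; putting your own addresses in the allowlist is what keeps the automation from locking you out.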