[CentOS] Apache Changing IPtables C 5.6 via Apache
Craig White
craigwhite at azapple.com
Sun Aug 21 00:03:57 UTC 2011
On Sun, 2011-08-21 at 00:09 +0100, Always Learning wrote:
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attackers IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking-out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache originated
> process ?
>
> Thank you.
----
If you are determined to do that (have user apache capable of making
changes to iptables), you can have your script do it as sudo and make an
entry in /etc/sudoers to allow user apache to execute /sbin/iptables
commands without a password.
Of course automated scripts can (and likely will) go haywire and
anything that automates adding iptables blocks is capable of blocking
you too and I would highly suggest you rethink what you are doing. Also,
there's also the subjectivity of what it is that constitues 'an attack'.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the CentOS
mailing list