[CentOS] Apache Changing IPtables C 5.6 via Apache

Always Learning centos at u61.u22.net
Sun Aug 21 00:51:15 UTC 2011


On Sat, 2011-08-20 at 17:03 -0700, Craig White wrote:

> If you are determined to do that (have user apache capable of making
> changes to iptables), you can have your script do it as sudo and make an
> entry in /etc/sudoers to allow user apache to execute /sbin/iptables
> commands without a password.

Thank you. I will try that. Having read the file it seems ideal.

> Of course automated scripts can (and likely will) go haywire and
> anything that automates adding iptables blocks is capable of blocking
> you too and I would highly suggest you rethink what you are doing. Also,
> there's the subjectivity of what it is that constitutes 'an attack'.

My scripts are generally well behaved, but then I usually test them
extensively. The proposed iptables changes are to place IP addresses in
a spare iptables table and block them. If it works well for one IP
address it should work successfully for subsequent ones.

I am acutely conscious of being locked out. I can get in remotely via
the console. However the very first entries in every server's iptables
have always been to allow 3 static IPs access. 3test comes later on in
the sequence, ensuring what happens there should never lock me out.

        (approved static IPs)
        0banned
        1approved
        2emails
        3temp
        3web
        4permit
        5drop

A daily reader of Logwatch, I don't like seeing the same weirdo
attacking different web sites hosted on the same server. I also get an
instant email for every web page error on every site. Banning an IP
address from a server as soon as the first detected hacking occurs seems
a welcome improvement to writing to one web site's .htaccess file.

Thank you for your good suggestion. It is appreciated.


-- 
With best regards,

Paul.
England,
EU.
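The exchange above (a sudoers entry letting user apache run iptables, plus an Apache-triggered script that drops offending addresses into a spare chain) is illustrated below with an added example that is not code from either poster. It is a wrapper script that the web-side script would invoke through sudo; it validates the address so that nothing copied out of a log line can reach the shell, and it refuses to ban anything on an allowlist, so an automated ban can never touch the administrator's own static IPs. The chain name 0banned comes from the thread; the allowlist path, the script path and the DRY_RUN switch are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: ban helper for an Apache-triggered script.
# Usage: ban_ip.sh <ipv4>   (intended to be invoked via sudo by user apache)

ALLOWLIST="${ALLOWLIST:-/etc/ban-allowlist}"   # assumed path, one IPv4 address per line
BAN_CHAIN="${BAN_CHAIN:-0banned}"              # chain name taken from the thread
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"                        # 1 = only print the rule that would be added

# valid_ipv4 IP: succeed only for a well-formed dotted quad. Log data is untrusted,
# so anything that is not digits and dots is rejected before it reaches a command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_allowlisted IP: succeed when IP is listed verbatim in the allowlist file.
is_allowlisted() {
    [ -r "$ALLOWLIST" ] || return 1
    grep -qxF "$1" "$ALLOWLIST"
}

# ban_ip IP: insert a DROP rule for IP at the top of the ban chain.
# Exit 2 for a malformed address, 3 for an allowlisted one, 0 when the rule is added
# (or, with DRY_RUN=1, merely printed). The rule text is always echoed so the caller
# can log exactly what was done.
ban_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing: '$ip' is not a valid IPv4 address" >&2
        return 2
    fi
    if is_allowlisted "$ip"; then
        echo "refusing: $ip is on the allowlist" >&2
        return 3
    fi
    echo "$IPTABLES -I $BAN_CHAIN -s $ip -j DROP"
    if [ "$DRY_RUN" != 1 ]; then
        # Skip addresses already present so repeated web errors do not pile up duplicate rules.
        if "$IPTABLES" -n -L "$BAN_CHAIN" | grep -qw "$ip"; then
            return 0
        fi
        "$IPTABLES" -I "$BAN_CHAIN" -s "$ip" -j DROP
    fi
}

# Entry point when executed as a script.
if [ $# -eq 1 ]; then
    ban_ip "$1"
fi
```

With a wrapper like this, the sudoers entry can be narrower than "any /sbin/iptables command": granting apache NOPASSWD on the wrapper alone (for example `apache ALL=(root) NOPASSWD: /usr/local/sbin/ban_ip.sh`, an assumed path) means a compromised web process can add DROP rules to the spare chain but cannot flush the table or alter the rules that admit the approved static IPs. Keep the wrapper owned by root and not writable by apache, since sudo trusts whatever the file contains.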