[CentOS] Apache Changing IPtables C 5.6 via Apache

Craig White craigwhite at azapple.com
Sun Aug 21 12:34:08 UTC 2011


On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
> On 08/21/2011 01:09 AM, Always Learning wrote:
> >
> > When a web site is attacked, so far by unsuccessful hackers, my error
> > routine adds the attacker's IP address, prefixed by 'deny', to that web
> > site's .htaccess file. It works and the attacker, on second and
> > subsequent attacks, gets a 403 error response.
> >
> > I want to extend the exclusion ability to every web site hosted on a
> > server. My preferred method is iptables. However, when breaking out of a
> > PHP script on a web page and running a normal iptables command, for
> > example:
> >
> > 	iptables -A 3temp -s 1.2.3.4 -j DROP
> >
> > iptables responds with:
> >
> > 	iptables v1.3.5: can't initialize iptables table
> > 	`filter': Permission denied
> > 	(you must be root)
> >
> > Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> > on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> > executable by all, fails to resolve the problem.
> >
> > Is there any method of running iptables from an Apache originated
> > process?
> 
> Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
> Have you looked at fail2ban and denyhosts? These apps seem to offer a
> similar solution.
----
fail2ban and denyhosts center on failed logins - I don't think this is
what he is dealing with.

Craig
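Added example (not from any poster in this thread): the "you must be root" error above is the expected outcome, and the defensible answer is not to give the apache user iptables rights but to split the job in two. The PHP error routine keeps doing what it already does for .htaccess, and additionally appends the offending address to a spool file; a separate root-owned job (cron or a small daemon, not shown here) reads that spool, validates every line strictly, and only then runs iptables, without a shell, against the '3temp' chain from the original post. The spool path, the sample spool contents and the `run` hook are assumptions made for this example; the validation is the security-relevant part, because the web tier is the least trusted writer of that file.

```python
"""Privilege-separated IP blocking for the scenario in this thread.

The unprivileged web process only appends candidate addresses to a spool
file.  A root-owned job parses the spool with this module and applies one
DROP rule per accepted address.  Everything that is not a single, public,
IPv4 address is rejected, so a compromised or buggy web script can neither
smuggle extra iptables arguments nor lock the server's own LAN out.

Example code added to the archive page; the spool path and sample data are
constructed, the chain name '3temp' comes from the original post.
"""
import ipaddress
import subprocess

CHAIN = "3temp"                       # chain used in the original post
SPOOL_PATH = "/var/spool/webblock/deny.txt"   # assumed; apache:rw, root reads

# Constructed spool contents: what a web process might have written.
SAMPLE_SPOOL = """\
1.2.3.4
1.2.3.4
10.0.0.5
1.2.3.4 -j ACCEPT
evil.example
2001:db8::1
5.6.7.8
"""


def parse_spool(text):
    """Split spool text into (accepted, rejected).

    Accepted entries are unique, globally routable IPv4 addresses as plain
    strings.  Rejected entries keep the raw line so the root job can log
    them; they include hostnames, anything with extra tokens, private or
    loopback ranges and IPv6 (which would need ip6tables, not this chain).
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)     # rejects "1.2.3.4 -j ACCEPT"
        except ValueError:
            rejected.append(line)
            continue
        if ip.version != 4 or not ip.is_global:
            rejected.append(line)
            continue
        if str(ip) not in accepted:
            accepted.append(str(ip))
    return accepted, rejected


def iptables_cmd(ip):
    """Argument vector for one DROP rule; executed without a shell."""
    return ["/sbin/iptables", "-A", CHAIN, "-s", ip, "-j", "DROP"]


def apply_blocks(spool_text, run=subprocess.run):
    """Parse the spool and run iptables once per accepted address.

    `run` is injectable so the logic can be exercised without root; the
    real job leaves the default, which invokes /sbin/iptables directly.
    Returns (applied, rejected).
    """
    accepted, rejected = parse_spool(spool_text)
    applied = []
    for ip in accepted:
        run(iptables_cmd(ip), check=True)
        applied.append(ip)
    return applied, rejected


if __name__ == "__main__":
    # Dry run on the constructed sample: print the commands instead of
    # executing them, so this can be tried as an ordinary user.
    applied, rejected = apply_blocks(SAMPLE_SPOOL,
                                     run=lambda cmd, check=True: print(" ".join(cmd)))
    print("applied:", applied)
    print("rejected:", rejected)
```

The root-side job would read SPOOL_PATH, call apply_blocks on its contents, truncate the file, and log the rejected lines; the spool directory should be writable by apache but the job itself must not be. Rules added this way live only until the next iptables restart, so persisting them (or periodically rebuilding the chain from a root-owned list) is a separate step.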

