[CentOS] Apache Changing IPtables C 5.6 via Apache

Christopher Chan christopher.chan at bradbury.edu.hk
Sun Aug 21 13:28:51 UTC 2011


On Sunday, August 21, 2011 08:46 PM, Craig White wrote:
> On Sun, 2011-08-21 at 02:00 +0100, Always Learning wrote:
>> On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
>>
>>> Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
>>> Have you looked at ? These apps seem to offer a
>>> similar solution.
>>
>> I'm not using SELinux at the moment simply because I don't have the time
>> to understand it. I'm a self-taught Linuxist. I believe it uses the
>> 'labels' inherent with every file description block.
>>
>> With Craig's SU suggestion, I believe my attack detection system will
>> successfully block the attacker's IP address on a server and for
>> selected ports only.
>>
>> I will look at fail2ban and denyhosts and see how they can help.
> ----
> I'm going to present another view of what I think is a larger picture.
>
> What you seem to want to do is to block host access (TCP possibly UDP)
> based upon certain GET/POST activities on your web server. Thus you are
> attempting to create a curtain based upon things that have already
> failed and eventually you will get a huge IPTABLES filter that will slow
> up all traffic while parsing the rules. I would suspect that this would
> also be the same system that is also the web server - thus you will slow
> down the very system you want to be fast. The entire predicate is
> reactive. You would also need to have a system to expire those rules
> after a period of time. It's all a waste of energy focused on giving you
> satisfaction that you are at least doing something to block script
> kiddies.
>

Is ipset stable yet? Maybe he is better off with two redundant OpenBSD
boxes using pf to protect his boxes, and his Apache instances scripting
those BSD boxen's firewall rules.

/me loses the 'simple and works' challenge
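As an added example (not code from this thread, from CentOS, or from any poster), here is a small POSIX sh wrapper along the lines the thread is circling: one iptables rule that consults an ipset with a per-entry timeout, so the chain does not grow by one rule per blocked address and entries expire on their own instead of needing a separate clean-up job. The names SET_NAME, BLOCK_SECONDS, DRY_RUN, setup_blocklist, block_ip and unblock_ip are chosen here; the script assumes an ipset build with timeout support and an iptables with the "set" match, and it expects to run as root (for instance through a tightly scoped sudo entry for the web server user, in the spirit of the su suggestion earlier in the thread). With DRY_RUN=1 it prints the privileged commands instead of executing them, which is also how it can be checked without touching a firewall.

```shell
#!/bin/sh
# Added example, not from the thread: an expiring blocklist using one
# iptables rule plus an ipset, instead of one iptables rule per attacker.
# Assumed names: SET_NAME, BLOCK_SECONDS, DRY_RUN (all chosen here).
# Assumed tools: ipset with "timeout" support, iptables with the "set" match.
# Run as root; with DRY_RUN=1 the privileged commands are printed, not run.

SET_NAME="${SET_NAME:-web_blocklist}"
BLOCK_SECONDS="${BLOCK_SECONDS:-3600}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
# Whatever the web application hands over is refused unless it is exactly
# that, so nothing else ever reaches a root-level command line.
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|????*) return 1 ;;   # empty octet, or more than three digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time setup: create the set and the single iptables rule that consults
# it. However many addresses are added later, the chain keeps one rule.
setup_blocklist() {
    run ipset create "$SET_NAME" hash:ip timeout "$BLOCK_SECONDS" -exist
    run iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Block an address for BLOCK_SECONDS. The kernel removes the entry when the
# timeout runs out, so no cron job is needed to expire old blocks; -exist
# refreshes the timer if the address is already listed.
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: refusing '$1'" >&2; return 1; }
    run ipset add "$SET_NAME" "$1" timeout "$BLOCK_SECONDS" -exist
}

# Remove an address early, e.g. after a false positive.
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: refusing '$1'" >&2; return 1; }
    run ipset del "$SET_NAME" "$1" -exist
}

# Command-line entry point; with no arguments only the functions are defined.
case "${1:-}" in
    setup)   setup_blocklist ;;
    block)   block_ip "${2:-}" ;;
    unblock) unblock_ip "${2:-}" ;;
    '')      : ;;
    *)       echo "usage: $0 setup | block ADDR | unblock ADDR" >&2; exit 2 ;;
esac
```

Usage: run `setup` once at boot, then `block ADDR` from the detection side and, if needed, `unblock ADDR`; the address check is the one part worth keeping even if the rest is replaced, since it is the boundary between untrusted request data and a command run as root.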