On Sunday, August 21, 2011 08:46 PM, Craig White wrote:
On Sun, 2011-08-21 at 02:00 +0100, Always Learning wrote:
On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables? Have you looked at ? These apps seem to offer a similar solution.
I'm not using SELinux at the moment simply because I don't have the time to understand it. I'm a self-taught Linuxist. I believe it uses the 'labels' inherent with every file description block.
With Craig's SU suggestion, I believe my attack detection system will successfully block the attacker's IP address on a server and for selected ports only.
I will look at fail2ban and denyhosts and see how they can help.
I'm going to present another view of what I think is a larger picture.
What you seem to want to do is to block host access (TCP possibly UDP) based upon certain GET/POST activities on your web server. Thus you are attempting to create a curtain based upon things that have already failed and eventually you will get a huge IPTABLES filter that will slow up all traffic while parsing the rules. I would suspect that this would also be the same system that is also the web server - thus you will slow down the very system you want to be fast. The entire predicate is reactive. You would also need to have a system to expire those rules after a period of time. It's all a waste of energy focused on giving you satisfaction that you are at least doing something to block script kiddies.
Is ipset stable yet? Maybe he is better off with two redundant OpenBSD boxes using pf to protect his boxes, and his apache instances scripting those BSD boxen's firewall rules.
/me loses the 'simple and works' challenge
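As an added illustration of the points raised in this thread (not code from any of the posters): Craig's objections are that blocking on failed GET/POST activity is reactive, that a flat iptables chain grows until it slows every packet, and that bans need to expire; the last reply suggests ipset. The sketch below reads Apache-style access-log lines, counts probe responses (403/404) per client IP inside a short window, bans an IP for a fixed TTL, and expires bans locally. Instead of appending iptables rules it emits `ipset add ... timeout` commands, so the kernel does the per-entry expiry in one hash lookup rather than walking a rule list. The set name `webprobes`, the thresholds, the log lines and the client addresses (TEST-NET ranges) are all constructed for this example; running the emitted commands needs ipset support in the kernel and iptables, which is assumed, and the script itself only builds the command strings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format fields a blocker needs: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tunables (constructed for the example, not recommendations).
PROBE_STATUSES = {403, 404}          # responses that typical scanners pile up
THRESHOLD = 3                        # probe hits inside WINDOW before banning
WINDOW = timedelta(seconds=60)
BAN_TTL = timedelta(seconds=600)
SET_NAME = "webprobes"               # hypothetical ipset name; one-time setup:
#   ipset create webprobes hash:ip timeout 600
#   iptables -I INPUT -m set --match-set webprobes src -j DROP

# Constructed sample access-log lines (TEST-NET addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2011:20:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 291 "-" "-"',
    '198.51.100.20 - - [21/Aug/2011:20:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [21/Aug/2011:20:00:03 +0000] "GET /pma/ HTTP/1.1" 404 291 "-" "-"',
    '203.0.113.7 - - [21/Aug/2011:20:00:04 +0000] "POST /admin/login.php HTTP/1.1" 404 291 "-" "-"',
    '198.51.100.20 - - [21/Aug/2011:20:00:05 +0000] "GET /missing.png HTTP/1.1" 404 291 "-" "-"',
    '203.0.113.7 - - [21/Aug/2011:20:15:00 +0000] "GET /setup.php HTTP/1.1" 404 291 "-" "-"',
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


class ReactiveBlocker:
    """Per-IP sliding-window counter with time-limited bans.

    The clock is the log timestamp, so the run is deterministic and offline.
    """

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> timestamps of probe hits in WINDOW
        self.bans = {}                     # ip -> time the ban lapses
        self.commands = []                 # ipset commands that would be executed

    def _expire(self, now):
        # Mirror the kernel-side ipset timeout locally so we never re-add a live ban
        # and never keep an address on the list longer than BAN_TTL.
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]

    def observe(self, rec):
        """Feed one parsed record; return the ban command if one was issued."""
        now = rec["ts"]
        self._expire(now)
        if rec["status"] not in PROBE_STATUSES:
            return None
        hits = self.recent[rec["ip"]]
        hits.append(now)
        while hits and now - hits[0] > WINDOW:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= THRESHOLD and rec["ip"] not in self.bans:
            self.bans[rec["ip"]] = now + BAN_TTL
            hits.clear()
            cmd = "ipset add %s %s timeout %d" % (
                SET_NAME, rec["ip"], int(BAN_TTL.total_seconds()))
            self.commands.append(cmd)
            return cmd
        return None


def process_log(lines):
    """Run the blocker over an iterable of raw log lines and return it."""
    blocker = ReactiveBlocker()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            blocker.observe(rec)
    return blocker


if __name__ == "__main__":
    result = process_log(SAMPLE_LOG)
    for cmd in result.commands:
        print(cmd)
    print("bans still active:", sorted(result.bans))
```

On the sample, 203.0.113.7 reaches three 404s within a minute and gets one `ipset add ... timeout 600`; the legitimate client with a single missing image is never banned, and by the last line (fifteen minutes later) the ban has lapsed, so the active list is empty. Because matching happens through one `-m set` rule, the iptables chain stays the same length no matter how many addresses are banned, which is the part of Craig's concern that ipset addresses; the detection itself is still reactive.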