On Sat, 2011-08-20 at 17:03 -0700, Craig White wrote:
> If you are determined to do that (have user apache capable of making changes to iptables), you can have your script do it as sudo and make an entry in /etc/sudoers to allow user apache to execute /sbin/iptables commands without a password.
Thank you. I will try that. Having read the file it seems ideal.
> Of course automated scripts can (and likely will) go haywire and anything that automates adding iptables blocks is capable of blocking you too and I would highly suggest you rethink what you are doing. Also, there's the subjectivity of what it is that constitutes 'an attack'.
My scripts are generally well behaved, but then I usually test them extensively. The proposed iptables changes are to place IP addresses in a spare iptables table and block them. If it works well for one IP address it should work successfully for subsequent ones.
I am acutely conscious of being locked out. I can get in remotely via the console. However the very first entries in every server's iptables have always been to allow 3 static IPs access. 3test comes later on in the sequence, ensuring what happens there should never lock me out.
(approved static IPs) 0banned 1approved 2emails 3temp 3web 4permit 5drop
A daily reader of Logwatch, I don't like seeing the same weirdo attacking different web sites hosted on the same server. I also get an instant email for every web page error on every site. Banning an IP address from a server as soon as the first detected hacking occurs seems a welcome improvement to writing to one web site's .htaccess file.
Thank you for your good suggestion. It is appreciated.
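The approach discussed in this exchange (a sudoers entry letting user apache run /sbin/iptables, and a dedicated chain such as 0banned holding the blocked addresses), as an added example that is code from neither poster: a small POSIX sh wrapper that only accepts a plain dotted-quad IPv4 address and refuses the administrator's own approved static IPs before it ever calls iptables, which addresses the lock-out risk raised above. The sudoers line in the comment, the chain name 0banned (taken from the chain list in the reply), and the APPROVED address list are assumptions and placeholders, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a guarded wrapper for the
# "apache runs /sbin/iptables via sudo" approach discussed above.
#
# Assumed /etc/sudoers entry (edit with visudo). It is limited to one
# command shape, so apache cannot run arbitrary iptables operations:
#   apache ALL=(root) NOPASSWD: /sbin/iptables -I 0banned -s * -j DROP
#
# Guard 1: refuse anything that is not a plain dotted-quad IPv4 address,
#          so a crafted log string can never become extra iptables arguments.
# Guard 2: refuse the administrator's own static addresses (the
#          "approved static IPs" kept at the top of the rule set), so a
#          misfiring script cannot lock the admin out.

IPTABLES="${IPTABLES:-sudo /sbin/iptables}"   # override (e.g. echo) for dry runs
CHAIN="${CHAIN:-0banned}"                     # chain name taken from the reply
# Constructed placeholder list; replace with the real approved addresses.
APPROVED="${APPROVED:-192.0.2.10 192.0.2.11 192.0.2.12}"

# is_ipv4 ADDR -> 0 if ADDR is a valid dotted-quad IPv4 address, 1 otherwise
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # wrong characters or stray dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                             # split on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# is_approved ADDR -> 0 if ADDR is in the APPROVED list, 1 otherwise
is_approved() {
    for a in $APPROVED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# ban_ip ADDR -> inserts a DROP rule for ADDR into $CHAIN.
# Returns 2 for an invalid address, 3 for an approved address,
# otherwise the exit status of the iptables command.
ban_ip() {
    is_ipv4 "$1"     || { echo "ban_ip: invalid address '$1'" >&2; return 2; }
    is_approved "$1" && { echo "ban_ip: refusing to ban approved address $1" >&2; return 3; }
    $IPTABLES -I "$CHAIN" -s "$1" -j DROP
}
```

Run it with IPTABLES=echo first to see the exact rule it would insert; because the sudoers entry pins the command shape, any change to the arguments the wrapper builds must be mirrored in sudoers or sudo will prompt for a password and the script will stall.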