On Sun, 2011-08-21 at 00:09 +0100, Always Learning wrote:
When a web site is attacked, so far by unsuccessful hackers, my error routine adds the attackers IP address, prefixed by 'deny', to that web site's .htaccess file. It works and the attacker, on second and subsequent attacks, gets a 403 error response.
I want to extend the exclusion ability to every web site hosted on a server. My preferred method is iptables. However, when breaking-out of a PHP script on a web page and running a normal iptables command, for example:
iptables -A 3temp -s 1.2.3.4 -j DROP
iptables responds with:
iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root)
Executing 'whoami' confirms Apache is the user. Giving Apache group rw on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is executable by all, fails to resolve the problem.
Is there any method of running iptables from an Apache originated process ?
Thank you.
---- If you are determined to do that (have user apache capable of making changes to iptables), you can have your script do it as sudo and make an entry in /etc/sudoers to allow user apache to execute /sbin/iptables commands without a password.
Of course automated scripts can (and likely will) go haywire and anything that automates adding iptables blocks is capable of blocking you too and I would highly suggest you rethink what you are doing. Also, there's also the subjectivity of what it is that constitues 'an attack'.
Craig