On Sun, 2011-08-21 at 02:00 +0100, Always Learning wrote:
On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables? Have you looked at ? These apps seem to offer a similar solution.
I'm not using SELinux at the moment simply because I don't have the time to understand it. I'm a self-taught Linuxist. I believe it uses the 'labels' inherent with every file description block.
With Craig's SU suggestion, I believe my attack detection system will successfully block the attacker's IP address on a server and for selected ports only.
I will look at fail2ban and denyhosts and see how they can help.
---- I'm going to present another view of what I think is a larger picture.
What you seem to want to do is to block host access (TCP possibly UDP) based upon certain GET/POST activities on your web server. Thus you are attempting to create a curtain based upon things that have already failed and eventually you will get a huge IPTABLES filter that will slow up all traffic while parsing the rules. I would suspect that this would also be the same system that is also the web server - thus you will slow down the very system you want to be fast. The entire predicate is reactive. You would also need to have a system to expire those rules after a period of time. It's all a waste of energy focused on giving you satisfaction that you are at least doing something to block script kiddies.
You should spend the time protecting the server with good system administration... SELinux, which you state 'you are not using at the moment' is a prime example.
You should ensure that known attack vectors (first place to look is the very common php programs like phpmyadmin) are either not in use or at least always kept up to date and secured via access controls.
The security issues you should be worrying about are not the things that are getting logged - that's just a record of things that already didn't work.
Craig
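Craig's two practical objections (rules that never expire, and a filter that grows without bound) are easy to see in a small model. The following is an added example written for this page, not code posted by anyone in the thread: it scans constructed Apache access-log lines for probes of the phpMyAdmin paths mentioned above, bans a source only after repeated hits inside a short window, expires each ban after a TTL, caps the table size, and only emits the iptables commands it would run instead of executing them. The thresholds, TTL, port list and the TEST-NET addresses in the sample log are assumptions chosen for illustration.

```python
"""Bounded, expiring ban table fed by web-server log lines (added example).

Nothing here calls iptables; rule_commands() only returns the command
strings so the logic can be tested offline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical policy values (assumptions for this example, not from the thread).
BAN_TTL = 600                     # seconds a ban stays in the table
THRESHOLD = 3                     # probe hits inside WINDOW before banning
WINDOW = 120                      # seconds
MAX_BANS = 1000                   # hard cap so the rule set cannot grow forever
PROTECTED_PORTS = (80, 443)       # block only the web ports, as the thread suggests
PROBE_PREFIXES = ("/phpmyadmin", "/pma", "/myadmin")   # phpMyAdmin scanner paths

# Common Log Format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, path, epoch_seconds) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), m.group("path"), ts


class BanTable:
    def __init__(self, ttl=BAN_TTL, threshold=THRESHOLD, window=WINDOW, max_bans=MAX_BANS):
        self.ttl, self.threshold, self.window, self.max_bans = ttl, threshold, window, max_bans
        self.hits = defaultdict(list)   # ip -> timestamps of recent probe hits
        self.bans = {}                  # ip -> expiry timestamp

    def expire(self, now):
        """Drop every ban whose TTL has passed; return the released IPs."""
        released = [ip for ip, exp in self.bans.items() if exp <= now]
        for ip in released:
            del self.bans[ip]
        return released

    def observe(self, ip, path, now):
        """Record a probe hit for ip; return True if it triggers a new ban."""
        if ip in self.bans or not path.lower().startswith(PROBE_PREFIXES):
            return False
        recent = [t for t in self.hits[ip] if now - t <= self.window]
        recent.append(now)
        self.hits[ip] = recent
        if len(recent) < self.threshold:
            return False
        if len(self.bans) >= self.max_bans:
            # Table full: evict the ban closest to expiry to keep the filter bounded.
            del self.bans[min(self.bans, key=self.bans.get)]
        self.bans[ip] = now + self.ttl
        del self.hits[ip]
        return True

    @staticmethod
    def rule_commands(ip, action):
        """iptables commands for 'ban' (insert) or 'unban' (delete), per protected port."""
        flag = "-I" if action == "ban" else "-D"
        return [f"iptables {flag} INPUT -s {ip} -p tcp --dport {port} -j DROP"
                for port in PROTECTED_PORTS]


def process_log(lines, table=None):
    """Replay log lines in order; return the table and the (action, ip) events."""
    table = table or BanTable()
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, now = parsed
        for released in table.expire(now):
            events.append(("unban", released))
        if table.observe(ip, path, now):
            events.append(("ban", ip))
    return table, events


# Constructed sample log (TEST-NET addresses); 192.0.2.10 probes three times
# inside the window, 203.0.113.5 probes slowly enough to stay under the threshold.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2011:02:00:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 291',
    '203.0.113.5 - - [21/Aug/2011:02:00:05 +0100] "GET /pma/ HTTP/1.1" 404 284',
    '192.0.2.10 - - [21/Aug/2011:02:00:10 +0100] "GET /PhpMyAdmin/scripts/setup.php HTTP/1.1" 404 310',
    '198.51.100.7 - - [21/Aug/2011:02:00:15 +0100] "GET /index.html HTTP/1.1" 200 1523',
    '192.0.2.10 - - [21/Aug/2011:02:00:20 +0100] "GET /myadmin/ HTTP/1.1" 404 288',
    '203.0.113.5 - - [21/Aug/2011:02:03:00 +0100] "GET /pma/ HTTP/1.1" 404 284',
    '192.0.2.10 - - [21/Aug/2011:02:05:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 291',
    '203.0.113.5 - - [21/Aug/2011:02:06:00 +0100] "GET /myadmin/ HTTP/1.1" 404 288',
    '198.51.100.7 - - [21/Aug/2011:02:11:00 +0100] "GET /about.html HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    _, evts = process_log(SAMPLE_LOG)
    for action, ip in evts:
        for cmd in BanTable.rule_commands(ip, action):
            print(cmd)
```

Replaying the sample produces one ban for 192.0.2.10 at its third probe and one unban ten minutes later; the slow scanner never crosses the threshold and the legitimate client is never touched. The TTL and the cap are what keep the filter from becoming the ever-growing rule list Craig warns about; in practice the same shape is what fail2ban's jails implement, with the added step of actually writing the rules.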