On Sun, 2011-08-21 at 00:09 +0100, Always Learning wrote:
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache-originated
> process?
>
> Thank you.

----
If you are determined to do that (have user apache capable of making
changes to iptables), you can have your script do it as sudo and make an
entry in /etc/sudoers to allow user apache to execute /sbin/iptables
commands without a password.

Of course automated scripts can (and likely will) go haywire and
anything that automates adding iptables blocks is capable of blocking
you too, and I would highly suggest you rethink what you are doing. Also,
there's the subjectivity of what it is that constitutes 'an attack'.

Craig
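An added example, not from either poster, of what the sudo approach in the reply above looks like when the lockout risk Craig raises is taken seriously. Instead of letting the apache user run /sbin/iptables with arbitrary arguments, the assumed /etc/sudoers entry (shown in the comment) grants only a small wrapper at the hypothetical path /usr/local/sbin/block-ip, and the wrapper validates the address and refuses to block a constructed never-block list (loopback and an administrator address) before appending to the "3temp" chain from the original post. The chain, sudoers line, path and the never-block addresses are assumptions for illustration.

```shell
#!/bin/sh
# block-ip: the only command the web server may run as root.
# Assumed /etc/sudoers entry (edit with visudo), hypothetical wrapper path:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
# The PHP side then calls:  sudo /usr/local/sbin/block-ip 1.2.3.4

CHAIN="3temp"                      # chain name taken from the original post
NEVER_BLOCK="127.0.0.1 192.0.2.10" # constructed: loopback and an admin address

# is_ipv4 ADDR: succeed only for a plain dotted quad, each octet 0-255,
# no leading zeros (iptables may read them as octal), no extra tokens.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac
        [ ${#o} -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# may_block ADDR: reject malformed input and anything on the never-block
# list, so a misfiring detector cannot lock the administrator out.
may_block() {
    is_ipv4 "$1" || return 1
    for safe in $NEVER_BLOCK; do
        [ "$1" = "$safe" ] && return 1
    done
    return 0
}

# block_ip ADDR: append a DROP rule for ADDR to the chain. The iptables
# binary is taken from $IPTABLES so the script can be dry-run with a stub.
block_ip() {
    may_block "$1" || { echo "refusing to block '$1'" >&2; return 1; }
    "${IPTABLES:-/sbin/iptables}" -A "$CHAIN" -s "$1" -j DROP || return 1
    echo "blocked $1"
}

# Command-line use: block-ip ADDR
if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

Because the address is the only thing the caller controls and it is validated as a single dotted quad, the apache user cannot pass `-F`, a different chain, or a second rule through the sudo grant; the never-block list is the guard against the "blocking you too" failure Craig describes.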