On 08/21/2011 01:09 AM, Always Learning wrote:
>
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on /etc/sysconfig/iptables and ensuring /sbin/iptables is
> executable by all fails to resolve the problem.
>
> Is there any method of running iptables from an Apache-originated
> process?

Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?

Have you looked at fail2ban and denyhosts? These apps seem to offer a
similar solution.

Regards,
Patrick
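As an added illustration (not code from either poster), the fail2ban-style approach Patrick points to, in outline: parse the access log offline, count error responses per client, and only ever hand a validated IPv4 address, as an argument list rather than a shell string, to whatever root-privileged helper is allowed to run the `iptables -A 3temp -s ... -j DROP` command from the question. The log lines and the chain name's use are constructed for the example; the privileged helper is assumed, not shown.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-format log lines for the example (not real traffic).
# The last line has a non-address client field to show it is rejected, never forwarded.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2011:01:00:01 +0100] "GET /admin.php HTTP/1.1" 404 512 "-" "scanner"
203.0.113.7 - - [21/Aug/2011:01:00:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "scanner"
203.0.113.7 - - [21/Aug/2011:01:00:03 +0100] "GET /wp-login.php HTTP/1.1" 404 512 "-" "scanner"
198.51.100.4 - - [21/Aug/2011:01:00:04 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla"
bad.host.example - - [21/Aug/2011:01:00:05 +0100] "GET / HTTP/1.1" 404 0 "-" "junk"
"""

# client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def offending_clients(log_text, threshold=3, statuses=("403", "404")):
    """Return the sorted, validated IPv4 addresses that produced at least
    `threshold` responses with one of `statuses`.  Client fields that are
    not a syntactically valid IPv4 address are dropped here, so nothing
    unvalidated can reach the firewall command later."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") not in statuses:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("client"))
        except ipaddress.AddressValueError:
            continue
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)


def iptables_argv(ip, chain="3temp"):
    """Argument vector for the DROP rule from the question, built as a list
    (no shell, so no quoting surprises) after revalidating the address.
    Assumes a separate root-privileged helper (e.g. a sudoers rule limited
    to exactly this command) actually executes it; Apache itself cannot."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not an address
    return ["iptables", "-A", chain, "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip in offending_clients(SAMPLE_LOG):
        print(" ".join(iptables_argv(ip)))
```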