On Sat, 2011-08-20 at 17:03 -0700, Craig White wrote:
> If you are determined to do that (have user apache capable of making
> changes to iptables), you can have your script do it as sudo and make an
> entry in /etc/sudoers to allow user apache to execute /sbin/iptables
> commands without a password.

Thank you. I will try that. Having read the file it seems ideal.

> Of course automated scripts can (and likely will) go haywire and
> anything that automates adding iptables blocks is capable of blocking
> you too and I would highly suggest you rethink what you are doing. Also,
> there's also the subjectivity of what it is that constitutes 'an attack'.

My scripts are generally well behaved, but then I usually test them
extensively. The proposed iptables changes are to place IP addresses in a
spare iptables table and block them. If it works well for one IP address
it should work successfully for subsequent ones.

I am acutely conscious of being locked out. I can get in remotely via the
console. However the very first entries in every server's iptables have
always been to allow 3 static IPs access. 3test comes later on in the
sequence, ensuring what happens there should never lock me out.

(approved static IPs)
0banned
1approved
2emails
3temp
3web
4permit
5drop

A daily reader of Logwatch, I don't like seeing the same weirdo attacking
different web sites hosted on the same server. I also get an instant email
for every web page error on every site. Banning an IP address from a
server as soon as the first detected hacking occurs seems a welcome
improvement to writing to one web site's .htaccess file.

Thank you for your good suggestion. It is appreciated.

--
With best regards,
Paul.
England, EU.
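The ban helper this thread describes, as an added example that is not Paul's or Craig's code: it validates the address, refuses the approved static IPs so an automated ban can never lock the admin out, and emits an idempotent DROP rule for a dedicated 0banned chain. The sudoers line, the chain name and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a ban helper in the spirit of Paul's
# setup, where the first INPUT rules ACCEPT three static admin addresses and a
# dedicated "0banned" chain is consulted later. Assumed (hypothetical) sudoers
# entry letting the web server user run it without a password:
#   apache ALL=(root) NOPASSWD: /sbin/iptables

# The admin addresses that must never be banned (constructed sample values).
APPROVED="192.0.2.10 192.0.2.11 198.51.100.5"

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. Anything else
# (hostnames, shell metacharacters, empty input) is rejected before it can
# reach the iptables command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is one of the approved admin addresses.
is_approved() {
    for a in $APPROVED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Print the iptables command that bans $1, or fail (1: bad input, 2: approved
# address) without touching the firewall. "-C" tests whether the rule already
# exists, so repeated detections of the same address do not pile up duplicates.
ban_cmd() {
    is_ipv4 "$1" || { echo "refusing: not an IPv4 address: $1" >&2; return 1; }
    is_approved "$1" && { echo "refusing: $1 is an approved admin address" >&2; return 2; }
    printf 'sudo /sbin/iptables -C 0banned -s %s -j DROP 2>/dev/null || sudo /sbin/iptables -I 0banned -s %s -j DROP\n' "$1" "$1"
}

# Apply the ban; set DRY_RUN=1 to print the command instead of running it.
ban_ip() {
    cmd=$(ban_cmd "$1") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
}
```

Hooking the chain into INPUT after the admin ACCEPT rules (iptables -A INPUT -j 0banned) is done once by hand; the script only ever touches the 0banned chain.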