On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
> On 08/21/2011 01:09 AM, Always Learning wrote:
> >
> > When a web site is attacked, so far by unsuccessful hackers, my error
> > routine adds the attacker's IP address, prefixed by 'deny', to that web
> > site's .htaccess file. It works and the attacker, on second and
> > subsequent attacks, gets a 403 error response.
> >
> > I want to extend the exclusion ability to every web site hosted on a
> > server. My preferred method is iptables. However, when breaking out of a
> > PHP script on a web page and running a normal iptables command, for
> > example:
> >
> > iptables -A 3temp -s 1.2.3.4 -j DROP
> >
> > iptables responds with:
> >
> > iptables v1.3.5: can't initialize iptables table `filter': Permission denied
> > (you must be root)
> >
> > Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> > on /etc/sysconfig/iptables and ensuring /sbin/iptables is
> > executable by all fails to resolve the problem.
> >
> > Is there any method of running iptables from an Apache-originated
> > process?
>
> Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
> Have you looked at fail2ban and denyhosts? These apps seem to offer a
> similar solution.

----
fail2ban and denyhosts center on failed logins - I don't think this is
what he is dealing with.

Craig
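An added example, not code from anyone in this thread, showing the usual alternative to giving the Apache user any route to iptables: the PHP handler only appends the offending address to a spool file it owns, and a root-run cron job validates each line and applies the rule. Because the spool contents originate from attacker-influenced requests, the strict address check before the root-executed command is the important part. SPOOL and the spool layout are assumptions; 3temp is the chain named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): privilege separation for banning
# addresses from a web process. Apache never runs iptables; it appends
# one address per line to $SPOOL. Root runs apply_spool from cron.
# SPOOL and CHAIN defaults are assumptions (3temp is the thread's chain).

SPOOL="${SPOOL:-/var/spool/webban/queue}"
CHAIN="${CHAIN:-3temp}"

# Strict dotted-quad check. Anything that is not exactly four octets of
# 0-255 is rejected before it can reach a root-executed command: no
# spaces, no shell metacharacters, no extra iptables arguments, no
# leading/trailing/double dots, no empty input.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule that would be applied for one address; fails on bad input.
rule_for() {
    is_ipv4 "$1" || return 1
    printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$1"
}

# Run as root (e.g. from cron every minute): apply every valid line,
# log every rejected one, then truncate the spool.
apply_spool() {
    [ -r "$SPOOL" ] || return 0
    while IFS= read -r addr; do
        if is_ipv4 "$addr"; then
            iptables -A "$CHAIN" -s "$addr" -j DROP
        else
            logger -t webban "rejected spool entry: $addr"
        fi
    done < "$SPOOL"
    : > "$SPOOL"
}
```

The spool directory should be writable only by the web server user and readable by root, so a web-side compromise can at most queue bogus addresses, which the validation then drops.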