On Sunday, August 21, 2011 08:46 PM, Craig White wrote:
> On Sun, 2011-08-21 at 02:00 +0100, Always Learning wrote:
>> On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
>>
>>> Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
>>> Have you looked at ? These apps seem to offer a
>>> similar solution.
>>
>> I'm not using SELinux at the moment simply because I don't have the time
>> to understand it. I'm a self-taught Linuxist. I believe it uses the
>> 'labels' inherent with every file description block.
>>
>> With Craig's SU suggestion, I believe my attack detection system will
>> successfully block the attacker's IP address on a server, and for
>> selected ports only.
>>
>> I will look at fail2ban and denyhosts and see how they can help.
> ----
> I'm going to present another view of what I think is a larger picture.
>
> What you seem to want to do is to block host access (TCP, possibly UDP)
> based upon certain GET/POST activities on your web server. Thus you are
> attempting to create a curtain based upon things that have already
> failed, and eventually you will get a huge IPTABLES filter that will slow
> up all traffic while parsing the rules. I would suspect that this would
> also be the same system that is also the web server - thus you will slow
> down the very system you want to be fast. The entire predicate is
> reactive. You would also need to have a system to expire those rules
> after a period of time. It's all a waste of energy focused on giving you
> satisfaction that you are at least doing something to block script
> kiddies.
>
is ipset stable yet? Maybe he is better off with two redundant OpenBSD boxes using pf to protect his boxes, and his apache instances scripting those bsd boxen's firewall rules.

/me loses the 'simple and works' challenge
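Craig's two objections, an ever-growing iptables chain and the need for something to expire the blocks, are what the ipset suggestion addresses: one `hash:ip` set created with a `timeout` and a single `-m set --match-set` rule, so the rule count never grows and the kernel drops each entry on its own when its timeout lapses. The sketch below is an added example, not code from the thread or from any of the posters; it parses a few constructed Apache combined-format log lines, counts 4xx/5xx responses per client IP over a sliding window, and emits the ipset commands it would run (the set name `webblock`, the threshold, the window and the 600-second timeout are all assumptions). It prints the commands instead of executing them, so it runs anywhere.

```python
"""Added example (not from the thread): log-driven blocking that hands
expiring entries to an ipset instead of appending iptables rules."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log line; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SET_NAME = "webblock"  # hypothetical set name (assumption)

# Constructed sample log; 198.51.100.7 and 203.0.113.9 are documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Aug/2011:20:46:01 +0100] "GET /old/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [21/Aug/2011:20:46:02 +0100] "GET /backup/ HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [21/Aug/2011:20:46:02 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "-"
198.51.100.7 - - [21/Aug/2011:20:46:03 +0100] "POST /login HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [21/Aug/2011:20:46:04 +0100] "GET /test/ HTTP/1.1" 404 210 "-" "-"
"""


def parse_line(line):
    """Return (ip, epoch_seconds, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    epoch = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), epoch, int(m.group("status"))


class Blocker:
    def __init__(self, threshold=3, window=60, block_seconds=600):
        self.threshold = threshold          # failures before blocking
        self.window = window                # seconds over which failures count
        self.block_seconds = block_seconds  # ipset entry timeout
        self.failures = defaultdict(deque)  # ip -> epochs of recent 4xx/5xx
        self.blocked = {}                   # ip -> expiry epoch (mirror of the kernel set)

    def setup_commands(self):
        """One set plus one iptables rule; the rule count never grows."""
        return [
            f"ipset create {SET_NAME} hash:ip timeout {self.block_seconds}",
            f"iptables -I INPUT -p tcp --dport 80 -m set --match-set {SET_NAME} src -j DROP",
        ]

    def prune(self, now):
        """Forget expired local entries; the kernel expires its own copy."""
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def observe(self, ip, epoch, status):
        """Feed one request; return the ipset command if the IP should be blocked now."""
        self.prune(epoch)
        if status < 400:
            return None
        q = self.failures[ip]
        q.append(epoch)
        while q and q[0] < epoch - self.window:  # drop failures outside the window
            q.popleft()
        if len(q) < self.threshold or ip in self.blocked:
            return None
        self.blocked[ip] = epoch + self.block_seconds
        q.clear()
        return f"ipset -exist add {SET_NAME} {ip} timeout {self.block_seconds}"


def commands_for(lines, blocker=None):
    """Run the log lines through a Blocker and collect the add commands."""
    blocker = blocker or Blocker()
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = blocker.observe(*rec)
        if cmd:
            out.append(cmd)
    return out


if __name__ == "__main__":
    b = Blocker()
    for cmd in b.setup_commands() + commands_for(SAMPLE_LOG.splitlines(), b):
        print(cmd)
```

Whatever the trigger condition, the point is structural: the filter stays at one rule, blocked hosts live in a hash set that the kernel checks in constant time, and expiry is handled by the set's own timeout rather than by a cron job walking the chain.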