[CentOS] Apache Changing IPtables C 5.6 via Apache

Sun Aug 21 14:07:51 UTC 2011
Always Learning <centos at u61.u22.net>

On Sun, 2011-08-21 at 05:46 -0700, Craig White wrote:

> I'm going to present another view of what I think is a larger picture.
> 
> What you seem to want to do is to block host access (TCP possibly UDP)
> based upon certain GET/POST activities on your web server.

Yes, in this instance the annoying attacks of 200 attempts to break in
via phpMyAdmin, for example, or the stupid prats suffixing a correct web
page name with things like ...login and ...forgotten_password... and
...execute and ...sql... etc.  I don't want that crap.

> Thus you are
> attempting to create a curtain based upon things that have already
> failed and eventually you will get a huge IPTABLES filter that will slow
> up all traffic while parsing the rules.

Yes, create a curtain, but wrong about 'huge'. Attempts are made via
compromised IP addresses around the world by the same person or a group
of like-minded people. It is my intention to delete the contents of the
temporary iptables table often to prevent it becoming a liability.

I could probably achieve this by having two temporary tables (for
blocked IP addresses) and after a week or two delete the contents of one
table and then at another interval delete the contents of the second
table. This would provide a useful overlap and ensure an IP blocked
today is not 'freed' tomorrow when a temporary table's contents are
deleted.

Persistent offenders would have their IP address or their IP block, if a
data centre, permanently stored in another table (3web).

> I would suspect that this would
> also be the same system that is also the web server - thus you will slow
> down the very system you want to be fast. The entire predicate is
> reactive. You would also need to have a system to expire those rules
> after a period of time.

I can do a cron at a regular interval to flush the first temporary table
and a second cron job to flush the second temporary table. So not too
much effort involved.

> It's all a waste of energy focused on giving you
> satisfaction that you are at least doing something to block script
> kiddies.

It is a good programming and learning Linux exercise. I gain personally
from doing it. The ultimate objective is a smooth running system
although I am certain there will be other issues arising.

> You should spend the time protecting the server with good system
> administration... SELinux, which you state 'you are not using at the
> moment' is a prime example.

Yes you are correct. May have a look at it in a week or two. In the past
SELinux seems to stop things running which is not what I want.

> You should ensure that known attack vectors (first place to look is the
> very common php programs like phpmyadmin) are either not in use or at
> least always kept up to date and secured via access controls.

phpMyAdmin is definitely not available to the public. Absolutely not.
That was one of my very first priorities. I do not follow the /var/www
convention for locating public web pages. Every hosted web site is a
virtual site and entrance through the front door (the server's IP
addresses) is blocked and monitored.

> The security issues you should be worrying about are not the things that
> are getting logged - that's just a record of things that already didn't
> work.

I have introduced additional logging on things that work as well as on
things that do not work.

It is the things I am unaware of that present a danger. That is why I
try to block everything and specifically permit authorised things
through the firewall.  Obviously I am still learning and SELinux needs
some experimentation after I discover exactly how it works and the logic
behind it and the Linux 'labelling'.

Your /etc/sudoers is uppermost in my thoughts.

Thank you.


-- 
With best regards,

Paul.
England,
EU.
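Added example, not part of the thread: a sketch of the two-rotating-chains scheme Paul describes (two temporary block chains emptied on alternating weeks so that an address is never freed the day after it was blocked, plus a permanent chain for repeat offenders). The chain names BLOCK_A, BLOCK_B and BLOCK_3WEB, the IPT variable and the log lines are all constructed here; the script defaults to printing the iptables commands rather than running them, so it can be read and checked without root.

```shell
#!/bin/sh
# Constructed example of the rotating temporary block chains discussed above.
# Chain names, the IPT variable and the sample log are this example's own.
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies rules

# Week parity picks the temporary chain: even ISO weeks -> BLOCK_A, odd -> BLOCK_B.
chain_for_week() {
  if [ $(( $1 % 2 )) -eq 0 ]; then echo BLOCK_A; else echo BLOCK_B; fi
}

# One-time setup: create the three chains and hook them into INPUT.
setup_chains() {
  for c in BLOCK_3WEB BLOCK_A BLOCK_B; do
    $IPT -N "$c"
    $IPT -I INPUT -j "$c"
  done
}

# Weekly cron job, run at the start of week $1: empty the chain that is about
# to be reused.  An address added to the chain of week N is therefore kept
# through all of week N+1 and only dropped at the start of week N+2, so a
# block made on the last day of a week still lasts at least a week.
weekly_rotate() {
  $IPT -F "$(chain_for_week "$1")"
}

# Block one host in the current week's temporary chain.  $1 = address, $2 = ISO week.
block_ip() {
  $IPT -A "$(chain_for_week "$2")" -s "$1" -j DROP
}

# Permanent entry for persistent offenders (a host or a whole data-centre block).
block_permanent() {
  $IPT -A BLOCK_3WEB -s "$1" -j DROP
}

# Read an Apache combined-format access log on stdin and print the addresses
# that requested probe paths (phpmyadmin, login, forgotten_password, execute,
# sql) more than $1 times.  Field 7 of the combined format is the request path.
offenders() {
  awk -v limit="$1" '
    tolower($7) ~ /phpmyadmin|login|forgotten_password|execute|sql/ { n[$1]++ }
    END { for (ip in n) if (n[ip] > limit) print ip }' | sort
}

# Constructed sample log: 203.0.113.5 probes three times, 198.51.100.7 once.
SAMPLE_LOG='203.0.113.5 - - [21/Aug/2011:13:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 207
203.0.113.5 - - [21/Aug/2011:13:00:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 207
203.0.113.5 - - [21/Aug/2011:13:00:03 +0000] "GET /index.php/login HTTP/1.1" 404 207
198.51.100.7 - - [21/Aug/2011:13:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [21/Aug/2011:13:05:01 +0000] "GET /index.html/sql HTTP/1.1" 404 207'

# Demonstration (dry run unless IPT is overridden): block this week's offenders.
printf '%s\n' "$SAMPLE_LOG" | offenders 2 | while read -r ip; do
  block_ip "$ip" 34
done
```

To apply for real, run with IPT=iptables as root after setup_chains, call weekly_rotate from a Sunday cron entry with the current ISO week (`date +%V`), and feed offenders from the live access log at a shorter interval; the threshold keeps a single stray request from being blocked.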