[CentOS] Apache Changing IPtables C 5.6 via Apache

Patrick Lists centos-list at puzzled.xs4all.nl
Sun Aug 21 00:50:53 UTC 2011


On 08/21/2011 01:09 AM, Always Learning wrote:
>
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> 	iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> 	iptables v1.3.5: can't initialize iptables table
> 	`filter': Permission denied
> 	(you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache originated
> process?

Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
Have you looked at fail2ban and denyhosts? These apps seem to offer a 
similar solution.

Regards,
Patrick
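A privilege-separated alternative to calling iptables from the Apache process itself, added here as an example and not part of the thread: the web-side error routine only appends the offending address to a spool file that the apache user can write, and this root-run script (from cron, for instance) validates every entry before applying the `-A 3temp -s <ip> -j DROP` rule quoted above. The spool path and the exact chain handling are assumptions; the sample input is constructed.

```python
"""Privilege-separated blocklist applier (constructed example, not from the thread).
The web process (user apache) only appends candidate addresses to a spool file;
this script runs as root from cron and is the only thing that calls iptables,
so Apache never needs root or write access to the iptables configuration."""
import ipaddress
import subprocess
import sys
from typing import Iterable, List

CHAIN = "3temp"                      # chain name from the thread
SPOOL = "/var/spool/webdeny/ips"     # assumed path, writable by apache


def parse_spool(lines: Iterable[str]) -> List[str]:
    """Return unique, syntactically valid, globally routable IPv4 addresses,
    one per spool line. Anything else is dropped, so a compromised web
    process cannot smuggle extra iptables arguments or lock out admins."""
    seen, result = set(), []
    for raw in lines:
        token = raw.strip()
        if not token or token.startswith("#"):
            continue
        try:
            ip = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue
        if not ip.is_global or str(ip) in seen:   # skips RFC1918, loopback, dupes
            continue
        seen.add(str(ip))
        result.append(str(ip))
    return result


def build_commands(ips: Iterable[str], chain: str = CHAIN) -> List[List[str]]:
    """One argv list per address for the rule quoted in the thread; argv
    lists (no shell) mean nothing in the spool is ever shell-interpreted."""
    return [["/sbin/iptables", "-A", chain, "-s", ip, "-j", "DROP"] for ip in ips]


def apply_blocklist(lines: Iterable[str], chain: str = CHAIN, run=subprocess.run):
    """Validate the spool lines and apply each rule; returns what was applied."""
    cmds = build_commands(parse_spool(lines), chain)
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else SPOOL) as spool:
        print(f"applied {len(apply_blocklist(spool))} rule(s)")
```

Because the rules are appended to the same chain on every run, a production version would also truncate the spool after a successful pass or check for an existing rule with `iptables -C` before appending.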
