[CentOS] Apache Changing IPtables C 5.6 via Apache

Sun Aug 21 00:03:57 UTC 2011
Craig White <craigwhite at azapple.com>

On Sun, 2011-08-21 at 00:09 +0100, Always Learning wrote:
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attackers IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
> 
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking-out of a
> PHP script on a web page and running a normal iptables command, for
> example:
> 
> 	iptables -A 3temp -s 1.2.3.4 -j DROP
> 
> iptables responds with:
> 
> 	iptables v1.3.5: can't initialize iptables table
> 	`filter': Permission denied
> 	(you must be root)
> 
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
> 
> Is there any method of running iptables from an Apache originated
> process?
> 
> Thank you.
----
If you are determined to do that (have user apache capable of making
changes to iptables), you can have your script do it as sudo and make an
entry in /etc/sudoers to allow user apache to execute /sbin/iptables
commands without a password.

Of course automated scripts can (and likely will) go haywire and
anything that automates adding iptables blocks is capable of blocking
you too and I would highly suggest you rethink what you are doing. Also,
there's the subjectivity of what it is that constitutes 'an attack'.

Craig
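One way to follow Craig's sudo suggestion while limiting the damage an errant or injected PHP value can do is to give apache sudo rights to a small wrapper rather than to /sbin/iptables itself. The wrapper below is an added example, not code from the thread or from CentOS; the path /usr/local/sbin/block-ip, the protected address 192.0.2.10 (a constructed documentation address standing in for the administrator's own host) and the sudoers lines are assumptions. It reuses the 3temp chain from the original post, accepts only a plain dotted-quad IPv4 address, refuses loopback and the protected list so the script cannot lock the administrator out, and checks for an existing rule with `iptables -n -L` because iptables 1.3.5 on CentOS 5 has no `-C` option.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/block-ip (added example, not from the thread).
# Assumed /etc/sudoers entries:
#   Defaults:apache !requiretty
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
# The PHP side then runs "sudo /usr/local/sbin/block-ip 1.2.3.4" instead of iptables.

IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=3temp   # the temporary chain used in the original post

# Addresses that must never be blocked: loopback plus, as a constructed example,
# the administrator's own host 192.0.2.10 (documentation address, not a real one).
NEVER_BLOCK="127.0.0.1 192.0.2.10"

# Return 0 only for a dotted quad: exactly four decimal octets in 0-255,
# no leading zeros, no whitespace, no shell or iptables metacharacters.
validate_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
        case $octet in 0?*) return 1 ;; esac   # reject 01, 007, ...
    done
    return 0
}

# Return 0 if the address is on the never-block list or in 127.0.0.0/8.
is_protected() {
    for p in $NEVER_BLOCK; do
        [ "$1" = "$p" ] && return 0
    done
    case $1 in 127.*) return 0 ;; esac
    return 1
}

# Return 0 if a DROP rule for the address already exists in the chain.
# iptables -n -L prints: target prot opt source destination
already_blocked() {
    "$IPTABLES" -n -L "$CHAIN" 2>/dev/null |
        awk -v ip="$1" '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'
}

# Append a single DROP rule for one validated address; never pass raw input on.
block_ip() {
    if ! validate_ipv4 "$1"; then
        echo "block-ip: refusing malformed address: $1" >&2
        return 2
    fi
    if is_protected "$1"; then
        echo "block-ip: refusing to block protected address: $1" >&2
        return 3
    fi
    already_blocked "$1" && return 0
    "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
}

# When invoked as a command (via sudo from the web application), block the one argument.
if [ "$#" -eq 1 ]; then
    block_ip "$1"
    exit $?
fi
```

The sudoers rule names the wrapper, not /sbin/iptables, so apache can only ever add a DROP to 3temp and cannot flush chains or insert ACCEPT rules; the CentOS 5 default `Defaults requiretty` has to be relaxed for the apache user or sudo will refuse to run from a non-interactive Apache process. The wrapper still inherits Craig's warning: it only lowers the cost of a bad decision about what "an attack" is, and the never-block list is the one safeguard against locking yourself out.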

