[CentOS] Apache Changing IPtables C 5.6 via Apache

Sun Aug 21 12:46:18 UTC 2011
Craig White <craigwhite at azapple.com>

On Sun, 2011-08-21 at 02:00 +0100, Always Learning wrote:
> On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:
> 
> > Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
> > Have you looked at ? These apps seem to offer a 
> > similar solution.
> 
> I'm not using SELinux at the moment simply because I don't have the time
> to understand it. I'm a self-taught Linuxist. I believe it uses the
> 'labels' inherent with every file description block.
> 
> With Craig's SU suggestion, I believe my attack detection system will
> successfully block the attacker's IP address on a server and for
> selected ports only.
> 
> I will look at fail2ban and denyhosts and see how they can help.
----
I'm going to present another view of what I think is a larger picture.

What you seem to want to do is to block host access (TCP possibly UDP)
based upon certain GET/POST activities on your web server. Thus you are
attempting to create a curtain based upon things that have already
failed and eventually you will get a huge IPTABLES filter that will slow
up all traffic while parsing the rules. I would suspect that this would
also be the same system that is also the web server - thus you will slow
down the very system you want to be fast. The entire predicate is
reactive. You would also need to have a system to expire those rules
after a period of time. It's all a waste of energy focused on giving you
satisfaction that you are at least doing something to block script
kiddies.

You should spend the time protecting the server with good system
administration... SELinux, which you state 'you are not using at the
moment' is a prime example.

You should ensure that known attack vectors (first place to look is the
very common php programs like phpmyadmin) are either not in use or at
least always kept up to date and secured via access controls.

The security issues you should be worrying about are not the things that
are getting logged - that's just a record of things that already didn't
work.

Craig

