[CentOS] Permissions for LAMP

Sat Jan 25 20:40:30 UTC 2014
Always Learning <centos at u62.u22.net>

On Sat, 2014-01-25 at 10:00 -0800, John R Pierce wrote:


> re: your intrusion detection system, mod_evasive is a useful tool for 
> creating such.

Mine works like this:

1. All errors 301, 302, 400, 401, 403, 500 etc are sent to a standard
PHP file

	ErrorDocument 401 /error.php?code=401

2. In that php file, the original HTTP method etc. are extracted

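$code      = $_GET['code'];                         // status code passed in by ErrorDocument
$method0   = @$_SERVER['REDIRECT_REQUEST_METHOD'];  // method of the original request
$method    = $_SERVER['REQUEST_METHOD'];            // method of the internal redirect
$mm        = date('m');                             // two-digit month, used in the table name
$webpage   = $_SERVER["REQUEST_URI"];
if(!$webpage) $webpage="(none)";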

3. If the web page requested is one of the usual 'php.....' or other
frequent ones, the banned variable is set.

4. If it is HTML activity on an IP address and not on a valid domain name,
the banned variable is set.

5. Ditto if the Method is not allowed, example POST, CONNECT etc.

6. 

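if($ban)
   { $ipx = $ip1;   // $ip1 is set earlier in the script (not shown)
     // escapeshellarg() quotes the address so it reaches iptables as a single argument
     exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned.".$mm." -j DROP -s ".escapeshellarg($ipx));
   }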

7. There are 12 banned tables in IPtables for port 80 traffic. One for
every month. Every month a new table is populated with banned IP
addresses. The current month (January) is named banned.01

8. I keep the contents (the banned IPs) for about a month, then flush
the table (emptying it). 

9. Data Centres are blocked permanently for all port 80 traffic. I allow
known major crawlers.

That is the essence of my system. It's 5? years of refinements. It
catches virtually all hackers after their first attempt. I tried
filtering within IPtables but it's difficult to read and blocking is also
difficult to read. My current system is readable, easily maintainable
and flexible.

My system also creates an email ready for sending to the IP's abuse
contact. Just have to copy and paste into a database's webform and press
'send'. Have just complained; it took 1 minute 18 seconds - from opening
the warning email to pressing 'send' - to email a very comprehensive
report.

---------------------------------------
Date & time           = Saturday, 25 January 2014 20:21:21 UTC (GMT +00:00)
Server name           = ddddddddd.com
Server IP             = 123.123.123.123
Submitted host name   = ddddddddd.com
Submitted page name   = /components/com_content/router.php
From web page         = (none)
Browser               = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Remote host           = 5.45.72.16
Remote address        = 5.45.72.16
Remote name           = 5.45.72.16
Location              = , Netherlands.
Remote port           = 56067
Remote protocol       = HTTP/1.0
IP2 host              = -
IP2 address           = -
Forwarded-for host    = -
Forwarded-for address = -
HTML status code      = 404
HTML method           = GET

---------------------------------------

It's a Data Centre so 5.45.72.0/22 is now blocked. Just want a quiet and
enjoyable life :-)

Probably publish my set-up sometime this year.

-- 
Paul.
England,
EU.

   Our systems are exclusively Linux. No Micro$oft Windoze here.
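
Added example, not part of the original message and not the poster's code: a PHP version of the ban decision in steps 3 to 5, plus a step 6 that builds the iptables arguments only from a validated address and month. The function names, host list, method allow-list and probe patterns are assumptions, the chain name follows the "banned.01" naming in the message, and all sample requests are constructed (documentation address ranges).

```php
<?php
// Added example: every name, host and pattern below is an assumption.
const VALID_HOSTS     = ['example.com', 'www.example.com'];       // hypothetical site names
const ALLOWED_METHODS = ['GET', 'HEAD'];                           // assumed allow-list
const PROBE_PATTERNS  = ['#^/phpmyadmin#i', '#/router\.php$#i'];   // constructed samples

// Steps 3-5: return the reason for a ban, or null when nothing matches.
function should_ban(string $method, string $host, string $uri): ?string
{
    foreach (PROBE_PATTERNS as $re) {                 // step 3: frequently probed pages
        if (preg_match($re, $uri)) {
            return 'probe path';
        }
    }
    $host = strtolower(preg_replace('/:\d+$/', '', $host));   // drop any :port
    if (!in_array($host, VALID_HOSTS, true)) {        // step 4: bare IP or unknown name
        return 'not a valid domain name';
    }
    if (!in_array($method, ALLOWED_METHODS, true)) {  // step 5: method not allowed
        return 'method not allowed';
    }
    return null;
}

// Step 6: build the iptables argv from validated values only. Passed as an array
// to proc_open() (PHP 7.4+), it is executed without a shell parsing the string.
function ban_command(string $ip, string $mm): ?array
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) return null;
    if (!preg_match('/\A(0[1-9]|1[0-2])\z/', $mm)) return null;
    return ['/sbin/iptables', '-A', 'banned.' . $mm, '-s', $ip, '-j', 'DROP'];
}

// Constructed sample requests: [method, Host header, URI, client address].
$samples = [
    ['GET',  '203.0.113.10', '/index.html',  '192.0.2.6'],        // sent to the bare IP
    ['POST', 'example.com',  '/index.html',  '192.0.2.7'],        // method not allowed
    ['GET',  'example.com',  '/phpmyadmin/', '192.0.2.9;extra'],  // malformed address
    ['GET',  'example.com',  '/index.html',  '192.0.2.8'],        // nothing matches
];
foreach ($samples as [$method, $host, $uri, $ip]) {
    $why = should_ban($method, $host, $uri);
    $cmd = $why !== null ? ban_command($ip, date('m')) : null;
    echo $ip, ' => ', $why ?? 'ok', ' => ',
         $cmd !== null ? implode(' ', $cmd) : 'no command', "\n";
}
```

The third sample is flagged for a ban but yields no command, because the address fails validation before it can reach the command line.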