Old 08-20-2011, 11:09 PM
Always Learning
 
Apache Changing IPtables C 5.6 via Apache

When a web site is attacked, so far by unsuccessful hackers, my error
routine adds the attacker's IP address, prefixed by 'deny', to that web
site's .htaccess file. It works and the attacker, on second and
subsequent attacks, gets a 403 error response.

I want to extend the exclusion ability to every web site hosted on a
server. My preferred method is iptables. However, when breaking-out of a
PHP script on a web page and running a normal iptables command, for
example:

iptables -A 3temp -s 1.2.3.4 -j DROP

iptables responds with:

iptables v1.3.5: can't initialize iptables table
`filter': Permission denied
(you must be root)

Executing 'whoami' confirms Apache is the user. Giving Apache group rw
on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
executable by all, fails to resolve the problem.

Is there any method of running iptables from an Apache originated
process ?

Thank you.






--
With best regards,

Paul.
England,
EU.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-21-2011, 12:03 AM
Craig White
 
Apache Changing IPtables C 5.6 via Apache

On Sun, 2011-08-21 at 00:09 +0100, Always Learning wrote:
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking-out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache originated
> process ?
>
> Thank you.
----
If you are determined to do that (have user apache capable of making
changes to iptables), you can have your script do it as sudo and make an
entry in /etc/sudoers to allow user apache to execute /sbin/iptables
commands without a password.

Of course automated scripts can (and likely will) go haywire and
anything that automates adding iptables blocks is capable of blocking
you too and I would highly suggest you rethink what you are doing. Also,
there's the subjectivity of what it is that constitutes 'an attack'.

Craig


 
Old 08-21-2011, 12:50 AM
Patrick Lists
 
Apache Changing IPtables C 5.6 via Apache

On 08/21/2011 01:09 AM, Always Learning wrote:
>
> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.
>
> I want to extend the exclusion ability to every web site hosted on a
> server. My preferred method is iptables. However, when breaking-out of a
> PHP script on a web page and running a normal iptables command, for
> example:
>
> iptables -A 3temp -s 1.2.3.4 -j DROP
>
> iptables responds with:
>
> iptables v1.3.5: can't initialize iptables table
> `filter': Permission denied
> (you must be root)
>
> Executing 'whoami' confirms Apache is the user. Giving Apache group rw
> on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
> executable by all, fails to resolve the problem.
>
> Is there any method of running iptables from an Apache originated
> process ?

Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
Have you looked at fail2ban and denyhosts? These apps seem to offer a
similar solution.

Regards,
Patrick
 
Old 08-21-2011, 12:51 AM
Always Learning
 
Apache Changing IPtables C 5.6 via Apache

On Sat, 2011-08-20 at 17:03 -0700, Craig White wrote:

> If you are determined to do that (have user apache capable of making
> changes to iptables), you can have your script do it as sudo and make an
> entry in /etc/sudoers to allow user apache to execute /sbin/iptables
> commands without a password.

Thank you. I will try that. Having read the file it seems ideal.

> Of course automated scripts can (and likely will) go haywire and
> anything that automates adding iptables blocks is capable of blocking
> you too and I would highly suggest you rethink what you are doing. Also,
> there's also the subjectivity of what it is that constitues 'an attack'.

My scripts are generally well behaved, but then I usually test them
extensively. The proposed iptables changes are to place IP addresses in
a spare iptables table and block them. If it works well for one IP
address it should work successfully for subsequent ones.

I am acutely conscious of being locked-out. I can get in remotely via
the console. However the very first entries in every server's iptables
have always been to allow 3 static IPs access. 3test comes later on in
the sequence, ensuring what happens there should never lock me out.

(approved static IPs)
0banned
1approved
2emails
3temp
3web
4permit
5drop

A daily reader of Logwatch, I don't like seeing the same weirdo
attacking different web sites hosted on the same server. I also get an
instant email for every web page error on every site. Banning an IP
address from a server as soon as the first detected hacking occurs seems
a welcome improvement to writing to one web site's .htaccess file.

Thank you for your good suggestion. It is appreciated.


--
With best regards,

Paul.
England,
EU.


 
Old 08-21-2011, 01:00 AM
Always Learning
 
Apache Changing IPtables C 5.6 via Apache

On Sun, 2011-08-21 at 02:50 +0200, Patrick Lists wrote:

> Maybe SELinux blocks Apache from writing to /etc/sysconfig/iptables?
> Have you looked at ? These apps seem to offer a
> similar solution.

I'm not using SELinux at the moment simply because I don't have the time
to understand it. I'm a self-taught Linuxist. I believe it uses the
'labels' inherent with every file description block.

With Craig's SU suggestion, I believe my attack detection system will
successfully block the attacker's IP address on a server and for
selected ports only.

I will look at fail2ban and denyhosts and see how they can help.

Thank you.


--
With best regards,

Paul.
England,
EU.


 
Old 08-21-2011, 03:43 AM
Barry Brimer
 
Apache Changing IPtables C 5.6 via Apache

> When a web site is attacked, so far by unsuccessful hackers, my error
> routine adds the attacker's IP address, prefixed by 'deny', to that web
> site's .htaccess file. It works and the attacker, on second and
> subsequent attacks, gets a 403 error response.

Have you looked at mod_evasive?
http://www.zdziarski.com/blog/?page_id=442

Barry
 
Old 08-21-2011, 05:55 AM
Kenneth Porter
 
Apache Changing IPtables C 5.6 via Apache

--On Sunday, August 21, 2011 2:51 AM +0100 Always Learning
<centos@u61.u22.net> wrote:

> I am acutely conscious of being locked-out. I can get in remotely via
> the console. However the very first entries in every server's iptables
> have always been to allow 3 static IPs access. 3test comes later on in
> the sequence, ensuring what happens there should never lock me out.

To reduce the attack surface, create a script that can only update that
subtable with a supplied IP address and then invoke it by sudo.


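Craig's /etc/sudoers suggestion and Kenneth's narrower version (a script that can only add one supplied address to the spare chain, invoked via sudo) together look like the wrapper below. This is an added example, not code from the thread or from any poster; the chain name 3temp comes from Paul's list, while the script path, the sudoers line and the optional TCP port restriction are assumptions.

```shell
#!/bin/sh
# block-ip: a restricted wrapper that can do exactly one thing: append a
# DROP rule for one validated source address (optionally limited to one
# TCP port) to the "3temp" chain. The matching sudoers entry (add with
# visudo) lets apache run this script as root but never /sbin/iptables:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
# Constructed example; chain name, path and port option are assumptions.
CHAIN=3temp
IPTABLES=/sbin/iptables

# Accept only a dotted-quad IPv4 address (four decimal octets, 0-255).
# Option flags, hostnames or extra words are rejected, so nothing but a
# plain address can reach the iptables command line through sudo.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only a port number 1-65535 with no leading zeros.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -le 65535 ]
}

# block_ip ADDRESS [PORT]: validate both arguments, then add the one rule.
block_ip() {
    valid_ipv4 "$1" || { echo "block-ip: bad address: $1" >&2; return 2; }
    if [ $# -ge 2 ]; then
        valid_port "$2" || { echo "block-ip: bad port: $2" >&2; return 2; }
        "$IPTABLES" -A "$CHAIN" -s "$1" -p tcp --dport "$2" -j DROP
    else
        "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
    fi
}

# Entry point when run as a script, e.g. "sudo /usr/local/sbin/block-ip 1.2.3.4 80".
if [ $# -gt 0 ]; then
    block_ip "$@"
    exit $?
fi
```

The PHP error routine then calls `sudo /usr/local/sbin/block-ip <address>` instead of iptables directly; the remote address still needs to be taken from the request as a single argument, which the validation above enforces.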
 
Old 08-21-2011, 07:26 AM
Keith Roberts
 
Apache Changing IPtables C 5.6 via Apache

On Sat, 20 Aug 2011, Barry Brimer wrote:

> To: CentOS mailing list <centos@centos.org>
> From: Barry Brimer <lists@brimer.org>
> Subject: Re: [CentOS] Apache Changing IPtables C 5.6 via Apache
>
>> When a web site is attacked, so far by unsuccessful hackers, my error
>> routine adds the attacker's IP address, prefixed by 'deny', to that web
>> site's .htaccess file. It works and the attacker, on second and
>> subsequent attacks, gets a 403 error response.
>
> Have you looked at mod_evasive?
> http://www.zdziarski.com/blog/?page_id=442

There is also another application that reads the Apache log
file, and then IIRC writes IPTables rules to deal with these
sort of attacks. It was written for a university thesis
several years ago, but I just do not remember the name of
that particular guy or the project.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
 
Old 08-21-2011, 11:05 AM
Always Learning
 
Apache Changing IPtables C 5.6 via Apache

On Sat, 2011-08-20 at 22:43 -0500, Barry Brimer wrote:

> > When a web site is attacked, so far by unsuccessful hackers, my error
> > routine adds the attacker's IP address, prefixed by 'deny', to that web
> > site's .htaccess file. It works and the attacker, on second and
> > subsequent attacks, gets a 403 error response.

> Have you looked at mod_evasive?
> http://www.zdziarski.com/blog/?page_id=442

Thank you for the suggestion. I have just looked at it and see:-

* Requesting the same page more than a few times per second

* Making more than 50 concurrent requests on the same child per second

* Making any requests while temporarily blacklisted ...

My requirement, based on observations, is to instantly cut off the IP's
access as soon as a wrong URL is entered. When a web page error occurs it
is handled by a PHP routine. Two sets of checks show whether it was an
'innocent' mistake or a known hacking attempt. Currently known hacking
attempts are blocked at the web site's .htaccess file.

mod_evasive lacks the ability to compare the erroneous page request and
then take action. Clive's helpful /etc/sudoers suggestion overnight
seems ideal because (if it works for my routine) it will let me block an
IP address at iptables and limit that blocking to a port.

My check list has 104 'words' which cause an IP address to be blocked.
When my revised system is working satisfactorily with whole server
blocking I will publish the details on the web.


--
With best regards,

Paul.
England,
EU.


 
Old 08-21-2011, 11:44 AM
Always Learning
 
Apache Changing IPtables C 5.6 via Apache

On Sun, 2011-08-21 at 08:26 +0100, Keith Roberts wrote:

> There is also another application that reads the Apache log
> file, and then IIRC writes IPTables rules to deal with these
> sort of attacks. It was written for a university thesis
> several years ago, but I just do not remember the name of
> that particular guy or the project.

That is probably too slow for me. My present system is immediate and
effective usually within the same second. I just want to expand
site .htaccess blocking to iptables whole server blocking and will, when
I have a spare minute, implement Clive's /etc/sudoers suggestion.

--
With best regards,

Paul.
England,
EU.

