Aug 11, 2011
tom

Allowing apache to write with iptables

Question

Since to days ago I’m receiving DDOS atacks in my server. I’ve installed mod_evasive in apache and it works right! It writes the log and send the email with de IPs.

But there’s a problem: Apache doesn’t add the DROP rule in iptables (or at least it doesn’t appear)

I’m using apache in Plesk, the configuration file is like:

DOSHashTableSize 3097
DOSPageCount 1 
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP"
DOSEmailNotify "xxx@xxx.com"
DOSLogDir "/var/log/evasive/"

Here is my ‘sudoers’ file:

apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -s [0-9.]* -j DROP

But that doesn’t help.

Thanks in advance.

Answer

Allowing apache to run iptables with root privilege sounds like a very bad idea – I presume you’ve got root access. If it were me I’d be using a proxy program (like fail2ban) to sift the logs and write the rules.

I’ve write in visudo this:

And have you checked that is what has been deployed to /etc/sudoers?

From the man page:

If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any)

You’ve used a regex rather than wildcards. Try:

apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT --dport 80 -s * -j DROP

Although a better idea would be to wrap the functionality in a script rather than calling iptables directly.
(note I’ve explicitly set the port to avoid you locking yourself out – I presume you’ve got ssh access).

Related posts:

  1. Problem with sendmail combined with iptables
  2. Why did iptables suddenly block HAProxy
  3. iptables v1.4.10: can’t initialize iptables table `NAT’: Table does not exist
  4. apache is not responding from the outside (firewall/iptables problem)
  5. Iptables rules sometimes are reset automatically

Leave a comment