Since to days ago I’m receiving DDOS atacks in my server. I’ve installed mod_evasive in apache and it works right! It writes the log and send the email with de IPs.
But there’s a problem: Apache doesn’t add the DROP rule in iptables (or at least it doesn’t appear)
I’m using apache in Plesk, the configuration file is like:
DOSHashTableSize 3097 DOSPageCount 1 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 600 DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP" DOSEmailNotify "email@example.com" DOSLogDir "/var/log/evasive/"
Here is my ‘sudoers’ file:
apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -s [0-9.]* -j DROP
But that doesn’t help.
Thanks in advance.
Allowing apache to run iptables with root privilege sounds like a very bad idea – I presume you’ve got root access. If it were me I’d be using a proxy program (like fail2ban) to sift the logs and write the rules.
I’ve write in visudo this:
And have you checked that is what has been deployed to /etc/sudoers?
From the man page:
If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any)
You’ve used a regex rather than wildcards. Try:
apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT --dport 80 -s * -j DROP
Although a better idea would be to wrap the functionality in a script rather than calling iptables directly.
(note I’ve explicitly set the port to avoid you locking yourself out – I presume you’ve got ssh access).