Re: Apache Changing IPtables C 5.6 via Apache




On Sat, 2011-08-20 at 17:03 -0700, Craig White wrote:

> If you are determined to do that (have user apache capable of making
> changes to iptables), you can have your script do it as sudo and make an
> entry in /etc/sudoers to allow user apache to execute /sbin/iptables
> commands without a password.

Thank you. I will try that. Having read the file it seems ideal.

> Of course automated scripts can (and likely will) go haywire and
> anything that automates adding iptables blocks is capable of blocking
> you too and I would highly suggest you rethink what you are doing. Also,
> there's the subjectivity of what it is that constitutes 'an attack'.

My scripts are generally well behaved, but then I usually test them
extensively. The proposed iptables changes are to place IP addresses in
a spare iptables table and block them. If it works well for one IP
address it should work successfully for subsequent ones.

I am acutely conscious of being locked-out. I can get in remotely via
the console. However the very first entries in every server's iptables
have always been to allow 3 static IPs access. 3test comes later on in
the sequence, ensuring what happens there should never lock me out.

	(approved static IPs)
	0banned
	1approved
	2emails
	3temp
	3web
	4permit
	5drop

A daily reader of Logwatch, I don't like seeing the same weirdo
attacking different web sites hosted on the same server. I also get an
instant email for every web page error on every site. Banning an IP
address from a server as soon as the first detected hacking occurs seems
a welcome improvement over writing to one web site's .htaccess file.

Thank you for your good suggestion. It is appreciated.


-- 
With best regards,

Paul.
England,
EU.
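The following is an added example, not Paul's script and not anything from the thread. It narrows the sudoers suggestion above: instead of letting user apache run /sbin/iptables with arbitrary arguments (which would also let anything running as apache flush the chain holding the approved static IPs), the sudoers entry names a single root-owned wrapper that accepts one argument, checks that it is a plain IPv4 address, refuses to ban the administrator's approved addresses, and appends a DROP rule to a dedicated chain (here "0banned", matching the chain list in the post). The wrapper path, the sudoers line, the approved addresses and the chain layout are all assumptions for the example; the wrapper must be root-owned and not writable by apache, otherwise the restriction means nothing.

```shell
#!/bin/sh
# ban-ip: added example wrapper (not from the thread).
# Assumed install: /usr/local/sbin/ban-ip, owner root, mode 0755, with this
# as the ONLY command apache may run via sudo, e.g. in /etc/sudoers.d/apache-ban:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/ban-ip
# The web application then runs:  sudo /usr/local/sbin/ban-ip 203.0.113.7
set -eu

BAN_CHAIN="0banned"                     # dedicated chain, as in the post's list
IPTABLES="${IPTABLES:-/sbin/iptables}"  # overridable for dry runs and tests
# Assumed administrator addresses that must never be banned.
APPROVED_IPS="${APPROVED_IPS:-192.0.2.10 192.0.2.11 192.0.2.12}"

# valid_ipv4 ADDR -> 0 if ADDR is exactly four 0-255 octets, 1 otherwise.
# Anything else (spaces, semicolons, option-like strings) is rejected, so a
# log-derived value cannot smuggle extra arguments into the root iptables call.
valid_ipv4() {
    _ip=$1
    case $_ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet; do
        [ "${#_octet}" -le 3 ] || return 1
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# is_approved ADDR -> 0 if ADDR is one of the approved static IPs.
is_approved() {
    for _a in $APPROVED_IPS; do
        [ "$_a" = "$1" ] && return 0
    done
    return 1
}

# ban_cmd ADDR: prints the exact iptables command that would be run, or
# reports why ADDR is refused (status 2 invalid, 3 approved).
ban_cmd() {
    if ! valid_ipv4 "$1"; then
        echo "ban-ip: refusing invalid address: $1" >&2
        return 2
    fi
    if is_approved "$1"; then
        echo "ban-ip: refusing to ban approved address: $1" >&2
        return 3
    fi
    # -A appends to the dedicated chain; INPUT jumps to that chain only after
    # the approved-IP ACCEPT rules, so the ordering in the post is preserved.
    printf '%s -A %s -s %s -j DROP\n' "$IPTABLES" "$BAN_CHAIN" "$1"
}

# ban_ip ADDR: validate, skip if the rule already exists, otherwise add it.
ban_ip() {
    ban_cmd "$1" >/dev/null || return $?
    "$IPTABLES" -C "$BAN_CHAIN" -s "$1" -j DROP 2>/dev/null && return 0
    "$IPTABLES" -A "$BAN_CHAIN" -s "$1" -j DROP
}

# Only act when an address was given on the command line.
if [ $# -gt 0 ]; then
    ban_ip "$1"
fi
```

Because the wrapper takes a single address and builds the rule itself, the sudoers grant covers only "append one DROP for one validated host"; it cannot be used to flush, reorder or delete rules, and the approved-IP check protects against the lockout Craig warned about even if the detection script misfires.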


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos