[SOLVED] Use mod_evasive to block IP automatically by iptables in CentOS 7 with SELinux, but not works

Aeolustw · 06-05-2016, 08:02 PM

My test server:
Linux centos7 3.10.0-327.18.2.el7.x86_64
Apache 2.4.6
iptables v1.4.21
mod_evasive v1.10.1-22.el7

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

part of configure file: /etc/httpd/conf.d/mod_evasive.conf

Code:

...
    DOSSystemCommand "sudo /usr/local/bin/ddos_ban_ip.sh %s"
...

/usr/local/bin/ddos_ban_ip.sh

Code:

#!/bin/bash
# IP that will be blocked, as detected by mod_evasive
IP=$1
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/banned/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
/sbin/iptables -I INPUT -s $IP -p tcp -m tcp --dport 80 -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"

part of /etc/sudoers

Code:

...
apache ALL=NOPASSWD: /usr/local/bin/ddos_ban_ip.sh
Defaults:apache !requiretty
...

mod_evasive works fine:

Quote:

Jun 6 08:13:21 centos7 mod_evasive[7276]: Blacklisting address 111.OO.OOO.OO: possible DoS attack.

but if i chage sestatus with "setenforce 1"
block ip no works,

Check /var/log/messages

Quote:

Jun 6 08:13:23 centos7 setroubleshoot: SELinux is preventing /usr/sbin/xtables-multi from read access on the file /run/. For complete SELinux messages. run sealert -l c621e1ce-a0cf-4010-ac7a-dcd048059bcb
Jun 6 08:13:23 centos7 python: SELinux is preventing /usr/sbin/xtables-multi from read access on the file /run/.#012#012***** Plugin restorecon (99.5 confidence) suggests ************************#012#012If you want to fix the label. #012/run/ default label should be var_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /run/#012#012***** Plugin catchall (1.49 confidence) suggests **************************#012#012If you believe that xtables-multi should be allowed read access on the file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep iptables /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012

After doing these:

Code:

/sbin/restorecon -v /run/
grep iptables /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

These messages not show again, but iptables not block ip.

Check /etc/httpd/logs/error_log

Quote:

iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Even /var/log/messages has the message:

Quote:

Jun 6 08:27:28 centos7 mod_evasive[7276]: Blacklisting address 111.OO.OOO.OO: possible DoS attack.

Question:
Q1: How to use mod_evasive to block IP automatically by iptables successfully?
Q2: And is it safe to do this, apache act as root to block ip by iptables?

Thanks All.

JJJCR · 06-05-2016, 09:42 PM

try using fail2ban.

http://unix.stackexchange.com/questi...an-on-centos-7

Aeolustw · 06-05-2016, 11:25 PM

Quote:

Originally Posted by JJJCR

try using fail2ban.

http://unix.stackexchange.com/questi...an-on-centos-7

Thanks.

I had installed it in the beginning, just want to try mod_evasive to block ip by iptables.

JJJCR · 06-06-2016, 02:38 AM

check out this link: https://tellini.info/2011/11/keeping...-and-iptables/

from link above:

Quote:

Don’t forget to grant the permission to run the script to the account used by apache. My sudoers config contains:

www-data ALL=(ALL) NOPASSWD: /root/scripts/ban_ip.sh

Aeolustw · 06-06-2016, 07:12 PM

Quote:

Originally Posted by JJJCR

check out this link: https://tellini.info/2011/11/keeping...-and-iptables/

from link above:

Thanks,JJJCR.

I had been tried the similar topic >> http://www.tecmint.com/protect-apach...ntos-fedora/3/

And the last error message is in /etc/httpd/logs/error_log :

Quote:

iptables v1.4.21: can't initialize iptables table `filter': Permission denied
Perhaps iptables or your kernel needs to be upgraded.

I think if i enable SELinux and enforcing mode , SELinux will prevent apache to use iptables,
even i had been granted apache the permission in /etc/sudoers

Code:

apache ALL=NOPASSWD: /usr/local/bin/ddos_ban_ip.sh, /sbin/iptables
Defaults:apache !requiretty

JJJCR · 06-06-2016, 09:40 PM

Quote:

I think if i enable SELinux and enforcing mode , SELinux will prevent apache to use iptables,
even i had been granted apache the permission in /etc/sudoers

I don't think SELinux will prevent apache from using iptables even if you set it to enforcing mode.

As long as in your SELinux settings you did not specify the settings to stop using apache for the particular user then it will work fine.

Aeolustw · 06-07-2016, 05:44 AM

Quote:

Originally Posted by JJJCR

I don't think SELinux will prevent apache from using iptables even if you set it to enforcing mode.

As long as in your SELinux settings you did not specify the settings to stop using apache for the particular user then it will work fine.

Thanks, and I fixed this problem.
It works fine now.

part of /etc/sudoers

Code:

...
apache ALL=NOPASSWD: /var/www/mod_evasive/ddos_ban_ip.sh, /usr/bin/rm, /sbin/iptables
#apache 	ALL=(ALL)	NOPASSWD: ALL
Defaults:apache !requiretty
...

part of /etc/httpd/conf.d/mod_evasive.conf

Code:

...
DOSSystemCommand "sudo /var/www/mod_evasive/ddos_ban_ip.sh %s"
...
DOSLogDir   	 "/var/www/mod_evasive"
...

/var/www/mod_evasive/ddos_ban_ip.sh

Code:

#!/bin/bash
# IP that will be blocked, as detected by mod_evasive
IP=$1
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/www/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
/sbin/iptables -I INPUT -s $IP -p tcp -m tcp --dport 80 -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"

The important change is moving ddos_ban_ip.sh from /usr/local/bin to /var/www/mod_evasive
and apache should has rwx file attribute permission for the new /var/www/mod_evasive directory and same SELinux context type as /var/www/html.

Code:

ls -Z /var/www

Quote:

drwxr-xr-x. root root system_u：object_r：httpd_sys_script_exec_t：s0 cgi-bin
drwxr-xr-x. root root system_u：object_r：httpd_sys_content_t：s0 html
drwxrwx---. root apache system_u：object_r：httpd_sys_content_t：s0 mod_evasive

The last SELinux Troubleshoot:

Quote:

SELinux is preventing /usr/sbin/xtables-multi from getopt access on the rawip_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that xtables-multi should be allowed getopt access on the Unknown rawip_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

Code:

# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context system_u:system_r:httpd_sys_script_t:s0
Target Objects Unknown [ rawip_socket ]
Source iptables
Source Path /usr/sbin/xtables-multi
Port <Unknown>
Host centos7
Source RPM Packages iptables-1.4.21-16.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name centos7
Platform Linux centos7 3.10.0-327.18.2.el7.x86_64 #1 SMP
Thu May 12 11:03:55 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-06-07 12:03:55 CST
Last Seen 2016-06-07 12:03:55 CST
Local ID 71d3b17b-199e-47a9-9f84-9787cc585102

Raw Audit Messages
type=AVC msg=audit(1465272235.992:12410): avc: denied { getopt } for pid=26461 comm="iptables" lport=255 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=rawip_socket
type=AVC msg=audit(1465272235.992:12410): avc: denied { net_admin } for pid=26461 comm="iptables" capability=12 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1465272235.992:12410): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=4 a1=0 a2=40 a3=7fff0866ee80 items=0 ppid=26460 pid=26461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
Hash: iptables,httpd_sys_script_t,httpd_sys_script_t,rawip_socket,getopt

JJJCR · 06-07-2016, 08:21 PM

Glad you figured it out.

Thanks for sharing the info, hope it will help others who might have the same issue.