My test server:
Linux centos7 3.10.0-327.18.2.el7.x86_64
Apache 2.4.6
iptables v1.4.21
mod_evasive v1.10.1-22.el7
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
part of the config file /etc/httpd/conf.d/mod_evasive.conf:
Code:
...
DOSSystemCommand "sudo /usr/local/bin/ddos_ban_ip.sh %s"
...
/usr/local/bin/ddos_ban_ip.sh
Code:
#!/bin/bash
# IP that will be blocked, as detected by mod_evasive (passed in via %s)
IP=$1
# mod_evasive lock directory (the DOSLogDir set in mod_evasive.conf)
MOD_EVASIVE_LOGDIR=/var/banned/mod_evasive
# Refuse to run without an argument
[ -n "$IP" ] || exit 1
# Add the following firewall rule (block all port-80 traffic coming from $IP)
/sbin/iptables -I INPUT -s "$IP" -p tcp -m tcp --dport 80 -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"
part of /etc/sudoers
Code:
...
apache ALL=NOPASSWD: /usr/local/bin/ddos_ban_ip.sh
Defaults:apache !requiretty
...
mod_evasive works fine:
Quote:
Jun 6 08:13:21 centos7 mod_evasive[7276]: Blacklisting address 111.OO.OOO.OO: possible DoS attack.
but if I change the SELinux mode with "setenforce 1",
blocking the IP no longer works.
Checking /var/log/messages:
Quote:
Jun 6 08:13:23 centos7 setroubleshoot: SELinux is preventing /usr/sbin/xtables-multi from read access on the file /run/. For complete SELinux messages. run sealert -l c621e1ce-a0cf-4010-ac7a-dcd048059bcb
Jun 6 08:13:23 centos7 python: SELinux is preventing /usr/sbin/xtables-multi from read access on the file /run/.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/run/ default label should be var_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /run/

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that xtables-multi should be allowed read access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
After doing these:
Code:
/sbin/restorecon -v /run/
grep iptables /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
These messages do not show up again, but iptables still does not block the IP.
Checking /etc/httpd/logs/error_log:
Quote:
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Even though /var/log/messages still shows the message:
Quote:
Jun 6 08:27:28 centos7 mod_evasive[7276]: Blacklisting address 111.OO.OOO.OO: possible DoS attack.
Question:
Q1: How can I get mod_evasive to block IPs automatically with iptables successfully?
Q2: And is it safe to do this, letting apache act as root to block IPs with iptables?
Thanks All.
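Added example, not the original poster's script: a stricter version of the ddos_ban_ip.sh idea from the post. It validates the %s argument mod_evasive hands over before it reaches iptables, refuses to run unless sudo really gave it uid 0, puts bans into their own chain so they can be listed and flushed separately, and logs to syslog when iptables fails instead of exiting quietly. That last case is relevant to the error_log line above: iptables prints "Permission denied (you must be root)" whenever the kernel returns EPERM on the netfilter socket, which also happens when SELinux denies the access to a uid-0 process, so a failure with uid 0 points at policy rather than sudoers. The chain name MOD_EVASIVE, the log tag ddos_ban_ip and the lock directory are assumptions chosen for illustration; the DOSSystemCommand and sudoers lines from the post can be used unchanged.

```shell
#!/bin/sh
# Added example (not the original poster's script): a stricter ddos_ban_ip.sh.
# Differences from the script in the post:
#   - the %s argument from mod_evasive is validated before it reaches iptables
#   - the script refuses to run unless it really has uid 0, and reports an
#     iptables failure via syslog instead of exiting quietly
#   - bans go into their own chain so they can be listed/flushed separately
# Chain name, log tag and lock directory are assumptions chosen for illustration.

IPTABLES=/sbin/iptables
BAN_CHAIN=MOD_EVASIVE
MOD_EVASIVE_LOGDIR=/var/banned/mod_evasive
LOG_TAG=ddos_ban_ip

# Return 0 only for a plain dotted-quad IPv4 address (four octets, each 0-255).
# Anything else (hostnames, IPv6, shell metacharacters, empty string) is rejected.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|'') return 1 ;;
    esac
    # Split on dots without touching the global IFS or positional parameters.
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Path of the lock file mod_evasive writes for a blacklisted address.
lock_file() {
    printf '%s/dos-%s\n' "$MOD_EVASIVE_LOGDIR" "$1"
}

ban_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        logger -t "$LOG_TAG" "refusing to ban malformed address '$ip'"
        exit 2
    fi
    # sudo must have given us root; otherwise iptables cannot open the
    # netfilter socket at all.
    if [ "$(id -u)" -ne 0 ]; then
        logger -t "$LOG_TAG" "running as uid $(id -u), not root; check sudoers"
        exit 3
    fi
    # Create the ban chain once and hook it into INPUT (both steps idempotent).
    "$IPTABLES" -N "$BAN_CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$BAN_CHAIN" 2>/dev/null \
        || "$IPTABLES" -I INPUT -j "$BAN_CHAIN"
    # Insert the DROP rule unless an identical one is already present (-C).
    if ! "$IPTABLES" -C "$BAN_CHAIN" -s "$ip" -p tcp --dport 80 -j DROP 2>/dev/null; then
        if ! "$IPTABLES" -I "$BAN_CHAIN" -s "$ip" -p tcp --dport 80 -j DROP; then
            # uid 0 but iptables still failed: the kernel refused netfilter
            # access (iptables prints "Permission denied (you must be root)"
            # on EPERM), which is what an SELinux denial looks like.
            logger -t "$LOG_TAG" "iptables failed for $ip; ban NOT applied"
            exit 4
        fi
    fi
    # Remove the lock file so mod_evasive can report this address again.
    rm -f "$(lock_file "$ip")"
}

# Only act when called with an argument (as mod_evasive does via %s);
# with none, the functions above are merely defined.
if [ $# -gt 0 ]; then
    ban_ip "$1"
fi
```

Install it as /usr/local/bin/ddos_ban_ip.sh with the same DOSSystemCommand and sudoers entries as in the post; `iptables -L MOD_EVASIVE -n` then shows exactly what mod_evasive has banned, and `iptables -F MOD_EVASIVE` clears all of it without touching the rest of INPUT. The exit codes 2/3/4 and the logger lines make the three failure modes (bad argument, no root, kernel/SELinux refusal) distinguishable in /var/log/messages.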