LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-05-2016, 08:02 PM   #1
Aeolustw
Member
 
Registered: Jun 2009
Location: Taiwan
Distribution: Linux Debian (or CentOS)
Posts: 51

Rep: Reputation: 1
Use mod_evasive to block IP automatically by iptables in CentOS 7 with SELinux, but not works


My test server:
Linux centos7 3.10.0-327.18.2.el7.x86_64
Apache 2.4.6
iptables v1.4.21
mod_evasive v1.10.1-22.el7

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

part of configure file: /etc/httpd/conf.d/mod_evasive.conf
Code:
...
    DOSSystemCommand "sudo /usr/local/bin/ddos_ban_ip.sh %s"
...

/usr/local/bin/ddos_ban_ip.sh
Code:
#!/bin/bash
# IP that will be blocked, as detected by mod_evasive
IP=$1
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/banned/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
/sbin/iptables -I INPUT -s $IP -p tcp -m tcp --dport 80 -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"
part of /etc/sudoers
Code:
...
apache ALL=NOPASSWD: /usr/local/bin/ddos_ban_ip.sh
Defaults:apache !requiretty
...
mod_evasive works fine:
Quote:
Jun 6 08:13:21 centos7 mod_evasive[7276]: Blacklisting address 111.OO.OOO.OO: possible DoS attack.
but if i chage sestatus with "setenforce 1"
block ip no works,

Check /var/log/messages
Quote:
Jun 6 08:13:23 centos7 setroubleshoot: SELinux is preventing /usr/sbin/xtables-multi from read access on the file /run/. For complete SELinux messages. run sealert -l c621e1ce-a0cf-4010-ac7a-dcd048059bcb
Jun 6 08:13:23 centos7 python: SELinux is preventing /usr/sbin/xtables-multi from read access on the file /run/.#012#012***** Plugin restorecon (99.5 confidence) suggests ************************#012#012If you want to fix the label. #012/run/ default label should be var_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /run/#012#012***** Plugin catchall (1.49 confidence) suggests **************************#012#012If you believe that xtables-multi should be allowed read access on the file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep iptables /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
After doing these:
Code:
/sbin/restorecon -v /run/
grep iptables /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
These messages not show again, but iptables not block ip.

Check /etc/httpd/logs/error_log
Quote:
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Even /var/log/messages has the message:
Quote:
Jun 6 08:27:28 centos7 mod_evasive[7276]: Blacklisting address 111.OO.OOO.OO: possible DoS attack.
Question:
Q1: How to use mod_evasive to block IP automatically by iptables successfully?
Q2: And is it safe to do this, apache act as root to block ip by iptables?

Thanks All.
 
Old 06-05-2016, 09:42 PM   #2
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,850

Rep: Reputation: 337Reputation: 337Reputation: 337Reputation: 337
try using fail2ban.

http://unix.stackexchange.com/questi...an-on-centos-7
 
1 members found this post helpful.
Old 06-05-2016, 11:25 PM   #3
Aeolustw
Member
 
Registered: Jun 2009
Location: Taiwan
Distribution: Linux Debian (or CentOS)
Posts: 51

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by JJJCR View Post
Thanks.

I had installed it in the beginning, just want to try mod_evasive to block ip by iptables.
 
Old 06-06-2016, 02:38 AM   #4
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,850

Rep: Reputation: 337Reputation: 337Reputation: 337Reputation: 337
check out this link: https://tellini.info/2011/11/keeping...-and-iptables/

from link above:
Quote:
Don’t forget to grant the permission to run the script to the account used by apache. My sudoers config contains:

www-data ALL=(ALL) NOPASSWD: /root/scripts/ban_ip.sh
 
2 members found this post helpful.
Old 06-06-2016, 07:12 PM   #5
Aeolustw
Member
 
Registered: Jun 2009
Location: Taiwan
Distribution: Linux Debian (or CentOS)
Posts: 51

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by JJJCR View Post
check out this link: https://tellini.info/2011/11/keeping...-and-iptables/

from link above:
Thanks,JJJCR.

I had been tried the similar topic >> http://www.tecmint.com/protect-apach...ntos-fedora/3/

And the last error message is in /etc/httpd/logs/error_log :
Quote:
iptables v1.4.21: can't initialize iptables table `filter': Permission denied
Perhaps iptables or your kernel needs to be upgraded.
I think if i enable SELinux and enforcing mode , SELinux will prevent apache to use iptables,
even i had been granted apache the permission in /etc/sudoers
Code:
apache ALL=NOPASSWD: /usr/local/bin/ddos_ban_ip.sh, /sbin/iptables
Defaults:apache !requiretty
 
Old 06-06-2016, 09:40 PM   #6
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,850

Rep: Reputation: 337Reputation: 337Reputation: 337Reputation: 337
Quote:
I think if i enable SELinux and enforcing mode , SELinux will prevent apache to use iptables,
even i had been granted apache the permission in /etc/sudoers
I don't think SELinux will prevent apache from using iptables even if you set it to enforcing mode.

As long as in your SELinux settings you did not specify the settings to stop using apache for the particular user then it will work fine.
 
1 members found this post helpful.
Old 06-07-2016, 05:44 AM   #7
Aeolustw
Member
 
Registered: Jun 2009
Location: Taiwan
Distribution: Linux Debian (or CentOS)
Posts: 51

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by JJJCR View Post
I don't think SELinux will prevent apache from using iptables even if you set it to enforcing mode.

As long as in your SELinux settings you did not specify the settings to stop using apache for the particular user then it will work fine.
Thanks, and I fixed this problem.
It works fine now.

part of /etc/sudoers
Code:
...
apache ALL=NOPASSWD: /var/www/mod_evasive/ddos_ban_ip.sh, /usr/bin/rm, /sbin/iptables
#apache 	ALL=(ALL)	NOPASSWD: ALL
Defaults:apache !requiretty
...
part of /etc/httpd/conf.d/mod_evasive.conf
Code:
...
DOSSystemCommand "sudo /var/www/mod_evasive/ddos_ban_ip.sh %s"
...
DOSLogDir   	 "/var/www/mod_evasive"
...
/var/www/mod_evasive/ddos_ban_ip.sh
Code:
#!/bin/bash
# IP that will be blocked, as detected by mod_evasive
IP=$1
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/www/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
/sbin/iptables -I INPUT -s $IP -p tcp -m tcp --dport 80 -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"
The important change is moving ddos_ban_ip.sh from /usr/local/bin to /var/www/mod_evasive
and apache should has rwx file attribute permission for the new /var/www/mod_evasive directory and same SELinux context type as /var/www/html.

Code:
ls -Z /var/www
Quote:
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxrwx---. root apache system_u:object_r:httpd_sys_content_t:s0 mod_evasive
The last SELinux Troubleshoot:
Quote:
SELinux is preventing /usr/sbin/xtables-multi from getopt access on the rawip_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that xtables-multi should be allowed getopt access on the Unknown rawip_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
Code:
# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context system_u:system_r:httpd_sys_script_t:s0
Target Objects Unknown [ rawip_socket ]
Source iptables
Source Path /usr/sbin/xtables-multi
Port <Unknown>
Host centos7
Source RPM Packages iptables-1.4.21-16.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name centos7
Platform Linux centos7 3.10.0-327.18.2.el7.x86_64 #1 SMP
Thu May 12 11:03:55 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-06-07 12:03:55 CST
Last Seen 2016-06-07 12:03:55 CST
Local ID 71d3b17b-199e-47a9-9f84-9787cc585102

Raw Audit Messages
type=AVC msg=audit(1465272235.992:12410): avc: denied { getopt } for pid=26461 comm="iptables" lport=255 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=rawip_socket
type=AVC msg=audit(1465272235.992:12410): avc: denied { net_admin } for pid=26461 comm="iptables" capability=12 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1465272235.992:12410): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=4 a1=0 a2=40 a3=7fff0866ee80 items=0 ppid=26460 pid=26461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
Hash: iptables,httpd_sys_script_t,httpd_sys_script_t,rawip_socket,getopt
 
Old 06-07-2016, 08:21 PM   #8
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,850

Rep: Reputation: 337Reputation: 337Reputation: 337Reputation: 337
Glad you figured it out.

Thanks for sharing the info, hope it will help others who might have the same issue.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
mod_evasive does not block some IPs marciano Linux - Server 4 05-17-2016 09:23 AM
LXer: How to harden Apache web server with mod_security and mod_evasive on CentOS LXer Syndicated Linux News 0 09-10-2014 02:51 AM
CentOS 5.3 - Won't load i2o-block driver automatically? Jukas Linux - Server 4 10-19-2009 07:15 PM
Mod_evasive and iptables lavinya Linux - Security 1 12-08-2007 08:22 AM
IPTables and PPTPD :S (to block or not to block) thewonka Linux - Networking 0 03-24-2005 06:58 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration