3

Since to days ago I'm receiving DDOS atacks in my server. I've installed mod_evasive in apache and it works right! It writes the log and send the email with de IPs.

But there's a problem: Apache doesn't add the DROP rule in iptables (or at least it doesn't appear)

I'm using apache in Plesk, the configuration file is like:

DOSHashTableSize 3097
DOSPageCount 1 
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP"
DOSEmailNotify "xxx@xxx.com"
DOSLogDir "/var/log/evasive/"

Here is my 'sudoers' file: 

apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -s [0-9.]* -j DROP

But that doesn't help.

Thanks in advance.

Shadok
  • 623
  • 5
  • 10
Leandro Vidal
  • 43
  • 2
  • 6

2 Answers2

3

Allowing apache to run iptables with root privilege sounds like a very bad idea - I presume you've got root access. If it were me I'd be using a proxy program (like fail2ban) to sift the logs and write the rules.

I've write in visudo this:

And have you checked that is what has been deployed to /etc/sudoers?

From the man page:

If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any)

You've used a regex rather than wildcards. Try:

apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT --dport 80 -s * -j DROP

Although a better idea would be to wrap the functionality in a script rather than calling iptables directly. (note I've explicitly set the port to avoid you locking yourself out - I presume you've got ssh access).

symcbean
  • 19,931
  • 1
  • 29
  • 49
2

In "visudo", change ALL to root, and skip the arguments for iptables:

apache ALL=(root) NOPASSWD: /sbin/iptables

Make sure the leading apache is the name of the user running the web server. (Check with ps -ef|egrep -e 'apache|http'

Then change your DOSSystemCommand to

DOSSystemCommand "sudo -u root /sbin/iptables -A INPUT -s %s -j DROP"

Better solution: make a script owned by root that no one else can modify, make that script run iptables, and have apache call that script (enable that script instead of iptables in sudo).

MattBianco
  • 587
  • 1
  • 6
  • 23