PHP script for Apache / LHP64 512 [NEARLY SOLVED]

Meshworks
Posts: 38
Joined: Tue 25 Oct 2011, 20:55

PHP script for Apache / LHP64 512 [NEARLY SOLVED]

#1 Post by Meshworks »

Hi all....

You're (not) going to love this ...

I am building a PHP script to automatically ban IPs from my website that look too carefully for things like phpmyadmin and other xampp type folders....

Once we've built a list, the script (should) rip through, banning IPs using iptables.

The line in question could look something like:

$runme="iptables -I INPUT -s " . $ip . " -j DROP";
if ($ip!=$host_ipaddress) $result=shell_exec($runme);

Unfortunately this (and everything else I've tried) causes an error:
iptables v1.4.6: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

The lampp distro I'm using seems to run as user nobody (not 200% sure of that - could be spot!).

Without adding the apache user to the sudoers list, is there any way to make this work? How would someone who knows what they're doing get round this?!

Ideas welcome!

: )

LHP64 512
Apache Friends Xampp
Last edited by Meshworks on Mon 28 Nov 2011, 21:34, edited 1 time in total.

Meshworks
Posts: 38
Joined: Tue 25 Oct 2011, 20:55

#2 Post by Meshworks »

The only idea I've had so far is to add or use a different user, and call a script that uses su or similar to call the iptables command.

Better ideas anyone?

Meshworks
Posts: 38
Joined: Tue 25 Oct 2011, 20:55

Chicken -> Egg -> Chicken -> Egg ...

#3 Post by Meshworks »

OK the problem has a chicken / egg quality about it:

1) Xampp seems to be running as root - in fact it produces an error if started as "spot" :

bash-4.1# su spot
<spot> ~
bash-4.1$ /opt/lampp/lampp start
You need to start XAMPP as root!
I have checked lxtask and the httpd daemons state that they are running as root.
This is probably because they are launched as root.

<root> ~
bash-4.1# /opt/lampp/lampp start
Starting XAMPP for Linux 1.7.7...
XAMPP: Starting Apache with SSL (and PHP5)...
XAMPP: Starting MySQL...
XAMPP for Linux started.
<root> ~
bash-4.1# 
The details in the httpd.conf are revealing here ...

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
# commented out by lampp compatibility check and meshworks gnomes
#User nobody
#Group nogroup
#Group nobody
User spot
Group spot
This would indicate that xampp is actually running stuff as a different user.
This is borne out by Apache's inability to execute certain commands correctly via "shell_exec($runme);".

2) Is there a way of stopping this error and making xampp run as a different user with less rights?

3) I would prefer to avoid adding this user to the sudoers list...
However ... if the user is not able to su to a different one then "he" will still not be able to run the commands!

<root> ~
bash-4.1# su spot
<spot> ~
bash-4.1$ whoami
spot
<spot> ~
bash-4.1$ su root
su: must be suid to work properly
<spot> ~
Here's another telling snippet. As spot is not on the sudo list, the following command fails.
What it should do is run a command (in this case 'ls') as root, supplying the password instead of having to type the password in...

<root> ~
bash-4.1# echo password | sudo -u root -S ls
Building       File-Sharing	my-documents	  puppy-reference  wine
Choices        Fonts		my-roxapps	  spot
Desktop        ftpd		Performing	  Startup
DesktopHidden  my-applications	Projectfiles.com  Web-Server
<root> ~
bash-4.1# su spot
<spot> ~
bash-4.1$ echo password | sudo -u root -S ls
Password:Sorry, try again.
Password:
sudo: 1 incorrect password attempt
<spot> ~
As you see the 'ls' command fails as user spot...

Ideas anyone?
Best fit solution welcome!
Stop gnome hairloss for pity's sake!

Meshworks
Posts: 38
Joined: Tue 25 Oct 2011, 20:55

A CHRONic solution

#4 Post by Meshworks »

Ok. The solution is to run the php script via cron, say every two minutes.
This will enable a proper user to run the script, not apache.
Another bonus is that the ban script can be kept outside the htdocs folder.

Now all I need to do is read up on cron (which I have avoided until now!)

More soon.
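The cron-side half of the design described in post #4, as an added example that is not from the thread or from XAMPP: the web-facing PHP only appends suspect addresses to a pending list outside htdocs, and this script, run from root's crontab, validates every entry and hands it to iptables. The file paths, the host address and the IPTABLES override (so the logic can be exercised without root) are assumptions, not values from the thread. Unlike the `$runme` line in post #1, no string from the web server is ever interpolated into a shell command; the only thing that reaches iptables is an address that passed a strict four-octet check.

```shell
#!/bin/sh
# Added example (not from the original thread). Run from root's crontab, e.g.
#   */2 * * * * /usr/local/sbin/apply-bans.sh
# so that the privileged iptables call never happens inside the Apache worker.
#
# Assumed paths/values (not from the thread):
BANLIST="${BANLIST:-/var/lib/banlist/pending.txt}"   # written by the PHP side
BANNED="${BANNED:-/var/lib/banlist/banned.txt}"      # state: addresses already dropped
HOST_IP="${HOST_IP:-203.0.113.10}"                   # constructed example address
IPTABLES="${IPTABLES:-iptables}"                     # set IPTABLES=true to dry-run

# valid_ipv4 ADDR -> 0 if ADDR is exactly four dotted decimal octets 0-255,
# else 1. The entry comes from an untrusted source, so anything that is not a
# plain address (shell metacharacters, option-looking strings) is rejected here.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ban_ip ADDR -> 0 if a DROP rule was inserted, 1 if the entry was skipped
# (malformed, our own address, or already banned).
ban_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "skip: malformed entry" >&2; return 1; }
    [ "$ip" != "$HOST_IP" ] || { echo "skip: own address $ip" >&2; return 1; }
    if [ -f "$BANNED" ] && grep -qxF "$ip" "$BANNED"; then
        return 1
    fi
    "$IPTABLES" -I INPUT -s "$ip" -j DROP || return 1
    printf '%s\n' "$ip" >> "$BANNED"
    return 0
}

# process_banlist -> consumes the pending file, bans each new valid address,
# and leaves the number of rules inserted in NEW_BANS.
process_banlist() {
    NEW_BANS=0
    [ -f "$BANLIST" ] || return 0
    while IFS= read -r line; do
        if ban_ip "$line"; then NEW_BANS=$((NEW_BANS + 1)); fi
    done < "$BANLIST"
    : > "$BANLIST"   # truncate: entries are either banned or rejected
    return 0
}

# When run directly (rather than sourced), process the list once.
case "$0" in
    *apply-bans.sh) process_banlist; echo "inserted $NEW_BANS new DROP rule(s)" ;;
esac
```

The banned.txt state file stands in for `iptables -C`, which older iptables releases such as the 1.4.6 in the error message do not offer; it also keeps a repeat offender from accumulating duplicate rules. Because the pending file is the only channel between the web process and root, the PHP side needs write access to that one file and nothing else, and the Apache user stays out of sudoers as the thread wanted.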
