Mod-security (mlogc) problem

Arthur Dent misc.lists at blueyonder.co.uk
Fri Apr 9 14:23:34 UTC 2010


Hi Dominick,

I'm sorry to bother you again, but everything seems to be going just
fine since the last lot of policy updates, so I decided to move into the
next phase of my project.

You're going to hate me for this...

What I have is a Mod-Sec rule that detects a particular kind of attack;
when detected it identifies the IP address of the attacker and (using
the modsec "exec" function) passes this to a script.

During our recent exchange I was using this rule for testing, but for
now all the script does is write the IP address into a file. (This
worked by the way).

Now for the next part. Instead of writing it to a file I want to ban the
IP in iptables using a feature of the fail2ban application which I also
have running on this machine.

The script uses the following command:
fail2ban-client set modsec banip $IP
touch -c /var/log/httpd/modsec_audit.log

where $IP is the IP address passed from mod-sec, the "banip" is an
argument of the fail2ban-client app which initiates a manual banning of
the IP and "modsec" is the name of the "jail" (in fail2ban parlance) to
be activated for this IP.

The "touch" command is necessary to trick fail2ban into thinking that
the log file it is monitoring has been updated and thus needs to wake
itself and take action.

Putting all this together now gives me this (single) avc when testing:

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270821681.36:50303): avc: denied { search } for pid=30224 comm="fail2ban-client" name="fail2ban" dev=sda5 ino=476186 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir 
node=troodos.org.uk type=SYSCALL msg=audit(1270821681.36:50303): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa9b0e0 a2=b6810c a3=b76fb2c8 items=0 ppid=30222 pid=30224 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

How best to handle this?

I am writing this from behind the sofa, out of range of beer bottles
hurled from the Netherlands.

Thanks!

Mark
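A parser for the AVC record quoted above that renders the denial as a minimal Type Enforcement module (the same translation audit2allow performs), added here as an example and not part of Mark's message or of the SELinux tooling; `AVC_RE`, `parse_avc` and `te_module` are names chosen for this example, and the sample line is the one from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the single AVC record quoted in the message above.
SAMPLE_AVC = (
    'node=troodos.org.uk type=AVC msg=audit(1270821681.36:50303): avc: denied '
    '{ search } for pid=30224 comm="fail2ban-client" name="fail2ban" dev=sda5 '
    'ino=476186 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir'
)

# permissions in braces, then the source/target contexts and object class
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # a context is user:role:type[:level]; only the type is used in a TE rule
    src_type = m.group('scontext').split(':')[2]
    tgt_type = m.group('tcontext').split(':')[2]
    return src_type, tgt_type, m.group('tclass'), m.group('perms').split()

def te_module(name, lines, version='1.0'):
    """Render a minimal .te module (the shape audit2allow -M emits) for the denials."""
    allows = defaultdict(set)                 # (src, tgt, class) -> permissions
    types, classes = set(), defaultdict(set)  # for the require { } block
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        allows[(src, tgt, cls)].update(perms)
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'    type {t};' for t in sorted(types)]
    out += [f'    class {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    # every allow line here widens the source domain: review before semodule -i
    for (src, tgt, cls), perms in sorted(allows.items()):
        out.append(f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'
```

The generated allow rule grants every process running in httpd_t, a compromised web application included, the same access to fail2ban's run directory, so each line should be reviewed rather than loaded blindly. Allowing this one search will typically surface the next denial (the fail2ban socket itself), so expect to iterate on the module or give the helper script its own domain.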

