I am running a CentOS 7 server, and I want to be able to Ban or Unban certain IP with Fail2ban.

However it's not working when I run the code below:

$exec = exec('sudo fail2ban-client set apache banip 0.0.0.0', $output, $return);

var_dump($exec);   // last line of the command's output, or false
var_dump($output); // every line of output, one array element per line
var_dump($return); // the command's exit status (0 means success)

Do I need some special permissions for PHP? Is that why it won't work?

The $return variable spits out 1 when I run it. I know 0 means it's successful.

While $output doesn't return anything.

Nikk
  • Have you checked this thread: https://serverfault.com/questions/285256/how-to-unban-an-ip-properly-with-fail2ban/475117 ? – Shahroze Nawaz Jul 27 '17 at 11:52
  • The commands work in SSH as sudo. They don't through exec...I'm guessing it's a sudo issue – Nikk Jul 27 '17 at 12:40

2 Answers

No need to su to root and save the root password in a file (dangerous). All you need to do is change the group of the files in /var/run/fail2ban (fail2ban.pid and fail2ban.sock) to www-data and give the group rw and rwx permissions. fail2ban-client runs as user www-data (apache) and needs these permissions to communicate with its server.

Don
Said
I would guess you need a password for sudo. If you have a root user and this is indeed the case, you need to do it like this:

// -S makes sudo read the password from stdin, which is redirected from the file
$command = 'sudo -u root -S fail2ban-client set apache banip 0.0.0.0 < yourpass.key';

$exec = exec($command, $output, $return);

var_dump($exec);   // last line of the command's output, or false
var_dump($output); // every line of output
var_dump($return); // exit status (0 means success)


Where yourpass.key is a file containing the password for root. The way I did it above, the password file has to be in the same directory as the PHP Script. However you can change that path.

For instance, if you want to store the file in /home just write

$command = 'sudo -u root -S fail2ban-client set apache banip 0.0.0.0 < /home/yourpass.key';
NullDev
  • Can I just add the password as text? Like this: `'sudo -u root -S fail2ban-client set apache banip 0.0.0.0 < password123'` – Nikk Jul 27 '17 at 13:48
  • User `root` login is disabled. Another user has to be logged in, then `su`. However php is running internally so it should let it `root`. – Nikk Jul 27 '17 at 13:52
  • @Borsn Yes that works, however I wouldn't recommend it as its a security issue. If you still want to, do it like so: `'sudo -u root -S fail2ban-client set apache banip 0.0.0.0 << password123'` Also, I am sure you won't be able to use the root user in PHP if it's disabled. Remember: Exec still calls a normal shell. – NullDev Jul 27 '17 at 14:27
  • This doesn't work like so. Probably because of the root. What is a solution in this case enable root (that doesn't seem to make sense security wise)? Any way I can give php the right to be able to run this? – Nikk Jul 27 '17 at 15:39
  • @Borsn For me it works perfectly fine. Can you add `2>&1` at the end of your command like `$command = 'sudo -u root -S fail2ban-client set apache banip 0.0.0.0 2>&1 < yourpass.key';` and let me know what `$exec` returns? – NullDev Jul 28 '17 at 07:11
  • This is what I get `sudo: unable to open audit system: Permission denied`. Now there is a response. So what is my next step? I've tried logging in with root and the pass for it. It's not letting me. – Nikk Jul 31 '17 at 22:53
  • @Borsn Now this is another issue. It usually means that you have SELinux Enabled. See here: https://stackoverflow.com/questions/7313519/from-php-apache-exec-or-system-program-as-root-sudo-unable-to-open-audit – NullDev Aug 01 '17 at 07:21
  • Thanks. If I wanted to use another user will it be like this `-u username -S fail2ban-client set apache banip 0.0.0.0 2>&1 << password`? – Nikk Aug 01 '17 at 10:06
  • @Borsn Exactly. Also: The `2>&1` in the end of your command just redirects Channel 2 (Standard Error) and Channel 1 (Standard Output) to your PHP Variable. You don't necessarily need it. Except for debugging or if you need the full output of your exec elsewhere. – NullDev Aug 01 '17 at 10:42
  • Without `2>&1` I'm not getting any output for `root`. Um and for the other user, it fails the way I have it before and doesn't output anything. – Nikk Aug 01 '17 at 15:58
  • Storing the root password in a file is not a good solution to the problem. Just run the command as a different user, as the other answer suggests. – Aaron Cicali Sep 28 '21 at 22:57
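Both answers amount to letting the web server reach fail2ban with root-level authority: the first by handing the `apache`/`www-data` account the fail2ban socket (and a client with socket access can also redefine a jail's `actionban` command, which the fail2ban server then executes as root, so this is considerably more than "ban an IP"), the second by storing the root password where PHP can read it. The question's PHP also splices the address straight into a shell string. As an added example, not code from the original post, the answers or the fail2ban project, the wrapper below is what I would put between PHP and fail2ban-client instead: a sudoers rule that permits only this one script with no password, plus a POSIX sh script that validates the jail name and IPv4 address before anything is passed on, and calls fail2ban-client with an argv rather than a shell string. The script path `/usr/local/sbin/f2b-ban.sh`, the client path `/usr/bin/fail2ban-client`, the jail name `apache`, the service account `apache` (the default for httpd on CentOS 7; it is `www-data` on Debian, which is why the first answer's chgrp has to target whichever account PHP actually runs under) and the addresses in the test are all assumptions. The SELinux denial reported in the comments (`unable to open audit system`) is a separate policy problem that none of this addresses.

```shell
#!/bin/sh
# f2b-ban.sh: minimal privileged wrapper around fail2ban-client (example code,
# not part of fail2ban). Paths, jail name and the 'apache' account are assumed.
#
# sudoers entry (edit with visudo) that allows only this script, no password:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/f2b-ban.sh
# If sudoers contains "Defaults requiretty", also add:
#   Defaults:apache !requiretty
#
# Call from PHP with each argument escaped and sudo in non-interactive mode:
#   exec('sudo -n /usr/local/sbin/f2b-ban.sh ' . escapeshellarg($jail) . ' '
#        . escapeshellarg($action) . ' ' . escapeshellarg($ip), $out, $rc);
#
# Usage: f2b-ban.sh <jail> banip|unbanip <ipv4>

# Jail names are [section] headers in jail.conf; allow only a conservative set.
valid_jail() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Strict IPv4 dotted-quad check: exactly four octets 0-255, no leading zeros,
# nothing else (so no shell metacharacters, no CIDR, no hostnames).
valid_ipv4() {
    ip=$1
    case "$ip" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip            # safe: $ip is digits and dots only at this point
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0 | [1-9] | [1-9][0-9] | 1[0-9][0-9] | 2[0-4][0-9] | 25[0-5]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The only call that needs root; the sudoers rule above is what grants it.
f2b_client() {
    /usr/bin/fail2ban-client "$@"
}

# Validate every argument, then invoke the client with an argv, never a string.
# Returns 2 on rejected input, otherwise fail2ban-client's own exit status.
f2b_ban() {
    jail=${1:-} action=${2:-} ip=${3:-}
    valid_jail "$jail" || { echo "f2b-ban: bad jail name" >&2; return 2; }
    case "$action" in
        banip | unbanip) ;;
        *) echo "f2b-ban: action must be banip or unbanip" >&2; return 2 ;;
    esac
    valid_ipv4 "$ip" || { echo "f2b-ban: bad IPv4 address" >&2; return 2; }
    f2b_client set "$jail" "$action" "$ip"
}

# Run only when given arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    f2b_ban "$@"
    exit $?
fi
```

The PHP side keeps `exec()` but the only thing it can influence is three arguments, each of which the script rejects unless it matches a fixed shape; an input such as `1.2.3.4; id` never reaches a shell with privileges. Because sudo runs with `-n`, a missing or wrong sudoers rule fails immediately with a non-zero `$return` instead of hanging on a password prompt, which is the symptom in the question.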