As mentioned before, I block most webservers I'm responsible for from making port 80 outbound requests. This helps reduce the likelihood of someone successfully exploiting a vulnerability on one of the sites, as Apache wouldn't be able to download some sort of rootkit and so on.
Anyway, the firewall bit is relatively easy (this is shamelessly stolen from Bytemark):
# Remove the jump and rebuild the chain from scratch (the first three commands fail harmlessly on a first run)
/sbin/iptables -D OUTPUT -j no_www
/sbin/iptables --flush no_www
/sbin/iptables --delete-chain no_www
/sbin/iptables --new-chain no_www
/sbin/iptables -I OUTPUT -j no_www
# Loopback stays open for the Apache user (local proxy, local database)
/sbin/iptables -A no_www -m state --state new --match owner --uid-owner www-data -o lo -j ACCEPT
# DNS queries are fine
/sbin/iptables -A no_www -m state --state new --match owner --uid-owner www-data --protocol udp --dport 53 -j ACCEPT
/sbin/iptables -A no_www -m state --state new --match owner --uid-owner www-data --protocol tcp --dport 53 -j ACCEPT
# TCP/UDP/ICMP are blocked (only NEW connections; Apache's replies to inbound clients must still get out)
/sbin/iptables -A no_www -m state --state new --match owner --uid-owner www-data --protocol tcp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www -m state --state new --match owner --uid-owner www-data --protocol udp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www --protocol icmp --match owner --uid-owner www-data -j REJECT --reject-with icmp-admin-prohibited
The annoying bit is that once this is done, WordPress's admin panel becomes a bit useless (it can no longer fetch anything from the outside). This can be cunningly fixed by editing wp-config.php and adding something like:
// Only when the request comes from my office PC: send WordPress's outbound
// HTTP through the local squid proxy, which is reachable over loopback.
if ($_SERVER['REMOTE_ADDR'] == '78.105.96.188') {
    define('WP_PROXY_HOST', '127.0.0.1');
    define('WP_PROXY_PORT', '3128');
    define('WP_PROXY_BYPASS_HOSTS', 'localhost');
}
So, if I’m browsing from my office PC, everything should just happily work.
TBH surprised you don't block everything by default and only allow what's needed out?
I'm too lazy to do that... although I admit it's a very small step to go from blocking port 80 out to blocking everything out for the apache user, as there is (afaik) no other traffic out from apache anyway.
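The default-deny variant discussed in the comments, written up as an added example (not the post's or Bytemark's script). It keeps the post's chain name, www-data user and local proxy on 127.0.0.1:3128 as assumptions, adds a rate-limited LOG rule so blocked attempts show up in syslog, and has a dry-run mode so the rules can be reviewed before they are applied as root.

```shell
#!/bin/sh
# Added example: default-deny egress for the Apache user (the "block everything,
# allow only what's needed" variant from the comments), not the post's own script.
# Assumptions: chain no_www, web user www-data, local squid reachable over loopback.
IPT=${IPT:-/sbin/iptables}
WEB_USER=${WEB_USER:-www-data}
CHAIN=${CHAIN:-no_www}

# Run iptables, or just print the command when DRY_RUN is set, so the rule set
# can be reviewed before it touches a live firewall.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Tear down and recreate the chain; -D/-F/-X fail harmlessly on the first run.
reset_chain() {
    ipt -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN" 2>/dev/null || true
    ipt -X "$CHAIN" 2>/dev/null || true
    ipt -N "$CHAIN"
    ipt -I OUTPUT -j "$CHAIN"
}

apply_rules() {
    reset_chain
    # Judge only NEW connections: without the conntrack match, Apache's replies to
    # inbound client connections (sockets also owned by www-data) would be rejected.
    OWN="-m owner --uid-owner $WEB_USER -m conntrack --ctstate NEW"  # word-split on purpose
    # Loopback stays open: that is how the local proxy and local databases are reached.
    ipt -A "$CHAIN" $OWN -o lo -j ACCEPT
    # DNS is the only direct outbound service allowed.
    ipt -A "$CHAIN" $OWN -p udp --dport 53 -j ACCEPT
    ipt -A "$CHAIN" $OWN -p tcp --dport 53 -j ACCEPT
    # Everything else (TCP, UDP, ICMP): rate-limited log line, then reject.
    ipt -A "$CHAIN" $OWN -m limit --limit 5/min -j LOG --log-prefix "no_www reject: "
    ipt -A "$CHAIN" $OWN -j REJECT --reject-with icmp-admin-prohibited
}

# Number of rules a dry run would append to the chain (subshell keeps DRY_RUN local).
rule_count() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- " -A $CHAIN "
}

# No argument: print the rules. "--apply": install them (needs root).
case "${1:-}" in
    --apply) apply_rules ;;
    *) ( DRY_RUN=1; apply_rules ) ;;
esac
```

Run it without arguments first to read the rules it would install, then with `--apply` as root; the same conntrack caveat applies to the post's original script, which is why its rules carry `-m state --state new`.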