Fedora 16 with SELinux running WordPress with Akismet

So you have WordPress and Akismet to get rid of spam. But for some reason Akismet is not working:

WordPress with Akismet failing

You can test if you have a valid key and connectivity from the command line with either wget:

wget --post-data 'key=YOURKEYGOESHERE&blog=http://example.org' \
http://rest.akismet.com/1.1/verify-key

or using curl:

curl -d 'key=YOURKEYGOESHERE' -d 'blog=http://example.org' \
http://rest.akismet.com/1.1/verify-key

If it works, wget should leave you a file called “verify-key” (curl prints the response to the terminal instead), and the response should contain the word “valid”.

If that doesn’t work then you have problems outside the scope of this article.

But if the key verifies fine from the command line, then chances are your SELinux configuration is limiting what the httpd server can do.

Luckily the fix is simple: allow httpd to make outgoing connections:

setsebool -P httpd_can_network_connect on

But wait a minute, you say: now my httpd server can connect to anything, and attackers could potentially use it to attack other systems (especially if you allow CGI scripts or arbitrary WordPress plugins and themes, which can contain PHP code).

So we need to limit which systems the httpd server can connect to. The good news here is that iptables supports this, by matching outgoing packets on the user that owns the socket.

In the case of Akismet you’d want to add something like this to your /etc/sysconfig/iptables file:

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner apache -m tcp -p tcp --dport 80 \
--dest 66.135.58.61 -j ACCEPT
-A OUTPUT -m owner --uid-owner apache -m tcp -p tcp --dport 80 \
--dest 66.135.58.62 -j ACCEPT 
-A OUTPUT -m owner --uid-owner apache -m tcp -p tcp --dport 80 \
--dest 72.223.69.89 -j ACCEPT
-A OUTPUT -m owner --uid-owner apache -m tcp -p tcp --dport 80 \
--dest 72.223.69.88 -j ACCEPT
-A OUTPUT -m owner --uid-owner apache -j REJECT

This allows traffic on connections that already exist (e.g. replies to web clients) and new outbound connections from the apache user only to the Akismet addresses on port 80; everything else the apache user tries to originate is rejected. You will want to add rules for any other services you use, of course.
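The rules above are written by hand for one service. The script below is an added example, not part of the original post: it generates the same shape of per-user egress allowlist for any user, port and list of destination addresses, so adding another service means adding its addresses to the argument list rather than editing rules by hand. It assumes the rules go into the OUTPUT chain of the filter table in the format /etc/sysconfig/iptables uses; the addresses in the sample call are the ones quoted in the post and should be checked against what rest.akismet.com resolves to on your system before use.

```shell
#!/bin/sh
# Added example (not from the original post): generate a per-user egress
# allowlist in the format used by /etc/sysconfig/iptables.
# Assumptions: rules belong in the OUTPUT chain of the filter table, the web
# server runs as the "apache" user, and the destination addresses passed in
# are the ones you have verified for the service you want to reach.

# gen_egress_rules USER PORT IP...
# Prints OUTPUT rules that let USER open TCP connections to the listed IPs on
# PORT and reject every other connection USER originates. Traffic on already
# established connections is accepted first, so the final REJECT does not
# break replies to inbound web clients.
gen_egress_rules() {
    user=$1
    port=$2
    shift 2
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for dest in "$@"; do
        echo "-A OUTPUT -m owner --uid-owner $user -p tcp -m tcp --dport $port --dest $dest -j ACCEPT"
    done
    echo "-A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# count_rules USER PORT IP...
# Number of lines gen_egress_rules produces: one per address plus the two
# framing rules (ESTABLISHED,RELATED accept and the final reject).
count_rules() {
    gen_egress_rules "$@" | wc -l | tr -d ' '
}

# selinux_httpd_connect_state
# Reports the current value of the SELinux boolean from the post ("on" or
# "off"), or "unavailable" when getsebool is not installed on this host.
selinux_httpd_connect_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_can_network_connect 2>/dev/null | awk '{print $NF}'
    else
        echo unavailable
    fi
}

# Sample run with the Akismet addresses quoted in the post (verify them first).
gen_egress_rules apache 80 66.135.58.61 66.135.58.62 72.223.69.89 72.223.69.88
```

Redirect the output into /etc/sysconfig/iptables between your existing rules and reload with `service iptables restart`; `selinux_httpd_connect_state` is there so you can confirm the boolean is actually on before blaming the firewall. Note that an IP allowlist is only as good as the addresses in it: if the service moves to new addresses, legitimate requests start hitting the REJECT rule, so re-check the resolution of rest.akismet.com whenever Akismet stops working again.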
