Blocking referer spam with mod_security2 using Apache2

I have some statistics plugins for WordPress that evaluate what sites refer to my blog. I use “WassUp”, “StatPress” and “CyStats”. Unfortunately some idiot thinks it’s funny to bombard my webserver with referer spam. Complaining to the local net-admin is useless of course.

There are some tutorials for mod_security, but most of the ones I found were still for V1. After some messing with Perl to get the right HTTP_HEADERS (Perl as a CGI script stores these in the %ENV hash and can print them easily), here’s a simple rule to kill them all. Well most of them, or just THE ONE that bugs me :-)

I assume that you have mod_security installed with standard options. I just used the minimal config file that came with the source code.

SecRule REQUEST_HEADERS:REFERER "^.*(ney\.co\.cc).*$" nolog,deny,status:500

The filter is just a standard regular expression like the ones you can use in Perl. In this case I block all referers that contain the string “ney.co.cc”; the dots are written as “\.” so that they match a literal dot. “^” means “starts with” and “$” means “ends with”. An unescaped “.” stands for any possible character and “*” indicates that it can occur “zero or more” times. So it filters everything like “_whatever_ney.co.cc_whatever”. I hope this is good enough to get rid of this spammer.
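To see which requests this pattern would deny before relying on it, the following added example (not part of the original post) replays the regular expression from the SecRule above over access-log lines in Apache's combined format and compares it with a stricter, hypothetical host-only check. The sample log lines and the names `dry_run` and `host_matches` are constructed for illustration, and Python's `re` is assumed to treat this pattern the same way ModSecurity's PCRE does.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the SecRule above. ModSecurity evaluates it with PCRE;
# Python's re module handles this particular pattern the same way (assumption).
PAGE_RULE = re.compile(r"^.*(ney\.co\.cc).*$")
# Unanchored form: the leading ^.* and trailing .*$ do not change what matches.
BARE_RULE = re.compile(r"ney\.co\.cc")

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def host_matches(referer, suffix="ney.co.cc"):
    """Stricter, hypothetical check: only the Referer's host name may end with suffix."""
    host = urlsplit(referer).hostname or ""
    return host.endswith(suffix)

def dry_run(log_lines):
    """Return one dict per parsable line saying what each check would have done."""
    report = []
    for line in log_lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line
        referer = m.group("referer")
        report.append({
            "referer": referer,
            "rule_denies": PAGE_RULE.search(referer) is not None,
            "bare_denies": BARE_RULE.search(referer) is not None,
            "host_denies": host_matches(referer),
        })
    return report

# Constructed sample lines (documentation IP addresses); only the first referer is from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2009:19:08:32 +0100] "GET / HTTP/1.1" 200 5120 '
    '"http://mortgage-pay-refinance-second.magicney.co.cc/" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2009:19:09:01 +0100] "GET /feed/ HTTP/1.1" 200 2048 '
    '"http://www.example.org/links.html" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Mar/2009:19:10:44 +0100] "GET / HTTP/1.1" 200 5120 '
    '"http://search.example.com/?q=magicney.co.cc+spam" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Mar/2009:19:11:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in dry_run(SAMPLE_LOG):
        print(row)
```

The third sample line is the over-match to watch for: the string appears only in a query parameter of an unrelated site, yet the rule as written denies the request, while the host-only check does not.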

I used a Perl script that prints all environment variables that matter. I can’t post the contents, as there is some HTML code inside which WordPress doesn’t like. If you have execution of CGI scripts enabled, just put it into /server_root/cgi-bin/ and open it in a web browser.

VICTORY!!

[Wed Mar 25 19:08:32 2009] [error] [client 89.105.128.33] client denied by 
server configuration: /srv/www/vhosts/blog.spitzenpfeil.org/htdocs/,
referer: http://mortgage-pay-refinance-second.magicney.co.cc/

Now I just have to find out if mod_security2 interferes with other things I want to work…

The logfile settings might need some tweaking, as I can see the mod_security audit logfile is growing.

I also use “mod_evasive” to limit the number of hits per time interval my website tolerates, before the requester is blocked for a few seconds :-)
