I have some statistics plugins for WordPress that evaluate what sites refer to my blog. I use “WassUp”, “StatPress” and “CyStats”. Unfortunately some idiot thinks it’s funny to bombard my webserver with referer spam. Complaining to the local net-admin is useless of course.
There are some tutorials for mod_security, but most of the ones I found were still for V1. After some messing with Perl to get the right HTTP headers (Perl as a CGI script stores these in the %ENV hash and can print them easily), here’s a simple rule to kill them all. Well, most of them, or just THE ONE that bugs me :-)
I assume that you have mod_security installed with standard options. I just used the minimal config file that came with the source code.
SecRule REQUEST_HEADERS:REFERER "^.*(ney\.co\.cc).*$" nolog,deny,status:500
The filter is a standard Perl-compatible regular expression, the same kind you use in Perl (ModSecurity’s default @rx operator). In this case I block every request whose Referer header contains the string “ney.co.cc”; the dots are escaped as “\.” because an unescaped “.” matches any character. “^” anchors at the start of the header, “$” at the end, “.” stands for any character and “*” means it can occur zero or more times, so the rule matches “_whatever_ney.co.cc_whatever”. Because of the leading and trailing “.*” the two anchors do not restrict anything, and the pattern is effectively a plain substring match: any referer host that happens to end in “ney.co.cc” is blocked too, and the comparison is case-sensitive unless you add the t:lowercase transformation. The actions mean: nolog (do not write the hit to the ModSecurity logs), deny (refuse the request) and status:500 (answer with that HTTP status; 403 is the more conventional choice for a deliberate block). I hope this is good enough to get rid of this spammer.
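To see what the rule actually matches, here is an added Python check that is not part of the original post and not ModSecurity code: it applies the post’s regex, and a tighter host-anchored alternative, to a handful of constructed Referer values. The domain magicney.co.cc is taken from the log line quoted in the post; the tightened SecRule in the comment, its id/phase actions and the use of t:lowercase are assumptions about current ModSecurity 2 syntax (rule ids became mandatory in 2.7).

```python
import re

# The regex from the SecRule in the post, exactly as ModSecurity's default
# @rx operator (PCRE) would apply it to the Referer request header.
POST_RULE_REGEX = r"^.*(ney\.co\.cc).*$"

# A tighter alternative (assumption, not from the post): anchor on the scheme
# and host so only magicney.co.cc and its subdomains match, case-insensitively.
# magicney.co.cc is the domain from the log line the post quotes.
HOST_RULE_REGEX = r"(?i)^https?://(?:[^/]+\.)?magicney\.co\.cc(?:[:/]|$)"

# Equivalent SecRule for the tighter pattern (assumed ModSecurity 2.7+ syntax:
# id: is mandatory there, t:lowercase makes the match case-insensitive):
#   SecRule REQUEST_HEADERS:REFERER "^https?://([^/]+\.)?magicney\.co\.cc([:/]|$)" \
#       "id:100001,phase:1,t:lowercase,log,deny,status:403"


def referer_blocked(referer, pattern=POST_RULE_REGEX):
    """Return True if a request carrying this Referer would be denied.

    An absent or empty header never matches: ModSecurity does not run the
    operator when the named variable is not present in the request.
    """
    if not referer:
        return False
    return re.search(pattern, referer) is not None


# Constructed Referer values (not captured traffic) covering the interesting
# cases: the spammer, an upper-cased copy, an innocent look-alike host, a
# normal search-engine referer and a request without any Referer.
SAMPLE_REFERERS = [
    "http://mortgage-pay-refinance-second.magicney.co.cc/",  # the spammer
    "http://MORTGAGE.MAGICNEY.CO.CC/",                       # upper-cased copy
    "http://sydney.co.cc/",                                  # contains "ney.co.cc"
    "http://www.google.com/search?q=mod_security",           # legitimate
    "",                                                      # no Referer sent
]


def evaluate(referers=SAMPLE_REFERERS):
    """Return (referer, blocked_by_post_rule, blocked_by_host_rule) per input."""
    return [
        (r, referer_blocked(r, POST_RULE_REGEX), referer_blocked(r, HOST_RULE_REGEX))
        for r in referers
    ]


if __name__ == "__main__":
    for referer, by_post, by_host in evaluate():
        print(f"{referer or '<none>':55} post rule: {by_post!s:5} host rule: {by_host}")
```

Running it shows the two weaknesses of the substring rule: “sydney.co.cc” is blocked although it has nothing to do with the spammer, and the spammer gets through simply by upper-casing the host, because PCRE matching is case-sensitive unless the rule lowercases the header first. Anchoring on the scheme and host fixes both, and the same pattern drops straight into a SecRule as shown in the comment.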
I used a Perl script that prints all environment variables that matter. I can’t post the contents, as there is some HTML code inside which WordPress doesn’t like. If you have execution of CGI scripts enabled, just put it into /server_root/cgi-bin/ and open it in a web browser.
VICTORY!!
[Wed Mar 25 19:08:32 2009] [error] [client 89.105.128.33] client denied by server configuration: /srv/www/vhosts/blog.spitzenpfeil.org/htdocs/, referer: http://mortgage-pay-refinance-second.magicney.co.cc/
Now I just have to find out if mod_security2 interferes with other things I want to work…
The logfile settings might need some tweaking, as I can see the mod_security audit logfile is growing.
I also use “mod_evasive” to limit the number of hits per time interval my website tolerates, before the requester is blocked for a few seconds :-)