Spam attack in blogs

ferfer



Joined: 12 May 2005
Posts: 36

Posted: Wed Aug 10, 2005 4:29 pm    Post subject: Spam attack in blogs  

Hi,

My system crashed today. It was a good crash: mysql went really down, bind was the next to fall (I use mysql-dlz) and even cron and the kernel exploded.

While I was trying to understand what happened, I rebooted and it took ages to start. Even "top" was painfully slow, and... wow! I got a 46.0 load just 1 minute later!

PHP was to blame. I narrowed it down and it seems a big spammer "fell in love" with one of my websites (which runs a blog), and was (and still is) sending a LOT of fake spam requests to the site every second. That collapsed my web server, as apache starts php (in cgi-suexec'd mode) and the blog has to send a webpage (querying mysql on its way) to the spammer.

So, mod_security is a good toy, and this:

Quote:
SecFilterSelective HTTP_Referer "\.bigbig\.com" "nolog"


seems to be an effective way to get rid of that particular spammer. This stops the attack before php is launched and my system runs now at 0.3. I'm still being hit by that spammer, but it does no harm now. I've also added some other common rules like "penis", "enlarge", "cialis" and so on, so I hope a great % of the spam will be off.

The question... do you know

a) a way to live-update mod_security from maybe an online source (something like spam blacklists postfix uses).

b) a better way to deal with blog spammers?

I can take the b2evo spammer list and transform it into SecFilterSelective things by hand, but maybe there is some automated way to do this, or a better solution for the problem.

Anyway, my system seems to be more stable now. Hope your websites don't suffer from this!
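As an added example (not code from this thread), here is a small Python script that does the conversion asked about in a): it turns a domain blacklist in the style of the b2evolution antispam list into SecFilterSelective referer rules of the form shown above. The list contents are constructed placeholders, and the generated pattern is widened a little beyond the post's own so that the apex domain matches as well as its subdomains.

```python
import re

# Constructed sample of a referrer-spam blacklist (placeholder domains),
# one domain per line in the style of the b2evolution antispam list.
SAMPLE_BLACKLIST = """\
# comments and blank lines are ignored
bigbig.com
Pills-Online.test

bigbig.com
"""

def parse_blacklist(text):
    """Return unique, lower-cased domains in file order."""
    domains = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#") and line not in domains:
            domains.append(line)
    return domains

def referer_pattern(domain):
    """Regex for 'this domain is the referer host or a parent of it'.
    Only '.' needs escaping in a hostname; the leading (//|\\.) keeps
    'bigbig.com' from also matching 'notbigbig.com'."""
    return r"(//|\.)" + domain.replace(".", r"\.")

def referer_rule(domain, actions="nolog"):
    """One mod_security 1.x rule in the form used in the post above."""
    return 'SecFilterSelective HTTP_Referer "%s" "%s"' % (referer_pattern(domain), actions)

def render_rules(text, actions="nolog"):
    """Turn a whole blacklist into rule lines, ready to Include from httpd.conf."""
    return [referer_rule(d, actions) for d in parse_blacklist(text)]

def would_block(domain, referer):
    """Self-check that a generated pattern matches the referers it should."""
    return re.search(referer_pattern(domain), referer) is not None

if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_BLACKLIST)))
```

Re-running the script from cron against a freshly downloaded list and then reloading apache gives the "live update" the question asks for; the self-check is worth keeping because a single bad line in the generated file stops apache from starting.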
Xan



Joined: 08 Feb 2004
Posts: 293
Location: Austin

Posted: Thu Aug 11, 2005 12:08 am    Post subject: Re: Spam attack in blogs  

fernandonajer wrote: I've also added some other common rules like "penis", "enlarge", "cialis" and so on, so I hope a great % of the spam will be off.


It's a good thing caker doesn't block words like that on this board, or we wouldn't have been able to read your post!
Jay



Joined: 14 Nov 2004
Posts: 125
Location: NC, USA

Posted: Thu Aug 11, 2005 12:24 am    Post subject: Re: Spam attack in blogs  

fernandonajer wrote: "cialis"

Don't hate on oldos!

(i name my webservers after ED drugs, cialis.oldos.org is my current incarnation)
ferfer



Joined: 12 May 2005
Posts: 36

Posted: Thu Aug 11, 2005 12:31 am    Post subject: Re: Spam attack in blogs  

Xan wrote: It's a good thing caker doesn't block words like that on this board, or we wouldn't have been able to read your post!

;) I know, and what I'm blocking is just referrers, which is most of the spam I'm getting.

What Jay says can be a problem if he ever links my website from his... You couldn't reach my website from his, but if you navigate somewhere else or close the browser and then load mine it would work.
sbstudios



Joined: 03 Dec 2003
Posts: 14

Posted: Sat Aug 13, 2005 3:13 am    Post subject:  

I've found that one effective method for dealing with this is to set up SecFilterSelective rules based on proxy headers, since spammers will usually route through one when doing mass posting. This is what I use:

Code:
SecFilterSelective HTTP_Forwarded ".+" log,status:403
SecFilterSelective HTTP_Via ".+" log,status:403
SecFilterSelective HTTP_Proxy-Connection ".+" log,status:403
SecFilterSelective HTTP_X-Forwarded-For ".+" log,status:403
SecFilterSelective HTTP_X-BlueCoat-Via ".+" log,status:403

Set inside a properly-defined Location block, it's proven to be pretty effective.
ferfer



Joined: 12 May 2005
Posts: 36

Posted: Sat Aug 13, 2005 8:40 am    Post subject:  

Here in Spain more than 50% of DSL users (I'm one of them) are routed through what they call a 'proxy cache', and it adds the X-Forwarded-For header... so I think that is a bad idea, at least for my sites...
sbstudios



Joined: 03 Dec 2003
Posts: 14

Posted: Sat Aug 13, 2005 10:22 am    Post subject:  

Yeah, it's an aggressive ruleset.

But it depends on how you implement it. You could first use a directive that would allow all requests other than those making a comment post:

Code:
SecFilterSelective REQUEST_URI "!/path/to/script\.php\?.*argtomatch=" allow

Then add a directive to allow requests from authenticated users by checking for the appropriate values in COOKIES_NAMES, along with one to check the HTTP_Referer to make sure that the request comes from your domain/site if the cookies aren't present.

Edit: These are the rules that I use for wordpress:

Code:
SecFilterSelective REQUEST_URI "!wp-comments-post\.php" allow
SecFilterSelective COOKIES_NAMES "wordpresspass_.*" allow
SecFilterSelective HTTP_Referer "!blog.domain/folder" nolog,redirect:http://blog.main.page/

Add the proxy matching rules after something like these and you should be good to go.
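As an added example (not code from this thread), here is a small Python model of that rule order, to show why the sequence matters: the Spanish ISP proxy-cache user ferfer described is still refused when commenting anonymously, but passes once logged in, and ordinary page views never reach the proxy-header rules. The semantics are a simplified reading of mod_security 1.x (first match decides, "!" negates, an absent header counts as empty) and blog.example.test is a placeholder host.

```python
import re

# Constructed replica of the rule order in the post above (simplified
# mod_security 1.x semantics): rules run top to bottom, first match decides.
# A leading "!" negates the pattern, as in SecFilterSelective.
RULES = [
    ("REQUEST_URI",   r"!wp-comments-post\.php", "allow"),    # only comment posts are filtered
    ("COOKIES_NAMES", r"wordpresspass_.*",       "allow"),    # logged-in WordPress user
    ("HTTP_Referer",  r"!blog\.example\.test/",  "redirect"), # foreign or missing referer
    ("HTTP_Forwarded",        r".+", "deny"),                   # the proxy-header rules
    ("HTTP_Via",              r".+", "deny"),
    ("HTTP_Proxy-Connection", r".+", "deny"),
    ("HTTP_X-Forwarded-For",  r".+", "deny"),
    ("HTTP_X-BlueCoat-Via",   r".+", "deny"),
]

def _values(req, variable):
    """Map a rule variable to the request values it inspects."""
    if variable == "REQUEST_URI":
        return [req["uri"]]
    if variable == "COOKIES_NAMES":
        return list(req.get("cookies", []))
    # HTTP_<Header>: an absent header is treated as "" (assumption of this model)
    return [req.get("headers", {}).get(variable[len("HTTP_"):], "")]

def _hit(pattern, values):
    negate = pattern.startswith("!")
    body = pattern[1:] if negate else pattern
    found = any(re.search(body, v) for v in values)
    return found != negate

def decide(req):
    """Return the action of the first matching rule, 'allow' if none match."""
    for variable, pattern, action in RULES:
        if _hit(pattern, _values(req, variable)):
            return action
    return "allow"

# Constructed requests: anonymous comment via an ISP 'proxy cache' (ferfer's case),
# the same user logged in, a plain page view, and a referrer-spam post.
OWN_REF = "http://blog.example.test/2005/08/post/"
ISP_ANON = {"uri": "/wp-comments-post.php",
            "headers": {"Referer": OWN_REF, "X-Forwarded-For": "10.0.0.5"}}
ISP_AUTH = dict(ISP_ANON, cookies=["wordpresspass_abc"])
PAGE_VIEW = {"uri": "/2005/08/post/", "headers": {"X-Forwarded-For": "10.0.0.5"}}
SPAM_POST = {"uri": "/wp-comments-post.php", "headers": {"Referer": "http://www.bigbig.com/"}}
```

The remaining false positive is an anonymous commenter behind such a proxy; if that is most of your readership, the proxy-header rules are better used with log only, so the logs show how often they would have fired before switching them to status:403.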
ferfer



Joined: 12 May 2005
Posts: 36

Posted: Sun Aug 14, 2005 5:14 am    Post subject:  

Thank you! I'll try it...
kenny



Joined: 27 Jun 2003
Posts: 66

Posted: Thu Aug 18, 2005 8:46 am    Post subject: Re: Spam attack in blogs  

fernandonajer wrote: a) a way to live-update mod_security from maybe an online source (something like spam blacklists postfix uses).
Well, I've played around with one at http://www.gotroot.com/downloads/ftp/mod_security/rules.conf; however, the site's giving me 500s at present.

Kenny
JKWood



Joined: 05 Mar 2008
Posts: 2

Posted: Sat Jun 07, 2008 12:25 pm    Post subject:  

Here's how I've eliminated blog spam from going through: Hidden fields.

Say you let people post a name, a website, and a comment. In your code, name those fields something odd... I used Spanish: nombre, sitio, commentario.

Now, add a field called "name." Label it "Leave blank", just in case somebody sees it. Hide it with css (style="display:none"). In the submission script, if that hidden field is filled out, reject the post.

I've been using this since March, and not ONE bot has managed to spam my comments. Not one.
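As an added example (not JKWood's code), here is the same decoy-field scheme in Python: the form renders the renamed fields plus a CSS-hidden "name" input, and the handler rejects any submission in which the decoy is filled. The field names and the sample submissions are constructed for illustration.

```python
import html

# Public (HTML) field names a generic bot will not recognise, mapped to what
# each field means to the application. JKWood used Spanish; anything odd works.
FIELD_MAP = {"nombre": "name", "sitio": "website", "commentario": "comment"}
HONEYPOT = "name"   # the decoy: bots fill "name" out of habit, humans never see it

def render_comment_form(action="/comment"):
    """Emit the form. The decoy is hidden with CSS rather than type=hidden,
    so to a bot parsing the HTML it looks like any other text input."""
    rows = ['<form method="post" action="%s">' % html.escape(action, quote=True)]
    for public, meaning in FIELD_MAP.items():
        rows.append('  <label>%s <input type="text" name="%s"></label>'
                    % (meaning.capitalize(), public))
    rows.append('  <div style="display:none"><label>Leave blank '
                '<input type="text" name="%s"></label></div>' % HONEYPOT)
    rows.append('  <input type="submit" value="Post comment">')
    rows.append("</form>")
    return "\n".join(rows)

def validate_submission(form):
    """form: dict of POSTed field name -> value.
    Returns (True, payload) with the comment keyed by meaning, or
    (False, reason). Any non-blank decoy value rejects the post."""
    if form.get(HONEYPOT, "").strip():
        return False, "decoy field filled: automated submission"
    payload = {meaning: form.get(public, "").strip()
               for public, meaning in FIELD_MAP.items()}
    if not payload["comment"]:
        return False, "empty comment"
    return True, payload

# Constructed submissions: a human (decoy left blank) and a bot that fills
# every text input it finds, including the decoy.
HUMAN = {"nombre": "Ana", "sitio": "", "commentario": "Nice post", "name": ""}
BOT = {"nombre": "x", "sitio": "http://www.bigbig.com/", "commentario": "buy", "name": "Bob"}
```

Like the referrer filters earlier in the thread, this raises the cost for untargeted bots; a bot written against this particular form can still skip the decoy, so keep the mod_security rules in front of it.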