{"id":633,"date":"2010-12-23T11:48:41","date_gmt":"2010-12-23T03:48:41","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=633"},"modified":"2010-12-23T11:59:17","modified_gmt":"2010-12-23T03:59:17","slug":"comment-spam-blocking-with-mod_security-debian-and-gotroot-rulesets","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2010\/12\/comment-spam-blocking-with-mod_security-debian-and-gotroot-rulesets\/","title":{"rendered":"comment spam blocking with mod_security debian and gotroot rulesets"},"content":{"rendered":"

Comment spam is a big load on servers – recently troubleshooting some intermittent load issues on one of our webservers, I discovered that one page was getting hammered by comment spam abuse – the page had already generated over 400,000 comments, which was causing the server to be slightly unhappy loadwise.<\/p>\n

After clearing out the comment table for that clients site, I looked into solutions.<\/p>\n

mod_security was an obvious one, and the atomic corp rules<\/a> seem to be better than the default mod_security ones (which break most popular apps, sigh).\u00a0 However, although the gotroot rules were good at blocking comment spam, they don’t block the ip’s, so persistent spammer bots will still hammer the server.<\/p>\n

So, whats a solution?<\/strong>
\nBlocking the ip’s dynamically for a short period.
\nAssuming you have a standard setup, the below should be of interest.<\/p>\n

I stick my ruleset into \/etc\/modsecurity2, so amend your url’s accordingly.<\/p>\n

My default initialise code is below (pretty much stock except for the end part)<\/p>\n

\/etc\/modsecurity2\/modsecurity_crs_10_config.conf<\/p>\n

SecRuleEngine On<\/pre>\n
 SecRequestBodyAccess On<\/pre>\n
 SecResponseBodyAccess On<\/pre>\n
 SecResponseBodyMimeType (null) text\/html text\/plain text\/xml<\/pre>\n
 SecResponseBodyLimit 2621440<\/pre>\n
 SecServerSignature Apache<\/pre>\n
 SecComponentSignature 200911012341<\/pre>\n
 SecUploadDir \/var\/asl\/data\/suspicious<\/pre>\n
 SecUploadKeepFiles Off<\/pre>\n
 SecAuditEngine RelevantOnly<\/pre>\n
 SecAuditLogRelevantStatus \"^(?:5|4(?!04))\"<\/pre>\n
 SecAuditLogType Concurrent<\/pre>\n
 SecAuditLog \/var\/log\/apache2\/modsec_audit.log<\/pre>\n
 SecAuditLogParts ABIFHZ<\/pre>\n
 SecArgumentSeparator \"&\"<\/pre>\n
 SecCookieFormat 0<\/pre>\n
 SecRequestBodyInMemoryLimit 131072<\/pre>\n
 SecDataDir \/var\/asl\/data\/msa<\/pre>\n
 SecTmpDir \/tmp<\/pre>\n
 SecAuditLogStorageDir \/var\/asl\/data\/audit<\/pre>\n
 SecResponseBodyLimitAction ProcessPartial<\/pre>\n
SecPcreMatchLimit 100000<\/pre>\n
SecPcreMatchLimitRecursion 100000<\/pre>\n
SecDebugLog \/var\/log\/apache2\/modsec_debug.log<\/pre>\n
SecDebugLogLevel 3<\/pre>\n
### Ruleset additions for blocking ########################################<\/pre>\n
# Make sure to clear the default action<\/pre>\n
SecDefaultAction phase:1,pass<\/pre>\n
# Initialize collection and deprecate by 3 points per day (86400 seconds)<\/pre>\n
SecAction phase:1,initcol:IP=%{REMOTE_ADDR},deprecatevar:IP.spam=3\/86400,nolog<\/pre>\n
# If there are already >15 spam points for this IP, then drop<\/pre>\n
# the connection and add 1 point (instead of 3, as below).<\/pre>\n
SecRule IP:spam \"@gt 15\" phase:1,setvar:IP.spam=+1,drop,setenv:spam=spam<\/pre>\n
# Clear the default action for any mod_security rules later in httpd.conf.<\/pre>\n
SecDefaultAction phase:1,pass<\/pre>\n
### End Ruleset additions for blocking ####################################<\/pre>\n
What does it do?\u00a0 Basically we keep score of any ip address that visits the site.<\/strong>
\nEvery day any scores depreciate by 3 points per ip.
\nIf any ip scores more than 15 points, we block it.<\/p>\n
Now, as it stands, its pretty useless, as we don’t do any scoring.<\/p>\n
So, next we’ll need to add some scoring to some of the rules.<\/p>\n
In our case, we were getting seriously hammered by pharmacy spam (mostly out of latvia)<\/p>\n
So, I went into the default gotroot ruleset that I installed into \/etc\/modsecurity2<\/p>\n
Comment spam is in this file: 30_asl_antispam.conf<\/p>\n
I added some scoring there.
\nIn my case, we saw hundreds of thousands of attempts for levitra and tramadol spam, so I went to the pharmacy scoring, and added this:<\/p>\n
setvar:IP.spam=+15<\/code> in the SecRule check.
\nThis means that any positive lookup for that rule will give the ip a 15 point score.
\nThat will block that attacker ip from the site for 5 days (as  we decrement 3 points per day for a given ip).<\/p>\n
The setvar needs to go after the “capture,…” part of the rule.<\/p>\n
eg<\/p>\n
(don’t copy, paste this, you’ll need to add “setvar:IP.spam=+15” into your existing file)<\/em>
\n# Rule 300040:
\nSecRule ARGS|!ARGS:\/domain\/|!ARGS:description|!ARGS:redirect_to|!ARGS:setting[banemail]|!ARGS:\/username\/|!ARGS:\/user_name\/|!ARGS:\/page_content\/|!ARGS:\/search\/|!ARGS:\/email\/!ARGS:Mensaje|!ARGS:\/product\/|!ARGS:\/domain\/|!ARGS:description$
\n\"capture,setvar:IP.spam=+15<\/strong>,id:300040,rev:7,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Spam: Pharmacy',logdata:'%{TX.0}'\"<\/code><\/p>\n
I added this to appropriate places, and watched for our first victim^Mspammer in our site logs.
\nBingo – here we have a spammer trying to add to a url on one of our sites:<\/p>\n
[23\/Dec\/2010:11:39:45 +0800] [www.chou.cn\/sid#bcf3f338][rid#b339b670][\/gallery\/papratiti\/img_5993.jpg.php][1] Access denied with code 403 (phase 2). Pattern match “(?:buy[-_ ]?(cheap)?[-_ ]?(?:adipex|suboxone|pseudovent|topamax|trazodone|prevacid|zyrtec|xenical|toprol|zoloft…” at ARGS:comment. [file “\/etc\/modsecurity2\/30_asl_antispam.conf”] [line “194”] [id “300061”] [rev “10”] [msg “Atomicorp.com – FREE UNSUPPORTED DELAYED FEED – WAF Rules: Spam: Pharmacy”] [data “xanax”] [severity “CRITICAL”]<\/p>\n
[23\/Dec\/2010:11:43:16 +0800] [www.chou.cn\/sid#bcf3f338][rid#bfac9d68][\/gallery\/papratiti\/img_5993.jpg.php][1] Access denied with connection close (phase 1). Operator GT matched 15 at IP:spam. [file “\/etc\/modsecurity2\/modsecurity_crs_10_config.conf”] [line “40”]<\/p><\/blockquote>\n
Bam, that ip is blocked (for 5 days).\u00a0 Next time around, as its the first rule to run, it will block immediately without processing other rules.<\/p>\n
You can amend the block times by decreasing the increments or scoring as per your requirements.<\/p>\n
All in all, this is an easy amendment to make to the gotroot rules, and makes for faster experience for users.
\nThanks to http:\/\/linux.icydog.net\/apache\/commentspam.php<\/a> for his implementation, this is pretty much based off that.<\/p>\n
Lawrence<\/p>\n","protected":false},"excerpt":{"rendered":"
Comment spam is a big load on servers – recently troubleshooting some intermittent load issues on one of our webservers, I discovered that one page was getting hammered by comment spam abuse – the page had already generated over 400,000 comments, which was causing the server to be slightly unhappy loadwise. After clearing out the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48,25,4],"tags":[297,300,301,298,299],"class_list":["post-633","post","type-post","status-publish","format-standard","hentry","category-exploits","category-technical-mumbo-jumbo","category-useful-info","tag-atomicorp","tag-blocking-comment-spam","tag-latvian-spammers","tag-modsecurity","tag-ruleset"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=633"}],"version-history":[{"count":7,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/633\/revisions"}],"predecessor-version":[{"id":635,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/633\/revisions\/635"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}