Docs/SysAdmin/Security/WebAttacks

From Mandriva Community Wiki


Referrer Comment Spam

If you operate a blog using APXS, the modular version of the Apache software included with Mandriva Linux, there are three main ways to block comment and referrer spam with Apache: Apache directives, .htaccess rules, and mod_security.

Apache directives

You can set up an Apache environment variable that is triggered when a referrer URL contains a particular keyword, and then block access based on that variable. First, add a line that sets the environment variable based on keywords:

SetEnvIfNoCase Referer ".*(keyword1|keyword2|keyword\.com|etc.).*" BadReferrer

Then, you set access based on this environment variable:

#Site settings
<Directory "/var/www/html/directory">
    # Evaluate Allow first, then Deny, so the Deny line overrides "Allow from all"
    Order Allow,Deny
    Allow from all
    Deny from env=BadReferrer
</Directory>

Now, when someone tries to enter the site using a referrer that contains a prohibited keyword, they will get a 403 forbidden error.

.htaccess rules

Simply add lines such as these to your .htaccess file inside the main site directory.

# The rewrite engine must be switched on for the conditions below to take effect
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^(.*).keyword1(.*)$ [OR]
RewriteCond %{HTTP_REFERER} ^(.*).key(.*)-word(.*)$ [OR]
RewriteCond %{HTTP_REFERER} ^(.*)keyword2(.*) [OR]
RewriteCond %{HTTP_REFERER} ^(.*)keyword3.(.*) [OR]
RewriteCond %{HTTP_REFERER} ^(.*)keyword\.com(.*) [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?keyword4.*$
# Send matching requests elsewhere with an external redirect
RewriteRule .* http://www.thispagecannotbedisplayed.com/ [R,L]

mod_security rules

This is a commonly chosen method, as it is very effective and gives you unlimited options in how to deal with troublemakers.

Add a line inside the /etc/httpd/conf.d/82_mod_security.conf file like this:

SecFilterSelective "HTTP_REFERER" "(keyword1|keyword2|key\.word\.3|etc)" "deny,log,status:403"

This forbids access. Change "status:403" to "redirect:http://127.0.0.1" to redirect the request to localhost on the originating machine. You can also try redirecting to a nonsense unroutable address like 192.168.52.142 if you want to let them spin their wheels waiting for a timeout.

Also, for some sites that are hitting your system especially hard, you can do a redirect back to the upstream host and let them feast on some of the referrer spam that their customers are dishing out.

To deal with comment spam, add a line like:

SecFilterSelective "POST_PAYLOAD" "(keyword1|keyword2|key\.word\.3|etc)" "deny,log,status:403"

This works the same way as the referrer rule, but it blocks comment spam.
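To confirm that whichever rule you deployed is really rejecting the spam, audit the access log for requests whose Referer matches your keywords but were not answered with 403. The script below is an added example, not part of the original wiki page; it assumes Apache's "combined" log format, and the keyword list, the `audit` helper and the log lines are constructed placeholders.

```python
import re

# Hypothetical blocklist, same alternation style as the SetEnvIfNoCase line.
BAD_REFERRER = re.compile(r"(keyword1|keyword2|keyword\.com)", re.IGNORECASE)

# Statuses that count as "blocked"; add "302" if you use the redirect variants.
BLOCK_STATUSES = {"403"}

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def audit(lines):
    """Return (blocked, leaked): entries with a bad Referer, split by response status."""
    blocked, leaked = [], []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        if BAD_REFERRER.search(m["referer"]):
            target = blocked if m["status"] in BLOCK_STATUSES else leaked
            target.append(m.groupdict())
    return blocked, leaked

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2006:13:55:36 +0200] "GET /blog/ HTTP/1.1" 403 287 '
    '"http://www.keyword1-pills.example/" "Mozilla/4.0"',
    # Upper-case referrer: a case-sensitive pattern would let this one through.
    '203.0.113.9 - - [10/Oct/2006:13:56:01 +0200] "GET /blog/ HTTP/1.1" 200 5120 '
    '"http://KEYWORD.COM/win" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2006:13:57:12 +0200] "GET /blog/post HTTP/1.1" 200 7301 '
    '"http://www.example.org/links" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2006:13:58:40 +0200] "GET /blog/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, leaked = audit(SAMPLE_LOG)
    print(f"blocked: {len(blocked)}, leaked: {len(leaked)}")
    for entry in leaked:
        print(f"  not blocked: {entry['host']} {entry['status']} {entry['referer']}")
```

A non-empty "leaked" list usually means a rule is not being applied to that directory or that a case-sensitive pattern (for example a RewriteCond without the [NC] flag) missed a mixed-case referrer.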
