
mod_security setup

Started by on May 21, 2006 – Contents updated: Aug 27, 2019

May 21, 2006 00:42    

mod_security (http://www.modsecurity.org/) is an open source intrusion detection and prevention engine for web applications. It can also be called a web application firewall. It operates embedded into the web server, acting as a powerful umbrella, shielding applications from attacks.

------

Just one of the things it can do is examine what it calls "post_payloads"; in other words, anything sent via an http_post.

As far as fighting spam goes, that's a godsend because comments and blog registrations are sent via an http_post.

For the last 24 hours, I have been using a variation of this in my .htaccess:


SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective "POST_PAYLOAD" "casino|ritalin|lvitra|lolita|zyban|valtex|vlium"

All comments submitted that contain lvitra, zyban, etc. get a 403.

The results:


[Sat May 20 15:06:33 2006] [error] [client 72.9.236.50] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:20 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:19 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:18 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:17 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:16 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:15 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:14 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:13 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:12 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:11 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:10 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:09 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:08 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:08 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:06 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:06 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:05 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:04 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:03 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php
[Sat May 20 10:38:02 2006] [error] [client 195.175.37.8] client denied by server configuration: /home/****/public_html/vi-comment.php



:D

I'm a firm believer in ripping out the guts of spammers through a small hole in their spine. Short of that opportunity, I really enjoy seeing 403s in my Apache logs.

Check out mod_security @ http://www.modsecurity.org/
There are also more rulesets available @ http://www.gotroot.com/tiki-index.php?page=mod_security+rules

To see if your host has installed mod_security, create a file, and put the following inside of it:

<?php phpinfo(); ?>

Upload that file, rename it to something that ends in .php and open it in your browser. The image attached to this post shows you what to look for.

Like I said, it can do more, but these days, just being one more way to fight spam is enough for me.

I'm using a few other rules but nothing worth mentioning here ;)

Have fun fighting spammers!

---------

This post is intended to let people know that mod_security might be available for them to use. My example is not the only way it can be used to fight spam, just an example of one way. Your own mileage may vary.

May 22, 2006 15:39

whoo wrote:

For the last 24 hours, I have been using a variation of this in my .htaccess:


SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective "POST_PAYLOAD" "casino|ritalin|levitra|lolita|zyban|valtex|valium"

Just one question as I prepare to upgrade to "Sparkle" today: Does this code go in the htaccess in the blog's root directory, or in another directory, i.e. the conf, admin or myskin folder?

May 22, 2006 16:09

BaileyWTNH,

my own "hardened" .htaccess is in the root of my site. If you were feeling especially brave you might want to drop an .htaccess with just the mod_security stuff above into your /htsrv directory, since that's where the file responsible for comment submission lives.

There are several other files that will be affected by the rules in that directory also, however they would be affected all the same if you used the .htaccess in a directory above that (.htaccess files affect child dirs).

Also, please note that, depending on where you employ mod_security, words you include in that list will be restricted completely -- that is, even you will not be able to use them. Your own blog posts are sent via an http_post, so if you want to blog about viagra, or casinos, you might want to keep that in mind.

Clear as mud, I imagine.

May 22, 2006 18:38

Scarily enough, I think I understood that.

May 22, 2006 21:59

I followed your instructions and it works great. Thanks for the guide, whoo!

I might add that my webhost runs php as cgi, so the phpinfo page didn't have an apache section and didn't say that mod_security was enabled, but I had changed a setting with the host, so I knew that it was. When in doubt, ask your web host.

May 23, 2006 10:23

Great, personman! I'm glad to hear that! Did you do the /htsrv directory or web root?

I wanted to add that most of the examples I've found use an error 412 page -- frankly, I really like my 403 though and enjoy the idea that a human spammer might see it, AND I've never seen a 412 in my logs unless I'm looking at the raw logs -- I like the quick looks at my cpanel logs that show me those 403s :)

Also, I should add that I've gotten ONE piece of comment spam in the last 4 days, and it was a word I hadn't added, "pharmacy". Go figure.

I was also seeing the occasional registration that contained spam words, and that has stopped -- I think they're hoping that by registering, they can pass unmoderated comments (which they cannot, anyway). It's catching those too, and I'm blocking one particular tld that seems to be the most popular "fake email addy" for spammer signups.

The /htsrv directory covers blog user registrations as well.

May 23, 2006 15:11

I did have it in my web root, but I just moved it to htsrv so I could be a little more aggressive and not have to worry about catching blog posts.

May 24, 2006 16:01

A lot of spam comes from sites like "something-ag4s.blogspot.com" The thing they have in common is a dash followed by four random characters, then .blogspot.com. I'm not to the point of banning blogspot, but what about something like this:

SecFilterSelective "POST_PAYLOAD" "casino|ritalin|levitra|lolita|zyban|valtex|valium|-[a-z0-9]{4}.blogspot.com"

I haven't tried this because I'm not sure if I'm doing the RegEx correctly. Is my syntax ok?

May 24, 2006 19:40

I can point you to a good way to test it..

check your pm's later today.

actually, on second thought, that's not the way to block that, since if I read correctly, you're talking about a referer. That particular mod_security rule is going to look at content, not referer.

mod_security can be used to check referers though. the gotroot link above contains example rules of how you would do that.

May 24, 2006 20:25

No, actually I was talking about urls in comments. I went ahead and tested it and it seems to work just like I want it to. That rule should stop half of the comment spam before it even touches the php files.

May 24, 2006 20:45

ahhh oke, well that's good then. :)

Jun 12, 2006 19:26

I ran into a bit of a hitch recently; I solved it and thought I might share.

Some of what I wanted to block I wanted to be able to post. The solution was simple

Add the following line:

SecFilterEngine Off

to an .htaccess in b2evolution's /admin directory. When done, you will be able to post content regardless of whether or not it's being blocked via the method I explained above.

PS: the line turns off mod_security for any files accessed within that directory.

Jun 12, 2006 20:39

I've been adding words to this rule and I guess I added one too many. This morning someone couldn't post a comment with the word "Socialist" in it. It was matching "cialis", which is a word in a lot of spam comments. Since this method has the power of regular expressions, I was able to fix it like this:

SecFilterSelective "POST_PAYLOAD" "paxil|diazepam|celebrex|tramadol|phentermine|xanax|ritalin|levitra|lolita|zyban|valtex|valium|[^o]cialis[^t]|-[a-z0-9]{4}.blogspot.com"


Now it only matches "cialis" if it's not in between an o and a t.

Another option would be to surround keywords with [\W] to only match when there's a non-alphanumeric character on either side. So,

[\W]cialis[\W]


would match " cialis ", "cialis.blogspot.com", "www.cialis.com", "buy-cialis.cheap.com", etc. But it wouldn't match "socialist" or any other words that have "cialis" in the middle of them (with other letters on either side).

With regex, the possibilities are really opened up. I'm not very good with regex, but it's already helping me quite a bit.

Jun 12, 2006 20:57

Right you are, EdB. This should cover that, too:

[^oe]cialis[^t]


Or the \W method, although it might let through some false negatives.
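As an added example (not the thread's own config), the keyword styles discussed above and the blogspot URL pattern from the May 24 post are run against constructed POST bodies to show where each one misfires. It assumes a POST_PAYLOAD filter is a case-insensitive PCRE search over the body, which Python's re module reproduces for these constructs; the \b variant is an addition beyond the thread.

```python
import re

# Added example, not the thread's own config. mod_security 1.x SecFilterSelective patterns are PCRE;
# Python's re module behaves the same for the constructs used here. A case-insensitive search is
# assumed, matching how the thread reports "Socialist" tripping a rule for "cialis".
KEYWORD_STYLES = {
    "naive":         r"cialis",                # bare keyword: also hits "Socialist"
    "negated_class": r"[^oe]cialis[^t]",       # the fix proposed in the thread
    "nonword_class": r"[\W]cialis[\W]",        # the \W variant from the thread
    "word_boundary": r"\bcialis\b",            # zero-width anchors (addition, not from the thread)
}
# URL pattern from the May 24 post, with the dots escaped so '.' means a literal dot.
BLOGSPOT = r"-[a-z0-9]{4}\.blogspot\.com"
# Full rule bodies as they would appear in SecFilterSelective "POST_PAYLOAD" "<rule>"
RULES = {name: f"{kw}|{BLOGSPOT}" for name, kw in KEYWORD_STYLES.items()}

# Constructed urlencoded POST bodies; spam_* should be blocked, legit_* should pass.
SAMPLES = {
    "legit_socialist": "comment=The+Socialist+party+won",
    "legit_blogspot":  "url=http://myblog.blogspot.com",
    "spam_in_middle":  "comment=buy+cialis+online",
    "spam_url":        "comment=www.cialis.com",
    "spam_at_start":   "cialis+cheap",          # keyword is the first byte of the body
    "spam_at_end":     "comment=cheap+cialis",  # keyword is the last byte of the body
    "spam_blogspot":   "url=http://foo-ag4s.blogspot.com",
}

def matches(rule, payload):
    """Emulate a POST_PAYLOAD filter: case-insensitive regex search anywhere in the body."""
    return re.search(rule, payload, re.IGNORECASE) is not None

def misclassified(rule):
    """Sample names the rule gets wrong: legit_* blocked (false positive) or spam_* passed (false negative)."""
    return {name for name, body in SAMPLES.items()
            if matches(rule, body) != name.startswith("spam_")}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:14s} wrong on: {sorted(misclassified(rule)) or 'nothing'}")
```

Both `[^oe]cialis[^t]` and `[\W]cialis[\W]` consume one character on each side, so a keyword that is the very first or last byte of the body slips through; `\b` asserts a boundary without consuming anything and avoids that gap.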

Jun 13, 2006 21:32

thought I would share this:


SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective "POST_PAYLOAD" ".ru|marketing|loan|pharmacy|tramadol|pharm|casino|www4|www3|www1|ww2|sex|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia|xanax|mp3|drug|pill|valium"

Since I linked to this thread from the registration spam thread .. notice I block .ru (that takes care of all links, and that includes registration attempts that might attempt to use a .ru email addy).

I'm sure, in fact I know, it's possible to code a way to check email addy content against a list of unwanted tlds but:

My personal thing has been keeping everything consolidated -- in other words, rather than using one file/hack/plugin to do one thing, and another to do something else, and so on, I can use just one: my .htaccess

For what it's worth, since I started using mod_security, I've not gotten ONE spam registration.

Jun 21, 2006 22:13

What kind of log is it that you are using to see how many hits are blocked?

Jun 21, 2006 22:20

That's the apache log. Check with your webhost to see how to view it.
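To get the same quick count of blocked hits that the first post's "results" show, here is an added example (not from the thread) that summarises "client denied by server configuration" lines from an Apache error log per client IP and per path. The log lines, IPs and paths below are constructed for the example.

```python
import re
from collections import Counter

# Constructed error_log lines in the format shown in the first post (IPs from documentation
# ranges, paths made up); one non-matching [notice] line is included to show it is skipped.
SAMPLE_LOG = """\
[Sat May 20 10:38:02 2006] [error] [client 198.51.100.7] client denied by server configuration: /home/site/public_html/vi-comment.php
[Sat May 20 10:38:03 2006] [error] [client 198.51.100.7] client denied by server configuration: /home/site/public_html/vi-comment.php
[Sat May 20 10:40:11 2006] [error] [client 203.0.113.9] client denied by server configuration: /home/site/public_html/htsrv/example.php
[Sat May 20 10:41:00 2006] [notice] Apache configured -- resuming normal operations
[Sat May 20 15:06:33 2006] [error] [client 192.0.2.44] client denied by server configuration: /home/site/public_html/vi-comment.php
"""

# Matches exactly the denial line shape the thread shows; anything else is ignored.
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>\S+)$"
)

def parse_denials(log_text):
    """Yield (timestamp, client ip, path) for every 'client denied' line."""
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("path")

def denials_by_client(log_text):
    """Count denied requests per client IP (Counter, so .most_common() orders them)."""
    return Counter(ip for _, ip, _ in parse_denials(log_text))

def denials_by_path(log_text):
    """Count denied requests per requested script, to see which form is being hammered."""
    return Counter(path for _, _, path in parse_denials(log_text))

if __name__ == "__main__":
    for ip, n in denials_by_client(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip}")
    for path, n in denials_by_path(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {path}")
```

The error log only records that a request was denied; which rule fired and what the payload contained goes to mod_security's own audit log (SecAuditLog), so use that when tuning the keyword list.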

Aug 27, 2019 02:35

I'm getting the mod_security error but it only occurs when I am saving after editing a post. Does anyone have a suggestion that can be implemented in b2evo settings.

Aug 27, 2019 11:46

No really. If you have access to your host a) ask them to 'white rule' the request or b) you may be able to temporarily disable mod-security from your cPanel

You may also like to start a new thread when you get an issue, with version number etc.

There are various files that cause this issue (evoadm.php, for example). Check the URL, and post it with the query.



CMS + forums – This forum is powered by b2evolution CMS, a complete engine for your website.