During the comment spam crisis, before 3.14 was released, my host installed something called modsecurity. I have noticed that ever since it was installed, the comment spam flood I normally experienced turned into a trickle. modsecurity helps with a lot of things. It's good for helping block a lot of script vulnerability attacks like cross-site scripting, bad PHP includes, etc., so there's a good chance it will be installed on your host; if not, ask them.

If you do have modsecurity installed, I will guide you through setting it up so that it blocks comment spam. What is the advantage of modsecurity over MT-Blacklist? mod_security scans the comment before it hits MT-Blacklist or any MT files. To explain it further, you will need to understand how a comment is posted.

With the comment form, when someone clicks the post button, an HTTP request with the POST method is sent, in which the contents of the comment form are "posted" to the comments script. What mod_security does is check the contents of the form values while that POST request is being processed, so it kicks in well before MT-Blacklist.

If you do have mod_security installed, chances are you aren't using it to its full potential to block comment spam. These steps involve editing your .htaccess file, which could potentially take down your user area and, in some extreme cases, the server. I do not advise you go ahead if you do not feel comfortable.

Add this to your .htaccess file

SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
# Stop Comment Spam
SecFilterSelective "POST_PAYLOAD" "movalog.com"

So what does this code do? Let's tackle it line by line.

SecFilterEngine On

This first line starts the mod_security engine.

SecFilterScanPOST On

This next line tells mod_security to scan the body of all forms that are posted (see the explanation of the POST request above).

SecFilterDefaultAction "deny,log,status:403"

This next line sets the default action for any content that matches the filters. This default action denies the comment, logs it in your error log and then sends a 403 (Forbidden) error message to the client.

# Stop Comment Spam
SecFilterSelective "POST_PAYLOAD" "movalog.com"

This next line (and any others you add) serves as your blacklist. mod_security scans all forms submitted with POST, and if the contents of the POST body match any of the blacklist items you have specified, the request is rejected, so the spam comment never even gets near Movable Type.

The modsecurity blacklist is similar to MT-Blacklist: it supports URL strings, URL patterns and regexes. I am not sure of the consequences (if any) of adding hundreds or thousands of blacklist entries. I would advise that most of your modsecurity blacklist additions be URL strings rather than URL patterns/regexes, as this prevents false positives. For example, if you added the following line

SecFilterSelective "POST_PAYLOAD" "poker"

you would be blocking any form submission that contains the word "poker" anywhere in it. If someone types "poker" into the comment form, that comment will be blocked; if you type "poker" into your Entry screen, that entry will be blocked, and so on.

As with MT-Blacklist, this blacklist will also need to be maintained. I personally use the blacklisttomodsec.pl script to populate my mod_security with rules.
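The following is an added example, not the author's setup and not the blacklisttomodsec.pl script. It models the two halves of what the post describes: turning blacklist entries into SecFilterSelective lines, and scanning a raw POST body against them before the comment reaches the application. The blacklist entries and the URL-encoded POST bodies are constructed for the example. Two points it makes explicit that the post only implies: SecFilterSelective patterns are regular expressions, so a literal URL string such as movalog.com should be escaped (otherwise its dot matches any character), and a bare word such as "poker" matches inside legitimate comments. The "pass,log" default action stands in for a logging-only trial run of a new ruleset, which is an assumption about how you would stage rules, not something the post states.

```python
import re

# Constructed blacklist entries (an assumption for this example, not the
# author's real list), in the two kinds the post says the blacklist
# supports: literal URL strings and a regex pattern.
BLACKLIST = [
    ("string", "movalog.com"),
    ("string", "cheap-meds.example"),
    ("regex", r"online-?casino\d*\.example"),
]

# Constructed POST bodies as a browser sends them from the comment form
# (application/x-www-form-urlencoded). This raw text is what
# SecFilterScanPOST inspects, so the URL appears literally, not decoded.
SAMPLE_POSTS = {
    "spam":  "author=guest&text=Nice+blog%21+Visit+http%3A%2F%2Fmovalog.com%2F",
    "spam2": "author=x&text=see+online-casino7.example+now",
    "ok":    "author=Alice&text=I+played+poker+with+friends+last+night.",
}


def to_secfilter_rule(kind, value):
    """Emit one SecFilterSelective line for the .htaccess blacklist.

    The pattern is a regular expression, so a literal URL string is escaped
    first; left unescaped, the '.' in movalog.com would match any single
    character rather than a dot.
    """
    pattern = re.escape(value) if kind == "string" else value
    return f'SecFilterSelective "POST_PAYLOAD" "{pattern}"'


def generate_rules(blacklist):
    """Turn the whole blacklist into .htaccess lines, one per entry."""
    return [to_secfilter_rule(kind, value) for kind, value in blacklist]


def parse_rule(line):
    """Read the pattern back out of a SecFilterSelective line and compile it."""
    match = re.match(r'SecFilterSelective\s+"POST_PAYLOAD"\s+"(.*)"\s*$', line)
    if match is None:
        raise ValueError(f"not a POST_PAYLOAD rule: {line}")
    return re.compile(match.group(1))


def scan_post(payload, rules, default_action="deny,log,status:403"):
    """Check one POST body against the rules the way the filter engine does.

    The first matching rule decides. With 'deny' in the default action the
    request is rejected before Movable Type sees it; with 'pass,log' instead
    (a logging-only trial of a new ruleset) the match is only recorded,
    which is how false positives are found before they block real users.
    """
    actions = default_action.split(",")
    for rule in rules:
        if rule.search(payload):
            verdict = "denied" if "deny" in actions else "logged"
            return verdict, rule.pattern
    return "allowed", None


def run_demo(default_action="deny,log,status:403"):
    """Generate rules from the blacklist and scan every sample post."""
    rules = [parse_rule(line) for line in generate_rules(BLACKLIST)]
    return {name: scan_post(body, rules, default_action)[0]
            for name, body in SAMPLE_POSTS.items()}


def escaping_matters():
    """Why literal strings are escaped: the raw pattern 'movalog.com' also
    matches 'movalogXcom'; the escaped pattern does not."""
    raw = re.compile("movalog.com").search("movalogXcom") is not None
    escaped = re.compile(re.escape("movalog.com")).search("movalogXcom") is not None
    return raw, escaped


if __name__ == "__main__":
    for line in generate_rules(BLACKLIST):
        print(line)
    print(run_demo())            # spam posts denied, the 'ok' comment allowed
    print(run_demo("pass,log"))  # same matches, only logged
    # The bare-word rule from the post: it blocks the legitimate 'ok' comment too.
    print(scan_post(SAMPLE_POSTS["ok"], [parse_rule('SecFilterSelective "POST_PAYLOAD" "poker"')]))
```

Running the script prints the generated rules, then the verdicts under the denying default action and under the logging-only one; the last line shows the "poker" rule rejecting the harmless comment, which is the false positive the post warns about.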

2 Comments

Debra Riley said:
on Oct 18, 2005 12:50 PM

244603: Hey, does anyone know where I can find a list of gas stations with low prices in my area?

mod_security said:
on Feb 1, 2007 8:41 PM

I strongly recommend that everyone puts mod_security in "detection only" mode for a week or two after any ruleset input, just to work out all the false positives...

You do not want legitimate users getting blocked.