Tag Archives: mod_security

Blocking comment spam with mod_security

I’ve mentioned before that I use mod_security to (partially) prevent comment spam on this site. The trouble with spam is that it evolves, so it’s a constant arms race.

I’ve noticed in the last few months that the spam on this site typically has a URL as the comment name. There’s also a URL field in the comment form, with a note on it that you shouldn’t fill it out, so a real visitor leaves it empty and a bot that fills in every field gives itself away. Then, in httpd.conf, I have the following.

# Working directories for persistent data and temporary files
SecDataDir /tmp
SecTmpDir /tmp
# Needed so that ARGS includes fields from the POST body
SecRequestBodyAccess On
# Any rule below that matches denies the request with a 406; t:lowercase makes the patterns case-insensitive
SecDefaultAction log,deny,status:406,capture,phase:2,t:lowercase

# Reject comments where the name contains a URL
SecRule ARGS:comment_name "https?://"

# Also, reject comments where the url field contains a URL
SecRule ARGS:comment_url "https?://"

Note that this config is specific to the Habari blogging platform. You’d need to tweak the names of the fields (comment_name and comment_url) for whatever blogging platform you’re using.

I haven’t had any spam since putting this in place, but I’ve had several legitimate comments that, ordinarily, would probably have gotten lost in the noise of moderating hundreds of spam messages.

I don’t believe for a moment that this is a permanent solution, but it at least stems the flood for a moment so I can catch my breath.

I also have a bunch of legacy rules, like:

SecRule ARGS "(zoloft|acyclovir|zithromax)" "msg:'Pharm spam'"

(which, ironically, prevented me from publishing this article until I disabled it, because ARGS matches every field, including the post body!) but those require constant maintenance as the spam trends shift from week to week.
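To make the behaviour of the rules above concrete, here is an added example (not part of the original post or of mod_security itself) that evaluates constructed comment submissions the way the config does: lowercase each argument, deny with 406 on the first matching rule, and otherwise accept. It also reproduces the false positive from the legacy ARGS rule, since that rule inspects every field rather than just the name and url. Field names follow Habari as on the page; the sample bodies and the hostname spam.example are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed equivalents of the page's three SecRule lines. A selector of
# None stands for ARGS (every request argument); a name selects ARGS:name.
RULES = [
    ("comment_name", r"https?://", "URL in comment name"),
    ("comment_url", r"https?://", "URL in honeypot url field"),
    (None, r"(zoloft|acyclovir|zithromax)", "Pharm spam"),
]

def evaluate(body, rules=RULES):
    """Return (status, msg) for a URL-encoded POST body.

    Mirrors SecDefaultAction log,deny,status:406,...,t:lowercase: each value
    is lowercased before the pattern runs, and the first matching rule denies
    with 406 and stops further processing. No match returns (200, None).
    """
    args = parse_qs(body, keep_blank_values=True)
    for selector, pattern, msg in rules:
        if selector is None:
            values = [v for vs in args.values() for v in vs]
        else:
            values = args.get(selector, [])
        regex = re.compile(pattern)
        if any(regex.search(v.lower()) for v in values):
            return 406, msg
    return 200, None

# Constructed sample submissions; field names follow Habari as on the page.
LEGIT = "comment_name=Alice&comment_url=&comment_content=Nice+post"
SPAM_NAME = "comment_name=HTTP%3A%2F%2Fspam.example&comment_url=&comment_content=hi"
HONEYPOT = "comment_name=Bob&comment_url=https%3A%2F%2Fspam.example&comment_content=hi"
# The false positive from the post: a legitimate body that merely mentions a drug name.
ARTICLE = "comment_name=Carol&comment_url=&comment_content=Rules+matching+zoloft+need+care"

if __name__ == "__main__":
    for label, body in [("legit", LEGIT), ("spam_name", SPAM_NAME),
                        ("honeypot", HONEYPOT), ("article", ARTICLE)]:
        print(label, evaluate(body))
    # Dropping the legacy ARGS rule lets the article through.
    print("article without legacy rule", evaluate(ARTICLE, RULES[:2]))
```

Passing only the first two rules to evaluate() shows that the URL checks alone would have let the article through; the broad ARGS keyword rule is what blocked it.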

Review: Modsecurity Handbook, by Ivan Ristic

mod_security Handbook

I’ve finally finished reading Ivan Ristic’s new book, ModSecurity Handbook, published by Feisty Duck. Ivan is the brain behind mod_security. By the way, if you’re not using mod_security on your Apache server, you should be. And this is the book to tell you how to use it.

Ivan sent me a few early releases of the book, and about a month ago I received the first print edition.

This book is what you’ve been waiting for if you use mod_security. (And, as I mentioned, if you’re not using it, you should be.) The documentation for mod_security has long been frustrating. Even where it was complete and informative, you just didn’t know where to start.

This book is where to start.

The first two-thirds of the book is written in tutorial fashion, walking you through tasks from installation to complex scripting. Chapter 6 gives a great description of writing rules, and Chapter 9 gives numerous practical examples which flesh out what goes before. I always learn best by example, so these examples and the accompanying explanations make the earlier academic learning more meaningful to me.

Chapter 8 is about persistent storage of data. I’ve long been interested in this area of mod_security, and have had many times when I needed it and didn’t understand the docs on it. Ivan makes it much clearer than I’ve seen it presented before. I’ll be looking back at this the next time the need arises to do this kind of thing.

The last third of the book is the reference manual. I’m a big fan of having the reference manual in printed format, although it does run the risk of being out of date quickly.

This book is constantly updated, so you can always obtain the latest version. However, it’s unlikely that I’ll be buying a new paper book each time there’s a new release of mod_security. This book is also available in electronic format, and if you buy the ebook, you get updates to it as part of your purchase price. That’s pretty cool.

On the whole, this book is a long-awaited resource, and is very well written, by the person who knows the topic best. Highly recommended. You should go get a copy right away.