In the last month and a half since releasing blacklist_to_modsec, I’ve collected a number of tips, caveats, and notes that will be valuable to anyone who uses blacklist_to_modsec, and in general anyone who wants to use mod_security to prevent website spam.
- Read the ***mod_security documentation|http://www.modsecurity.org/documentation/index.html***. I would highly recommend reading the full reference manual from start to finish. It will help you get the most out of mod_security, and tell you a lot of things you might not otherwise find out.
- It pays to be familiar with the Apache documentation – mod_security is an Apache module, and is configured through Apache config files. So if you know how Apache works, you can be more effective at configuring mod_security. Documentation can be found ***here for Apache 1.x|http://httpd.apache.org/docs/*** and ***here for Apache 2.x|http://httpd.apache.org/docs-2.0/***.
- Consider blocking ‘pinappleproxy’. This is a proxy that many spammers go through. You can do this with the following mod_security rule: SecFilterSelective “HTTP_Via” “pinappleproxy”. Eventually, spammers will stop using this proxy or figure out how to disguise it, but for now this could be helpful.
- Use ‘500’ as your response error code when blocking requests with mod_security: SecFilterDefaultAction “deny,log,status:500”. This makes it look like your script is broken, rather than saying that the spammer was denied or blocked. This may not fool everyone, but it might fool some.
- mod_security will intercept requests even for files that don’t exist. For example, if you have moved or renamed a blog comment script, many spammers will continue trying to attack it. mod_security will parse and intercept all of theese requests, which is totally pointless. Instead, use Apache directives such as to tell mod_security to ignore such scripts:
<Location /mt/mt-comments.cgi>SecFilterEngine Off</Location>
- The mod_security location ‘ARGS’ is a synonym for ‘POST_PAYLOAD|QUERY_STRING’ – so using it as part of your blacklist rule format will ensure that both POST and GET forms are checked.
- Consider upgrading to ***Apache 2.x|http://httpd.apache.org/docs-2.0/*** if possible. It is far more robust and efficient than Apache 1.x, has a better regex engine and better module support, and tends to work much better with mod_security.
- Make sure that when you upgrade blacklist_to_modsec, you run it with the ‘-i’ switch to reinitialize your data files. Also make sure that you double check the user-configurable settings in the script, as they may change after an upgrade.
Let me know if you have any other suggestions, tips, or questions.