I have built this small tutorial because somebody kept requesting different URLs on the server with referer spam. The tutorial shows how to block referer spam on a Debian 3.1 server with an Apache 2 web server by using mod_security.
Install mod_security
debian21:~# apt-get install libapache2-mod-security
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  mod-security-common
The following NEW packages will be installed:
  libapache2-mod-security mod-security-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 274kB of archives.
After unpacking 737kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://mirrors.sunsite.dk stable/main mod-security-common 1.8.7-1 [240kB]
Get:2 http://mirrors.sunsite.dk stable/main libapache2-mod-security 1.8.7-1 [34,4kB]
Fetched 274kB in 0s (682kB/s)
Selecting previously deselected package mod-security-common.
(Reading database ... 28605 files and directories currently installed.)
Unpacking mod-security-common (from ./mod-security-common_1.8.7-1_all.deb) ...
Selecting previously deselected package libapache2-mod-security.
Unpacking libapache2-mod-security (from ./libapache2-mod-security_1.8.7-1_i386.deb) ...
Setting up libapache2-mod-security (1.8.7-1) ...
Setting up mod-security-common (1.8.7-1) ...
debian21:~#
Enable the newly installed module
debian21:~# a2enmod mod-security
Module mod-security installed; run /etc/init.d/apache2 force-reload to enable.
debian21:~#
Add this setup to your apache2.conf or your .htaccess file
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
#SecAuditLog logs/audit_log
# Debug level set to a minimum
#SecFilterDebugLog logs/modsec_debug_log
#SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
# Block request with suspicious referers
SecFilterSelective "HTTP_REFERER" "(holdem|poker|casino|porn)" deny,nolog,status:500
</IfModule>
And then restart apache
debian21:~# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2.
debian21:~#
Then run a few test requests to ensure it works as we intended it to
debian21:~# wget http://localhost/ --referer=http://www.holdem.com
--15:33:34--  http://localhost/
           => `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
15:33:34 ERROR 500: Internal Server Error.
debian21:~#
It blocks the request just like we thought it would.
debian21:~# wget http://localhost/ --referer=http://www.google.com
--15:33:43--  http://localhost/
           => `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,009 [text/html]
100%[========================================>] 1,009         --.--K/s
15:33:43 (9.62 MB/s) - `index.html' saved [1009/1009]
debian21:~#
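Two wget requests only prove the rule fires; to see what it would reject in real traffic, the same pattern can be run over an existing access log. The script below is an added example, not part of the original tutorial: the log lines are constructed, the function names are made up for illustration, and the -i flag assumes mod_security 1.x matches case-insensitively.

```sh
#!/bin/sh
# Added example: dry-run of the tutorial's Referer pattern over an access log.
# Same regex as the SecFilterSelective rule in the configuration.
PATTERN='(holdem|poker|casino|porn)'

# Constructed sample lines in Apache "combined" log format (not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Oct/2005:15:33:34 +0200] "GET / HTTP/1.0" 500 605 "http://www.holdem.com" "Wget/1.9.1"
203.0.113.5 - - [10/Oct/2005:15:33:40 +0200] "GET /a HTTP/1.0" 500 605 "http://www.holdem.com" "Wget/1.9.1"
198.51.100.7 - - [10/Oct/2005:15:33:43 +0200] "GET / HTTP/1.0" 200 1009 "http://www.google.com" "Wget/1.9.1"
192.0.2.9 - - [10/Oct/2005:15:34:01 +0200] "GET / HTTP/1.0" 200 1009 "http://blog.example.org/charity-poker-night" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2005:15:34:05 +0200] "GET / HTTP/1.0" 200 1009 "-" "Mozilla/5.0"
EOF
}

# Print the Referer of each log line on stdin. Splitting on the double quote
# puts the Referer in field 4; the check on field 3 (" status bytes ") skips
# lines whose request contains an escaped quote and would shift the fields.
extract_referers() {
    awk -F'"' 'NF >= 7 && $3 ~ /^ [0-9][0-9][0-9] [0-9-]+ $/ && $4 != "-" { print $4 }'
}

# Print "count referer" for each distinct Referer the pattern matches.
# -i assumes mod_security 1.x matches case-insensitively; drop it otherwise.
would_block() {
    extract_referers | grep -Ei -- "$PATTERN" |
        awk '{ n[$0]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# Demo on the sample; for real data: would_block < /var/log/apache2/access.log
sample_log | would_block
```

The blog.example.org line shows that the pattern is a substring match, so an ordinary page that merely mentions one of the words in its URL is rejected too. Because the rule uses nolog, a review like this over the access log is the only record of what was turned away.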
And we are done.
This is only one way of preventing referer spam. Some others have done a similar block by using iptables, the built-in Linux firewall. Perhaps more on using iptables as a blocking mechanism another time.