Block referer spam easily

I have built this small tutorial because somebody kept requesting different urls on the server with referer spam. The tutorial shows how to block referer spamon a Debian 3.1 server with a apache 2 webserver by using mod_security

Install mod_security

debian21:~# apt-get install libapache2-mod-security
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  mod-security-common
The following NEW packages will be installed:
  libapache2-mod-security mod-security-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 274kB of archives.
After unpacking 737kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://mirrors.sunsite.dk stable/main mod-security-common 1.8.7-1 [240kB]
Get:2 http://mirrors.sunsite.dk stable/main libapache2-mod-security 1.8.7-1 [34,4kB]
Fetched 274kB in 0s (682kB/s)
Selecting previously deselected package mod-security-common.
(Reading database ... 28605 files and directories currently installed.)
Unpacking mod-security-common (from .../mod-security-common_1.8.7-1_all.deb) ...
Selecting previously deselected package libapache2-mod-security.
Unpacking libapache2-mod-security (from .../libapache2-mod-security_1.8.7-1_i386.deb) ...
Setting up libapache2-mod-security (1.8.7-1) ...
Setting up mod-security-common (1.8.7-1) ...
debian21:~#

 

Enable the newly installed module

debian21:~# a2enmod mod-security
Module mod-security installed; run /etc/init.d/apache2 force-reload to enable.
debian21:~#

 

Add this setup to your apache2.conf or your .htaccess file

<ifmodule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 0 255

    # Only log suspicious requests
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    #SecAuditLog logs/audit_log
    # Debug level set to a minimum
    #SecFilterDebugLog logs/modsec_debug_log
    #SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # By default log and deny suspicious requests
    # with HTTP status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Block request with suspicious referers
    SecFilterSelective "HTTP_REFERER" "(holdem|poker|casino|porn)" deny,nolog,status:500
</ifmodule>

 

And then restart apache

debian21:~# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2.
debian21:~#

 

Then run a few test requests to ensure it works as we intended it to

debian21:~# wget http://localhost/ --referer=http://www.holdem.com
--15:33:34--  http://localhost/
           => `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
15:33:34 ERROR 500: Internal Server Error.

debian21:~#

 

It blocks the request just like we thought it would.

 

debian21:~# wget http://localhost/ --referer=http://www.google.com
--15:33:43--  http://localhost/
           => `index.html'
Resolving localhost... 127.0.0.1
Connecting to localhost[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,009 [text/html]

100%[========================================>] 1,009         --.--K/s

15:33:43 (9.62 MB/s) - `index.html' saved [1009/1009]

debian21:~#

 

The request passed right trough as intended ;)

And we are done.
This is only one way of preventing referer spam, some others have done a similar block by using the built-in Linux firewall called iptables. Perhaps more on using iptables as blocking mechanism another time.

The comment form is closed.