11.14.06
Using Mod_security To Shield Movable Type
By Jeremy D. Zawodny
I recently noticed an upswing in the traffic my blog gets from comment spam bots.
They're never successfully able to post comments, of course, but it still results in a lot of hits to the Movable Type script that handles comment submissions: mt-comments.cgi
Notice the "cgi" there? That's right. This is an old-school stand-alone Perl CGI script. I'm not running it under mod_perl, so for each request Apache must fork() and exec() to start the Perl interpreter. Then Perl has to parse and compile the script, along with all of its supporting modules.
This all culminates in an error message back to the spam bot--a message that is surely discarded. In short, it's a lot of effort to tell a spam bot to go f--- off. And it causes my 4-year-old web server to strain at times.
So I decided to add a new layer to my defenses recently. I added mod_security to my Apache setup and crafted a few rules to combat most of the poorly written bots as well as those that are slightly more well designed.
You see, mod_security provides a decent framework for request filtering within Apache. You can craft all sorts of rules to validate input and check various conditions before control continues in the request handling.
Here are a few of the rules I use:
SecFilterSelective REQUEST_METHOD "^GET$" chain
SecFilterSelective REQUEST_URI "^/mt/mt-comments.cgi"
That basically looks for GET requests attempting to access the comments script. Even though the only references on my entire site to mt-comments.cgi are in forms that specify POST, some bots try to use GET anyway. This is a simple way to guard against them.
A keen observer might point out that I should write a rule that allows only POST requests, rather than denying GETs. You never know when someone might try to use PUT requests or something equally useless.
# Don't allow POST to mt-comments.cgi without 'jeremy'
SecFilterSelective REQUEST_URI "^/mt/mt-comments.cgi" chain
SecFilterSelective POST_PAYLOAD "!jeremy" "redirect:jeremy.zawodny.com/comments-jeremy.html"
That rule doesn't allow anyone to hit mt-comments.cgi unless the POST payload (the data being submitted) contains the string "jeremy" (case-insensitive). The custom field I've added to the comment form on all my blog entries requires that you type my name anyway, but this pushes a loose version of that check into Apache itself.
This rule will let requests through that contain my name anywhere (in the comments, the name, the URL, whatever), but that doesn't concern me. The few that do make it through will still be checked by the Perl code anyway.
Rather than merely returning an error code, I redirect the bot to a page that tells them what was wrong--just in case it's a human, not a bot.
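The same two checks written in ModSecurity 2.x SecRule syntax, as an added example that is not from the original post (the SecFilterSelective directives above are the older 1.x syntax, which 2.x dropped). The rule ids and the redirect host are placeholders, and the first rule follows the suggestion in the text of permitting only POST rather than denying GET.

```apache
# Added example, not the original post's configuration. Rule ids and the
# redirect URL are placeholders to adapt to your own site.
SecRuleEngine On
# Needed so the request body is available to phase 2 rules.
SecRequestBodyAccess On

# Rule 1: only POST may reach the comment script. In a chain, the
# disruptive action (deny) on the first link fires only when every
# link matches, so this denies any non-POST method to the script,
# covering PUT and friends as well as GET.
SecRule REQUEST_URI "@beginsWith /mt/mt-comments.cgi" \
    "id:100001,phase:1,deny,status:405,log,msg:'non-POST to mt-comments.cgi',chain"
    SecRule REQUEST_METHOD "!@streq POST"

# Rule 2: a POST whose body does not contain the required name anywhere
# is redirected to an explanatory page instead of starting Perl at all.
# REQUEST_BODY is populated for application/x-www-form-urlencoded posts,
# which is what the Movable Type comment form sends; t:lowercase makes
# the check case-insensitive, matching the 1.x behaviour described above.
SecRule REQUEST_URI "@beginsWith /mt/mt-comments.cgi" \
    "id:100002,phase:2,redirect:http://example.com/comments-jeremy.html,log,msg:'comment POST without required token',chain"
    SecRule REQUEST_BODY "!@contains jeremy" "t:lowercase"
```

Because the match is against the whole body, a comment that merely mentions the name anywhere still passes, exactly as with the original rule; the Perl side remains the authoritative check.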
Results
The results are encouraging. I've been running this setup for about 3 days now and I've blocked over 1,000 attempts. No unusual complaints have come in from would-be commenters so far.
Further Reading
I first learned of mod_security from a couple of ONLamp.com articles:
Introducing mod_security
Securing Web Services with mod_security
In addition to providing a good introduction, they also provide some useful rules to plug into your configuration. I've used a handful of them in my setup, but I omitted them in the examples above.
About the Author: Jeremy Zawodny is the author of the popular Jeremy Zawodny's blog. Jeremy is part of the Yahoo search team and frequently posts in the Yahoo! Search blog as well.