Comment SPAM on Multi Site I Kill YOU :)

Hey guys

How I got rid of Comment SPAM

First off I paid these guys to do some securing work on my server http://configserver.com/cp/cpanel.html (the best $125 ever)

Now after they did all their stuff I was still getting Comment Spam

SO I started digging

1) Apache Configuration - Global Configuration

Start Servers 10
Minimum Spare Servers 20
Maximum Spare Servers 20
Server Limit 266
Max Clients 250
Max Requests Per Child 10000
Keep-Alive On
Keep-Alive Timeout 2
Max Keep-Alive Requests 100
Timeout 40

Don't forget guys, I have 32 GB of RAM and 4 x 15K SAS drives so these settings work for us

2) PHP Configuration Editor

memory_limit 128
max_execution_time 3150
max_input_time 3150
zlib.output_compression Off

3) MySQL

my.cnf delete it YES delete it

4) Now The Good Part: how I got rid of Comment Spam I KILL YOU :)

4.1) CSF http://configserver.com/index.html look for all the free stuff

ConfigServer Security & Firewall
ConfigServer ModSecurity Control
ConfigServer Explorer
ConfigServer Mail Queues
ConfigServer Mail Manage

Don't forget to add suhosin and ModSecurity to your server setup. The settings out of the box will be fine up to a point; the guys at CSF installed "their" rules for me and they auto update as well, so again a cool $125.

Now the tweaks
Now go and edit ConfigServer Security & Firewall - csf v5.56
Edit the configuration file for the csf firewall and lfd

1.1) LF_SUHOSIN = 1 (so one trigger and they are banned)
1.2) LF_SUHOSIN_PERM = 1 (so one trigger and they are blocked permanently)
Log entries:
Jun 19 11:37:33 server2 suhosin[21142]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'comment' (attacker '112.111.188.36', file '/home/blogline/public_html/wp-comments-post.php')

2.1) LF_MODSEC = 1 (so one trigger and they are banned)
2.2) LF_MODSEC_PERM = 1 (so one trigger and they are blocked permanently)
[Tue Jun 19 11:44:17 2012] [error] [client 184.170.145.13] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "61"] [id "390616"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"] [severity "WARNING"] [hostname "bloglines.co.za"] [uri "/wp-signup.php"] [unique_id "T@BJ8a3Bn2IAAHtRBPsAAAAJ"]

3.1) SECTION:Connection Tracking

CT_LIMIT = 65
CT_INTERVAL = 15
CT_PERMANENT = 1

Time:        Tue Jun 19 11:55:16 2012 +0200
IP:          61.241.221.189 (CN/China/-)
Connections: 71
Blocked:     Permanent Block
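To show what the three csf/lfd settings above actually decide on, here is an added example (my own illustration, not csf/lfd code): it parses suhosin ALERT lines and ModSecurity "Access denied" lines in the formats shown above, counts triggers per source IP, and applies the LF_SUHOSIN = 1, LF_MODSEC = 1 and CT_LIMIT = 65 thresholds. The log lines and IPs are constructed samples (RFC 5737 documentation addresses), and the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample log lines in the same formats as the post (placeholder IPs).
SAMPLE_LOG = """\
Jun 19 11:37:33 server2 suhosin[21142]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'comment' (attacker '192.0.2.10', file '/home/example/public_html/wp-comments-post.php')
[Tue Jun 19 11:44:17 2012] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "390616"] [msg "POST request must have a Content-Length header"] [uri "/wp-signup.php"]
Jun 19 11:38:01 server2 suhosin[21142]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'comment' (attacker '192.0.2.10', file '/home/example/public_html/wp-comments-post.php')
Jun 19 11:39:00 server2 sshd[100]: Accepted publickey for admin from 203.0.113.2
"""

# Source IP extraction for the two log formats the post quotes.
SUHOSIN_RE = re.compile(r"suhosin\[\d+\]: ALERT - .*?\(attacker '([\d.]+)'")
MODSEC_RE = re.compile(r"\[client ([\d.]+)\] ModSecurity: Access denied")

# Thresholds mirroring the csf settings in the post: block after a single
# suhosin or ModSecurity trigger, and when concurrent connections exceed CT_LIMIT.
LF_SUHOSIN = 1
LF_MODSEC = 1
CT_LIMIT = 65


def count_triggers(log_text):
    """Return (suhosin_counts, modsec_counts): Counters keyed by source IP."""
    suhosin, modsec = Counter(), Counter()
    for line in log_text.splitlines():
        m = SUHOSIN_RE.search(line)
        if m:
            suhosin[m.group(1)] += 1
            continue
        m = MODSEC_RE.search(line)
        if m:
            modsec[m.group(1)] += 1
    return suhosin, modsec


def ips_to_block(log_text, connections=None):
    """Map IP -> reason for every IP that crossed a threshold (first reason wins).

    `connections` is an optional {ip: concurrent_connection_count} snapshot,
    standing in for what csf's connection tracking would observe.
    """
    suhosin, modsec = count_triggers(log_text)
    blocked = {}
    for ip, n in suhosin.items():
        if n >= LF_SUHOSIN:
            blocked.setdefault(ip, "suhosin")
    for ip, n in modsec.items():
        if n >= LF_MODSEC:
            blocked.setdefault(ip, "modsec")
    for ip, n in (connections or {}).items():
        if n > CT_LIMIT:
            blocked.setdefault(ip, "connection tracking")
    return blocked
```

Run it against your own /var/log/messages and Apache error_log to see which IPs lfd would have acted on; unrelated lines (like the sshd one in the sample) are ignored.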

I hope this helps the server admins out in the world.

I am the "server admin" for http://www.bloglines.co.za