Comment SPAM on Multi Site I Kill YOU :)

Hey guys

How I got rid of comment SPAM

First off, I paid these guys to do some security work on my server: http://configserver.com/cp/cpanel.html (the best $125 ever)

Now, after they did all their stuff, I was still getting comment spam.

So I started digging.

1) Apache Configuration – Global Configuration

Start Servers 10

Minimum Spare Servers 20

Maximum Spare Servers 20

Server Limit 266

Max Clients 250

Max Requests Per Child 10000

Keep-Alive On

Keep-Alive Timeout 2

Max Keep-Alive Requests 100

Timeout 40

Don't forget, guys, I have 32 GB of RAM and 4 x 15K SAS drives, so these settings work for us.

2) PHP Configuration Editor

memory_limit 128

max_execution_time 3150

max_input_time 3150

zlib.output_compression Off

3) MySQL

my.cnf: delete it. YES, delete it.

4) Now the good part: how I got rid of comment spam. I KILL YOU :)

4.1) CSF: http://configserver.com/index.html (look for all the free stuff)

ConfigServer Security & Firewall

ConfigServer ModSecurity Control

ConfigServer Explorer

ConfigServer Mail Queues

ConfigServer Mail Manage

Don't forget to add suhosin and ModSecurity to your server setup. The settings out of the box will be fine up to a point; the guys at CSF installed "their" rules for me, and they auto-update as well, so again a cool $125.

Now the tweaks

Now go and edit ConfigServer Security & Firewall – csf v5.56

Edit the configuration file for the csf firewall and lfd

1.1) LF_SUHOSIN = 1 (so one trigger and they are banned)

1.2) LF_SUHOSIN_PERM = 1 (so one trigger and they are blocked)

Log entries:

Jun 19 11:37:33 server2 suhosin[21142]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'comment' (attacker '112.111.188.36', file '/home/blogline/public_html/wp-comments-post.php')

2.1) LF_MODSEC = 1 (so one trigger and they are banned)

2.2) LF_MODSEC_PERM = 1 (so one trigger and they are blocked)

[Tue Jun 19 11:44:17 2012] [error] [client 184.170.145.13] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "61"] [id "390616"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"] [severity "WARNING"] [hostname "bloglines.co.za"] [uri "/wp-signup.php"] [unique_id "T@BJ8a3Bn2IAAHtRBPsAAAAJ"]

3.1) SECTION: Connection Tracking

CT_LIMIT = 65

CT_INTERVAL = 15

CT_PERMANENT = 1

Time:        Tue Jun 19 11:55:16 2012 +0200
IP: 61.241.221.189 (CN/China/-)
Connections: 71
Blocked: Permanent Block

I hope this helps the server admins out in the world.

I am the “server admin” for http://www.bloglines.co.za
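As an added example (not part of the original post, and not csf's or lfd's own code): a small Python script that does, on sample data, what the csf.conf settings above ask lfd to do. It reads suhosin ALERT lines and ModSecurity "Access denied" lines in the formats quoted in the post, counts hits per source IP against LF_SUHOSIN / LF_MODSEC style thresholds (1 = one hit is enough), counts connections per remote IP in netstat-style rows against CT_LIMIT, and prints the `csf -d` (permanent deny) commands for the offenders instead of running them. The log lines, IP addresses, host names and netstat rows are constructed; the assumption that CT blocks when the count exceeds CT_LIMIT (rather than equals it) is mine.

```python
import re
from collections import Counter

# Constructed sample log lines (documentation-range IPs, placeholder host names),
# modelled on the suhosin and ModSecurity 2.x entries quoted in the post.
SAMPLE_LOG = """\
Jun 19 11:37:33 server2 suhosin[21142]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'comment' (attacker '198.51.100.7', file '/home/example/public_html/wp-comments-post.php')
[Tue Jun 19 11:44:17 2012] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "61"] [id "390616"] [rev "2"] [msg "POST request must have a Content-Length header"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-signup.php"] [unique_id "constructed"]
Jun 19 11:45:01 server2 suhosin[21142]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'author' (attacker '198.51.100.7', file '/home/example/public_html/wp-comments-post.php')
[Tue Jun 19 11:46:10 2012] [error] [client 192.0.2.44] ModSecurity: Warning. Pattern match "foo" at ARGS:comment. [id "900000"] [msg "constructed warning, not a block"]
Jun 19 11:47:00 server2 sshd[1234]: Accepted publickey for admin from 192.0.2.1 port 2222 ssh2
"""

# Constructed netstat-style rows: 71 connections from one remote IP, 3 from another.
SAMPLE_NETSTAT = (
    ["tcp 0 0 10.0.0.5:80 203.0.113.9:%d ESTABLISHED" % p for p in range(40000, 40071)]
    + ["tcp 0 0 10.0.0.5:80 192.0.2.44:%d ESTABLISHED" % p for p in range(50000, 50003)]
)

SUHOSIN_RE = re.compile(r"suhosin\[\d+\]: ALERT - (?P<msg>.+?) \(attacker '(?P<ip>[^']+)'")
# Only "Access denied" lines are real blocks; ModSecurity "Warning" lines are ignored.
MODSEC_RE = re.compile(
    r'\[client (?P<ip>[0-9.]+)\] ModSecurity: Access denied with code (?P<code>\d+)'
    r'.*?\[id "(?P<id>\d+)"\]'
)


def parse_events(log_text):
    """Return (source, ip, detail) tuples for suhosin ALERTs and ModSecurity denials."""
    events = []
    for line in log_text.splitlines():
        m = SUHOSIN_RE.search(line)
        if m:
            events.append(("suhosin", m.group("ip"), m.group("msg")))
            continue
        m = MODSEC_RE.search(line)
        if m:
            events.append(("modsec", m.group("ip"), "rule id " + m.group("id")))
    return events


def ips_to_block(events, lf_suhosin=1, lf_modsec=1):
    """Apply per-source hit thresholds in the spirit of LF_SUHOSIN / LF_MODSEC
    (0 disables, 1 means a single hit blocks). Returns {ip: (source, hit_count)}."""
    limits = {"suhosin": lf_suhosin, "modsec": lf_modsec}
    hits = Counter((source, ip) for source, ip, _ in events)
    blocked = {}
    for (source, ip), count in hits.items():
        if limits[source] > 0 and count >= limits[source]:
            blocked[ip] = (source, count)
    return blocked


def ct_offenders(netstat_lines, ct_limit=65):
    """Count connections per remote IP (5th netstat column) and return those over
    CT_LIMIT. Assumption: a count strictly greater than the limit triggers."""
    per_ip = Counter()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        remote_ip = parts[4].rsplit(":", 1)[0]
        per_ip[remote_ip] += 1
    return {ip: n for ip, n in per_ip.items() if n > ct_limit}


def csf_commands(log_blocks, ct_blocks):
    """Build the 'csf -d IP comment' (permanent deny) commands; returned, not executed."""
    cmds = []
    for ip, (source, n) in sorted(log_blocks.items()):
        cmds.append('csf -d %s "lfd: %d %s hit(s)"' % (ip, n, source))
    for ip, n in sorted(ct_blocks.items()):
        cmds.append('csf -d %s "lfd: %d connections (CT_LIMIT)"' % (ip, n))
    return cmds


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for cmd in csf_commands(ips_to_block(events), ct_offenders(SAMPLE_NETSTAT)):
        print(cmd)
```

Run against real logs by feeding `/var/log/messages` (suhosin) and the Apache error log (ModSecurity) into `parse_events`, and the output of `netstat -tn` into `ct_offenders`; raising `lf_suhosin` / `lf_modsec` above 1 shows how quickly a single false positive from a rule set would lock out a legitimate visitor under the one-hit settings used in the post.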