Use Mod Security To Block IP Address Based On A Word List

Mod Security is both powerful and flexible in the ways that you can use it to stop spammers, scrapers and even trolls.  Not only can you stop them from posting or accessing a web page, but by integrating Mod Security with CSF, you can block their IP address indefinitely.  If you aren’t familiar with the basics of Mod Security or how to use it with CSF to block IP addresses, see this post: Use Mod Security to block IP addresses.

Not long ago I explained how you can use Mod Security to catch and block spammers by passing information from Drupal to Mod Security.  In this post I will show you how to create a single text file of ‘blacklist words’ that, whenever used, will block access to your website.  These words can be anywhere: in a comment, in a forum topic, in a browser agent string, in a referral – anywhere!   This can be useful for blocking a spammer who always spams the same URL, a scraper by its browser agent ID, referrals from a bad website, or even spammy keywords that keep showing up over and over.

Because of the broad and indiscriminate power of this type of Mod Security rule you have to use it with extreme caution. Be sure to keep a close eye on your logs after creating the rule or adding any new words to your ‘blacklist’ to make sure that you aren’t accidentally blocking real humans.

The Mod Security Blacklist Keyword Rule:

This rule is actually very simple.  It will define your blacklist of words (blacklist.txt), which should be placed where Mod Security can read it (/etc/modsecurity should work), and define what to do when there are any matches to the blacklist. In our case, we want to trigger a block.

This is the Mod Security rule:

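# Inspect request arguments plus the User-Agent and Referer headers; deny and log on any blacklist match.
SecRule ARGS|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile blacklist.txt" \
"phase:2,deny,log,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:880005,severity:2,msg:'Blacklisted word!'"

The first line names what to inspect (request arguments, plus the User-Agent and Referer headers) and defines your blacklist file (blacklist.txt).  The second line sets the action (deny the request and log it), defines how to deal with blanks and text (all lowercase), and sets the message that will show in your logs when the rule is triggered, in this case “Blacklisted word!”.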

Add this rule to an existing ruleset (or define it as a new one), add your naughty words to your blacklist.txt file and upload it, restart Apache, and watch your logs.
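
Because the match is a plain substring match, it helps to dry-run a new blacklist.txt against values real visitors send before uploading it, which is the caution about blocking real humans in practice. The Python sketch below is an added example, not part of the original post or of Mod Security itself; the blacklist entries and sample values are constructed, and transform() only approximates the rule's transformations.

```python
import html
import re
from urllib.parse import unquote

# Constructed blacklist in the one-phrase-per-line layout of blacklist.txt.
BLACKLIST_TXT = """\
# spam keywords
cialis
spam-pills.example
examplescraperbot
"""

# Constructed request values: (where the value came from, raw value).
SAMPLES = [
    ("comment", "Buy now at http://SPAM-PILLS.example/offer"),
    ("comment", "cheap%20C%49ALIS here"),
    ("comment", "I saw a heart specialist last week."),
    ("user-agent", "ExampleScraperBot/1.0"),
    ("comment", "Great post, thanks for sharing!"),
]

def load_phrases(text):
    """One phrase per line; blank lines and '#' comment lines are skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [ln.lower() for ln in lines if ln and not ln.startswith("#")]

def transform(value):
    """Approximate the rule's t: chain, in the order the rule lists it."""
    value = value.replace("\x00", " ")    # t:replaceNulls
    value = html.unescape(value)          # t:htmlEntityDecode
    value = unquote(value)                # t:urlDecodeUni (plain %XX only)
    value = re.sub(r"\s+", " ", value)    # t:compressWhiteSpace
    return value.lower()                  # t:lowercase

def dry_run(phrases, samples):
    """Return (source, raw value, matched phrases) for each sample that would trigger."""
    hits = []
    for source, raw in samples:
        cooked = transform(raw)
        matched = [p for p in phrases if p in cooked]  # substring match, like @pm
        if matched:
            hits.append((source, raw, matched))
    return hits

if __name__ == "__main__":
    for source, raw, matched in dry_run(load_phrases(BLACKLIST_TXT), SAMPLES):
        print(f"{source:<10} {matched} <- {raw!r}")
```

The third sample is the one to watch for: “specialist” contains “cialis”, so a genuine comment would trigger the rule.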

Happy spammer/scraper catching!
