Use ModSecurity to block the IP address of spammers


The other day I made a post about how you can create custom Mod_Security rules to block the IP addresses of scrapers and script kiddies. If you aren’t familiar with the basics of Mod Security, how to create your own custom ModSecurity rules, or how to integrate Mod Security with CSF to block IPs, please take a minute to read through that post. If you are familiar with all of those things, read on to see how you can integrate Drupal modules like Spamicide with ModSecurity to capture and block the IP addresses of spammers trying to defile your website.

Use Drupal Modules to pass an IP address to ModSecurity

One of my favorite Drupal modules for fighting spam is Spamicide. Spamicide adds hidden fields to your signup and comment forms that only spambots can “see”. When a spambot sees these fields and clicks or fills them out, the Spamicide module blocks the action. This is great for preventing an automated spammer from creating a fake account or posting spammy comments, but Spamicide does nothing to keep the bots from hammering at your site all day long.

Block those dirty spammers!

Using ModSecurity you can create a custom rule to grab the IP addresses that the Spamicide module blocks, then use CSF to block those IP addresses. Here’s how:

Set up your Spamicide module as needed and make a note of the form field names. You can use the default names or enter your own. Each of these form field names is going to be an argument that you use in your custom Mod Security rules, so you will need to create a separate rule for each form field name.

The Spamicide module configuration page

Creating a custom ModSecurity rule for each of your form field names:

SecRule ARGS:click_here "!^$" \
    "id:'9978999', severity:'3',msg:'Spamicide box checked'"

Line one of this Mod Security rule uses the ARGS: variable to look for your Spamicide field name, in this case “click_here”. The !^$ part is a regular expression that basically says “if this is not empty”.
Line two is the ModSecurity ID that you assign (optional), severity level (optional) and the message that will appear in the logs when this rule is triggered.
The result: Any time ModSecurity sees a field named “click_here” that is not empty (i.e., it’s been clicked), the rule will be triggered. Remember, you will need to create a custom ModSecurity rule for each form field name that you enabled in your Spamicide module settings.
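
The “one rule per field name” step and the match described above, as an added example that is not part of the original post: a Python sketch that writes one rule per Spamicide field and models which form submissions would trip it. The second field name feed_me, the sequential IDs counting up from the page's ID, and the sample form bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Field names as configured in Spamicide; "click_here" is the page's example,
# "feed_me" is a constructed second name for illustration.
FIELDS = ["click_here", "feed_me"]
BASE_ID = 9978999  # the page's rule id; later rules count up from it (assumption)

SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def build_rules(fields, base_id=BASE_ID):
    """Return one SecRule per honeypot field, each with its own id."""
    rules = []
    for offset, name in enumerate(fields):
        if not SAFE_NAME.match(name):
            # Refuse names that would need quoting inside the rule text.
            raise ValueError(f"unsupported field name: {name!r}")
        rules.append(
            f'SecRule ARGS:{name} "!^$" \\\n'
            f"    \"id:'{base_id + offset}',severity:'3',"
            f"msg:'Spamicide box checked ({name})'\""
        )
    return rules


def would_trigger(body, fields):
    """Model of the match: which honeypot fields arrive non-empty.

    An absent field yields no ARGS:<name> variable, so nothing is tested
    and the rule stays silent; a present value matches unless ^$ matches it.
    """
    args = parse_qs(body, keep_blank_values=True)
    return [f for f in fields
            if any(re.search(r"^$", v) is None for v in args.get(f, []))]


# Constructed form bodies: a normal comment, an empty honeypot, a bot.
SAMPLES = {
    "human": "name=alice&comment=hello",
    "empty": "name=alice&click_here=&comment=hello",
    "bot": "name=x&click_here=1&feed_me=http%3A%2F%2Fspam.example&comment=buy",
}

if __name__ == "__main__":
    print("\n".join(build_rules(FIELDS)))
    for label, body in SAMPLES.items():
        print(label, would_trigger(body, FIELDS))
```

Running it prints the generated rules followed by the fields each sample body would trip, which is a quick check that ordinary submissions leave the honeypot fields empty before the rules feed CSF.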

You can then configure CSF as discussed in the post that I linked at the beginning of this article to block the IP address any time that IP address triggers a Mod Security rule more than your preset number of times. And, goodbye spambot!
