(This is my first post in a long time, and first post ever using Gutenberg. It doesn’t suck as hard as I thought!)
Recently I’ve been noticing the referrer “site.ru” showing up in the server logs more and more. At first I thought it was just simple referral spam, but since (as of now at least) the website site.ru is down, that didn’t make sense. So I took a closer look and it looks more like this is a generic bot or script searching for vulnerabilities in PHP files, vulnerable WordPress plugins, etc. A quick sampling of the IP addresses associated with these “site.ru bots” shows that they virtually all come from server farms – so, it was time to block them all.
How To Block site.ru Bots
Because I’m running a server with hundreds of sites, adding a rule to every site’s .htaccess would be a pain, so instead I used Mod_Security, which protects all sites on the entire server with a single rule.
I already had a rule created to block referrer spam, based on a REGEX list of referrers that looked like this:
SecRule REQUEST_HEADERS:REFERER "(?i:(bad-referral|badreferrer2.com|badreferrer3.org))" "phase:1,severity:'3',msg:'Spammy referrer',id:240071"
To make this ModSecurity rule work for this new referrer string, all I would have to do is add “|site.ru” to the list of referrers in the rule. But since I assumed that this list would grow, I decided to modify the rule to read the list from a file instead. Mod_Security can parse and match a large list loaded from a file (the @pmFromFile operator uses a set-based phrase matcher rather than a backtracking regex) 100 times faster than a REGEX list, so I changed the rule a bit so that it reads the list of referrer strings from a file:
SecRule REQUEST_HEADERS:REFERER "@pmFromFile /modsec/referrer-list.conf" "t:lowercase,t:compressWhiteSpace,t:replaceNulls,t:urlDecode,rev:2,phase:1,log,severity:'3',msg:'**Spam Referrer',id:240071"
I then created the file referrer-list.conf in the /modsec directory and added site.ru to the file (one string on each line). I also imported a list of 1500 or so known “bad referrers” I found on the interwebz and added them to the list.
This rule now blocks any request whose Referer header contains any of the strings listed in the referrer-list.conf file and returns an HTTP 406 error to the offending bot. I also have CSF configured so that after a specific IP gets these errors more than a few times, that IP gets blocked at the firewall. A few more hits from the same IP subnet, and that entire subnet also gets blocked. So, no more site.ru spam!
Any time I create a new rule to block anything with Mod_Security, I review everything it blocks for a few days to make sure I’m not accidentally blocking any legit visitors. After reviewing the logs from this new rule for a few days, I’ve found zero false positives: 99% of the IP addresses of the site.ru ‘bots’ belonged to server farms and 100% were attempting to access .PHP files, most in /WP-CONTENT. But I also noticed that out of the over 1,000 “bad” referrers in the list I downloaded, the only other bad referrer I’ve seen come around and get blocked was “uptime.com”. So after a couple of days, this rule has blocked about 500 site.ru bots and about 200 uptime.com bots.
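The log review described above is worth scripting, because a substring phrase list like the one @pmFromFile reads will happily match more than you intended. The following is an added example (not the blog's own code, and not part of Mod_Security or CSF): it replays Apache combined-format access log lines against a referrer list using the same case-insensitive substring semantics as @pm, then summarises hits per client IP (what CSF would eventually firewall), which paths were requested, and every individual match so false positives can be spotted. The log lines, IP addresses and the two-entry list are constructed for the example.

```python
"""Audit helper: replay Apache combined-format access log lines against a
referrer block-list the way the @pmFromFile rule does (case-insensitive
substring match on the Referer header), then summarise which client IPs
and request paths were hit, so the rule can be reviewed for false positives
and repeat offenders (the ones CSF would firewall) stand out.
Added example, not the blog's own code. Log lines and IPs are constructed."""

import re
from collections import Counter

# Constructed block-list: one phrase per line, as in /modsec/referrer-list.conf.
REFERRER_LIST = """\
site.ru
uptime.com
"""

# Apache "combined" log format:
# host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample traffic: three bot hits from one IP, one from another,
# and one legitimate visit that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/foo/bar.php HTTP/1.1" 406 0 "http://site.ru/" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 406 0 "http://SITE.RU/" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 406 0 "http://site.ru/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 406 0 "https://uptime.com/" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/post/ HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0"
"""


def load_phrases(text):
    """Parse the block-list: one phrase per line; blank lines and '#' comments
    are ignored. Lowercased because @pm matching is case-insensitive."""
    return [line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def matched_phrase(referer, phrases):
    """Emulate @pmFromFile: return the first phrase found anywhere inside the
    lowercased Referer, or None. Substring semantics mean 'site.ru' also
    matches a referer like 'mysite.run', which is exactly the kind of
    false positive this audit is meant to surface."""
    ref = referer.lower()
    for phrase in phrases:
        if phrase in ref:
            return phrase
    return None


def audit(log_text, list_text, firewall_threshold=3):
    """Replay each log line against the list and return a summary dict:
    'blocked'     - list of (ip, path, referer, phrase) for every hit
    'hits_per_ip' - Counter of hits by client IP
    'firewall'    - sorted IPs with >= firewall_threshold hits (CSF candidates)
    'paths'       - Counter of requested paths (query string stripped)"""
    phrases = load_phrases(list_text)
    blocked, hits, paths = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip malformed lines rather than abort on a large log
            continue
        phrase = matched_phrase(m["referer"], phrases)
        if phrase is None:
            continue
        path = m["path"].split("?", 1)[0]
        blocked.append((m["ip"], path, m["referer"], phrase))
        hits[m["ip"]] += 1
        paths[path] += 1
    firewall = sorted(ip for ip, n in hits.items() if n >= firewall_threshold)
    return {"blocked": blocked, "hits_per_ip": hits, "firewall": firewall, "paths": paths}


def php_share(result):
    """Fraction of blocked requests aimed at .php files (the post reports 100%)."""
    total = sum(result["paths"].values())
    php = sum(n for p, n in result["paths"].items() if p.lower().endswith(".php"))
    return php / total if total else 0.0


if __name__ == "__main__":
    r = audit(SAMPLE_LOG, REFERRER_LIST)
    for ip, path, ref, phrase in r["blocked"]:
        print(f"{ip:15} {phrase:12} {path}  (Referer: {ref})")
    print("hits per IP:", dict(r["hits_per_ip"]))
    print("would be firewalled:", r["firewall"])
    print(f".php share of blocked requests: {php_share(r):.0%}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and REFERRER_LIST with the contents of referrer-list.conf; anything in the "blocked" listing whose Referer is a site you actually want traffic from is a phrase to remove or tighten in the list.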
How to block a Referrer With .HTACCESS
To block site.ru or uptime.com (or any naughty referrer string) you could put something like this in .htaccess to accomplish the same thing:
RewriteEngine On
RewriteCond %{HTTP_REFERER} site\.ru [NC,OR]
RewriteCond %{HTTP_REFERER} uptime\.com [NC]
RewriteRule .* - [F]
Obviously adding a condition for every new referrer, and doing it on more than one website, would be a pain, which is a great reason to use Mod_Security. Even better to use Mod_Security and integrate it with CSF Firewall.