Banning pesky guestbook spammers


Post by YoDude9999 » Wed Nov 22, 2006 3:08 am

Hi all, my first post on this forum so please bear with me here.

I host my own site from my computer at home and am running Apache 2.2.
My site URL is a very public one in nature as I belong to another forum and have it listed in my sig so users can get to the site easily.

Unfortunately this is also a very public location for those pesky robots that attack guestbooks relentlessly. I've noticed that a lot of the robots have IP addresses that don't resolve to a server name and for those I have a portion of my guestbook CGI script that will automatically ban them by adding all unresolved IP addresses to a .htaccess file located in the guestbook subdirectory using the form of:

Deny from 192.168.0.2 (as an example)

and this seems to work pretty well for those unresolved addresses. The only downsides I see to using this method are the possibility of an actual user getting banned and that the IP addresses keep stacking up in the .htaccess file, which is starting to get somewhat large. Using this method, only unresolved IP addresses get banned for the guestbook. This method does not ban any IP address from the rest of the site, just from the guestbook and this is by design.

On the other hand, I get the IPs that DO resolve to something like:

p1174-ipbf407sapodori.hokkaido.ocn.ne.jp
d-211-14-250-026.d-cable.katch.ne.jp
usr049.pial012-02.wpb.im.wakwak.ne.jp

The only common thing about these IP addresses is that these in particular all are coming from Japan (.jp).

I have tried using rewrite to ban these robots, but I'm either just not "getting it" or what I want to do may not be possible. I've been trying to write some conditions and rules to filter these types of addresses with no success at all. Looking at the addresses, they all end with .jp

Is there a way using rewrite to ban all addresses that end with .jp rather than banning each address individually? Or is there a different or better way to do it?

TIA for any help and Happy Thanksgiving!

Steve-
YoDude9999
 
Posts: 11
Joined: Wed Nov 22, 2006 2:19 am

Post by richardk » Wed Nov 22, 2006 8:46 am

Ban all .jp addresses:
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{REMOTE_HOST} \.jp$ [NC]
RewriteRule .* - [F]

To ban IP addresses, a good way is to have a /banned-ips directory and create files in it named after the IP address, e.g. "12.34.56.78".
Then you can have a small and quick (it just tests if a file exists) piece of code to test: (on the bottom of the above)
Code:
RewriteCond %{DOCUMENT_ROOT}/banned-ips/%{REMOTE_ADDR} -f
RewriteRule .* - [F]

To block someone just create the file. Deleting the file unblocks them.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
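
A helper for the file-per-IP ban directory richardk describes, added here as an example and not part of the original posts: it validates the address before using it as a file name and expires old bans so the list stays small. The `BAN_DIR` path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): manage the ban files tested by
#   RewriteCond %{DOCUMENT_ROOT}/banned-ips/%{REMOTE_ADDR} -f
# BAN_DIR is an assumed path; set it to your DocumentRoot's banned-ips directory.
BAN_DIR="${BAN_DIR:-/var/www/html/banned-ips}"

# Accept only a canonical dotted-quad IPv4 address. The value becomes a file
# name, so anything containing "/" or ".." must never get this far.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*|0?*) return 1 ;; esac   # too long / leading zero
        [ "$octet" -le 255 ] || return 1
    done
}

# Create (or refresh) the ban file; its mtime records when the ban was set.
ban_ip() {
    is_ipv4 "$1" || { echo "refusing invalid address: $1" >&2; return 1; }
    mkdir -p "$BAN_DIR" && touch "$BAN_DIR/$1"
}

# Deleting the file lifts the ban.
unban_ip() {
    is_ipv4 "$1" || return 1
    rm -f "$BAN_DIR/$1"
}

# Drop bans older than $1 days so the list does not grow without bound,
# then print how many bans remain.
expire_bans() {
    find "$BAN_DIR" -type f -mtime +"$1" -exec rm -f {} +
    find "$BAN_DIR" -type f | wc -l | tr -d ' '
}

# Command-line use: script.sh ban|unban|expire ARG
case "${1:-}" in
    ban)    ban_ip "$2" ;;
    unban)  unban_ip "$2" ;;
    expire) expire_bans "$2" ;;
esac
```

Run `expire` from cron (for example `expire 30`) so stale bans drop off without manual cleanup.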

Post by YoDude9999 » Wed Nov 22, 2006 9:54 am

Thank you Richard, I will certainly try these and see the results.

One last question. Using the method I described for automatic banning of unresolved IPs gives me an error in the error log stating that an IP address has been denied access due to server configuration. I kind of like this because I can use that information to tell that things are working as I expect.

I assume that using rewrite likely won't give me any error messages in the error log and so the only way I'll know is that I won't see any more .jp listings in my guestbook?

I'll try it on myself to see what happens.

I appreciate the quick response and had spent several hours (days actually) trying to come up with something that would work. I've done a bit of programming in my life and understanding the proper syntax of rewrite is just way confusing. It's got to be perfect or it just doesn't do it right and leads to a LOT of frustration. Even after reading all the "beginner" stuff, which helped a bit, it just didn't explain the nitty-gritty of everything I needed to know.

There's just not enough detail given on exactly what everything does and what the rules are for implementation. I have to learn this stuff for myself and I've never been an IT professional with any formal education to go with it. The Apache manuals assume everyone knows what goes on and how things are supposed to work, which isn't very helpful for everyone. Guess I'm just a "Dummy" :P

Thanks again,

Steve-
YoDude9999
 
Posts: 11
Joined: Wed Nov 22, 2006 2:19 am

Post by YoDude9999 » Wed Nov 22, 2006 11:13 am

Hmm, tried this to see the results:

Code:
Options +FollowSymLinks
RewriteEngine on

RewriteCond %{REMOTE_HOST} \.com$ [NC]
RewriteRule .* - [F]


thinking this should have banned myself and it doesn't do it.

Using this however, does:

Code:
Options +FollowSymLinks
RewriteEngine on

RewriteCond %{REMOTE_HOST} \.3$ [NC]
RewriteRule .* - [F]


being that my IP address is 192.168.0.3, this makes sense to me.

Is there a way to simply print or send to a file the returned values of the HTTP, Server and Request variables so I can actually see the results? This would help a lot.

My guestbook script uses the following lines to get the domain names of the IPs I've listed in my earlier post.

Code:
use Socket;  # provides inet_aton() and AF_INET
$ipaddress = $ENV{REMOTE_ADDR};
$domainname = gethostbyaddr(inet_aton($ipaddress), AF_INET);


It looks as though REMOTE_HOST doesn't return the same information.

Here's a thought, do I have to have: HostnameLookups On to get the proper return from REMOTE_HOST? Currently it is: HostnameLookups Off.

Still stuck,

Steve-
YoDude9999
 
Posts: 11
Joined: Wed Nov 22, 2006 2:19 am

Post by YoDude9999 » Wed Nov 22, 2006 12:13 pm

Ok, now I feel like an idiot :o

After turning HostNameLookups On this code now works:

Code:
Options +FollowSymLinks
RewriteEngine on

RewriteCond %{REMOTE_HOST} \.com$ [NC]
RewriteRule .* - [F]


Thanks Richard, I think I'm getting what I need now.
YoDude9999
 
Posts: 11
Joined: Wed Nov 22, 2006 2:19 am
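
The problem worked out in the posts above (a `REMOTE_HOST` condition that only ever sees the IP address while `HostnameLookups` is off) can be checked before deploying. This added example is not from the thread; the function names and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): catch the failure mode found above,
# a REMOTE_HOST rule deployed while HostnameLookups is off.
# Simplification (assumption): HostnameLookups is read as one server-wide
# setting; <VirtualHost>/<Directory> scoping is ignored.

# Succeeds if the last uncommented HostnameLookups directive is On or Double.
lookups_enabled() {          # $1 = server config file
    awk 'tolower($1) == "hostnamelookups" { v = tolower($2) }
         END { exit !(v == "on" || v == "double") }' "$1"
}

# Prints how many RewriteCond lines test %{REMOTE_HOST}.
remote_host_rule_count() {   # $1 = .htaccess or config file
    awk 'tolower($1) == "rewritecond" && $2 == "%{REMOTE_HOST}" { n++ }
         END { print n + 0 }' "$1"
}

# Prints a verdict; returns 1 when host-name rules can only ever see the IP.
audit() {                    # $1 = server config, $2 = .htaccess
    n=$(remote_host_rule_count "$2")
    if [ "$n" -gt 0 ] && ! lookups_enabled "$1"; then
        echo "FAIL: $n REMOTE_HOST rule(s), but HostnameLookups is off"
        return 1
    fi
    echo "OK: $n REMOTE_HOST rule(s)"
}

# Constructed sample files reproducing the thread's setup.
demo_dir=$(mktemp -d)
printf 'HostnameLookups Off\n' > "$demo_dir/httpd.conf"
cat > "$demo_dir/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REMOTE_HOST} \.jp$ [NC]
RewriteRule .* - [F]
EOF
audit "$demo_dir/httpd.conf" "$demo_dir/.htaccess" || true
printf 'HostnameLookups On\n' > "$demo_dir/httpd.conf"
audit "$demo_dir/httpd.conf" "$demo_dir/.htaccess"
rm -rf "$demo_dir"
```

`HostnameLookups Double` also counts as enabled; it additionally confirms the reverse name with a forward lookup, at the cost of extra DNS queries.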

