How do you do mass server IP bans?

pubcrawler Banned
edited December 2012 in General

Like most folks we have bad traffic coming out our ears.

The most annoying type is comment spam.

I know there are 500 different services and outsourced things, but prefer to self maintain things.

Historically we've been plugging these into iptables directly on the firewall and keeping a record in MySQL with some info on when and why.

How are other folks doing similar and what tools, if any, are you using?

Comments

  • I use iptables.

  • Me too @Ishaq, iptables overhead gets real slow as the list grows. Something like 10ms+ of latency at a few thousand entries.

    Looking at ipset, which does away with the latency supposedly.

    Still have the management issue of how to pipe the blocks from where we take them in, track them then pipe them to ipset/iptables.

    Someone must have something out there since it's a common big problem.

  • We use apf, bfd, and cpanel. I have a front end to it that makes it easier to add, remove and such from the apf database.

  • csf?

    Akismet will also protect you from comment spam in WordPress.

  • OK, that isn't so hard to do. Basically you can create a cronjob that will create the apf file, delete the old one, replace it with the new one and restart apf. That wouldn't be that hard.

  • CloudFlare is good for Comment Spam.

    Shows a doorway page to known spam / proxy / bot-net IPs.

    Even predictively using a network range heat-map it will block proxies if a network / C-range is obviously for spam usage.

    Also could use Mod_Security and some GotRoot (AtomiCorp) Rules - A description of each rule you can include into your setup is here

    Free Full Delayed Mod_Security Rules : Here

    With mod_security, if there's a common URL, or any type of pattern (unless it's heavy spyntax and random new URLs) you should be able to come up with some custom rules to block comment spamming.

    SecRule REQBODY_PROCESSOR_ERROR_MSG "Generic blacklisted items." t:lowercase
    SecRule REQUEST_URI "blogspot\.com"
    SecRule REQUEST_URI "viagra"
    SecRule REQUEST_URI "canada%20pharmacy"
    

    Etc etc. I got good while running up an Abuse & Security department at a data center, and wrote custom rules to stop worms, exploits, etc in their tracks. Stopped a few zero-days with Mod_Security too. It's a great tool, I wouldn't let a web server live without it.

  • ISC / Dshield's abuse lists are good for IPs/hosts who are lighting up the Internet like a Christmas tree

  • Don't mean to de-rail, but another related to ISC that I absolutely love for **blocking almost all spam email** is Barracuda Central's RBL (run by Barracuda Networks)

    I'd say 95% or more is blocked by this list alone, and 0 false positives. I don't even bother to run other lists with it to avoid false positives I've encountered in the past

    Barracuda Central RBL - Free, takes 1 minute to sign up and register the IPs you'll be using the RBL from. Adds into cPanel / Exim like any other RBL.

    Great free service especially given the cost of some of their equipment and normal filtering solutions.

  • My forum uses StopForumSpam's database to prevent registration from known spammers. Does a pretty good job.

  • jarjar Patron Provider, Top Host, Veteran

    Copy paste copy paste copy paste copy paste

    I don't know why I enjoy repetition, but I find it relaxing. Making scripts to save myself the trouble of repetitive tasks that have to be completed quickly? Less relaxing.

  • @jarland said:

    I don't know why I enjoy repetition, but I find it relaxing. Making scripts to save myself the trouble of repetitive tasks that have to be completed quickly? Less relaxing.

    Of course the big danger with writing a script is that you forget how to do it in the first place.

  • ZB Block
    Bad Behavior plugin for wp

  • There's @jarland being old school on us :) Repetition learning.

    One of these days we're having a beer. One of my favorite low key folks around here.
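
An added example, not code from anyone in the thread, of the management step raised above: taking tracked ban records and piping them to ipset. The record layout, the set names `banlist` and `banlist-tmp`, and the never-ban list are assumptions; the sample rows are constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample rows (address, reason, expiry or None), standing in for the
# MySQL tracking table mentioned in the thread.
SAMPLE_BANS = [
    ("203.0.113.7", "comment spam", None),
    ("203.0.113.7", "comment spam, second report", None),
    ("198.51.100.0/25", "spam range", None),
    ("198.51.100.128/25", "spam range", None),
    ("192.0.2.55", "brute force", "2012-12-01T00:00:00+00:00"),
    ("10.1.2.3", "internal host", None),
    ("not-an-ip", "malformed row", None),
]
# Assumed never-ban list (private and loopback space); extend with your own admin IPs.
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def active_networks(bans, now):
    """Validate rows, drop expired/allowlisted/malformed ones, merge overlapping ranges."""
    nets, rejected = [], []
    for addr, _reason, expires in bans:
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            rejected.append((addr, "malformed"))
            continue
        if net.version != 4:
            why = "not IPv4"
        elif expires and datetime.fromisoformat(expires) <= now:
            why = "expired"
        elif any(net.overlaps(safe) for safe in NEVER_BAN):
            why = "allowlisted"  # also catches a mistyped 0.0.0.0/0
        else:
            nets.append(net)
            continue
        rejected.append((addr, why))
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore_script(nets, live="banlist", tmp="banlist-tmp"):
    """Build `ipset restore` input: fill a scratch set, then swap it in atomically."""
    lines = [f"create {live} hash:net family inet",
             f"create {tmp} hash:net family inet", f"flush {tmp}"]
    lines += [f"add {tmp} {net}" for net in nets]
    return "\n".join(lines + [f"swap {tmp} {live}", f"destroy {tmp}"]) + "\n"

if __name__ == "__main__":
    nets, _ = active_networks(SAMPLE_BANS, datetime.now(timezone.utc))
    print(ipset_restore_script(nets), end="")  # pipe into: ipset -exist restore
```

Load the output with `ipset -exist restore` and reference the set from one rule such as `iptables -I INPUT -m set --match-set banlist src -j DROP`, so the rule count stays constant as the list grows.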
