I run my own CentOS 5-based web server which powers my website among a couple of others. I have a WordPress blog which attracts quite a lot of comment and more recently trackback spam.

 

I use the Akismet service, so it rarely ever gets through, but I'm finding from my server logs that I'm getting hit quite frequently by spammers giving it a try, sometimes every few seconds for several minutes at a time. Sitting there tail -f'ing the access_log when they do this and it becomes apparent they're knocking on the door quite frequently. I'd like to be able to implement some solution to block IPs if they attempt to do more than a few trackbacks in a certain amount of time.

 

I'm running the latest version of Apache 2.2 in the CentOS 5 repositories.

 

Here's an example from /var/log/httpd/access_log of the kind of thing I mean:

 







 

There are a few factors that might help in determining rules to implement:

• More than a certain number of attempts within a certain time from the same IP (say, 15 in 5 minutes or more)
  
  
• User-Agent set to TrackBack/versionnumber
  
  
• URL in the form of /blog/year/month/day/string/trackback/ (with or without trailing slash)
  
  
• HTTP POST request
  
  

What do you think the best solution for this is? I guess something could be done using iptables, but I'm pretty inexperienced at doing anything with iptables. If not, what is the best solution for this? Is it completely futile? Find out in... oops, sorry. :P

 

Thanks guys in advance. :)

Ban by the USER AGENT, it has to be the best way. In an .htaccess file at the DocumentRoot level place.

 







 

You can do <Limit GET POST HEAD> if they use GET and HEAD as well.

 

Oh wait though, do you want to only ban those that are constantly knocking on your door?

Yeah, I could disable trackbacks entirely from WP and I guess they would all give up eventually if it kept 404'ing. There are still legitimate trackbacks I want to allow, so I want to prevent people who are doing it too much, without disabling it entirely.

 

I imagine that would be more complex to do... :)

Quote:I imagine that would be more complex to do... :)

 

Well the only way to do that, would be to include some code inside the trackback code that does some sort of simple check against what came before. Checking for things like, that ip just gave me something, that url has just been fed to me before, that url has arrived too close to another trackback that just occurred. Maybe what you could do is go the whole hog and produce an administration section that lets to you vet the trackbacks, ok'in them in your own time. I don't think there is a directly easy solution.

 

Checking around the web I see some wordpress solutions:

[/url]http://blog.mytechaid.com/archives/2005/03...-spam-solution/ ?

 

[url=http://www.optiniche.com/blog/117/wordpres...kback-tutorial/]http://www.optiniche.com/blog/117/wordpres...kback-tutorial/ <-- how it works, maybe to assist with writing your own solution.

Thanks for the links and the help znx. :)

 

I will take a look and report back here if I have any success.