○ spam & worm control

・Controlling spam and worms with setenvif and rewrite
・Do not copy this verbatim (it may produce errors)

・Editor and file manager operations are omitted
・Pressing the Enter key is omitted

・In the login terminal, "#" is the root prompt and "$" is the prompt of a regular user
・In configuration files, lines beginning with "#" are interpreted as comments

○mod_rewrite configuration

・Reference site: Eight Ways to Blacklist with Apache's mod_rewrite
・Enabling RewriteLog puts extra load on apache, so it is normally left disabled
・Each RewriteRule sets E=(variable), which is passed on to access_log (configured separately)

:/etc/httpd/conf/extra/httpd-rewrite-block.conf

## Using mod_rewrite to block the stupid comment and spam bots

<IfModule rewrite_module>

RewriteEngine On
ServerSignature Off
Options +FollowSymLinks
#RewriteLog "/var/log/httpd/rewrite_log"

## loglevel setting for apache2.4
#LogLevel warn rewrite:trace3

## loglevel setting for apache2.2
#RewriteLogLevel 5

# Blacklist for REQUEST_METHOD

RewriteCond %{REQUEST_METHOD} ^(delete|head|trace|track) [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

# Blacklist for THE_REQUEST

RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Blacklist for HTTP_REFERER

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%00).* [NC]
RewriteCond %{HTTP_REFERER} ^.*(poker|medicine|pills|diet|viagra|mortgage).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*(casino|insurance|loan|buy|xanax|meridia).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*(incest|adult|porno|lesbian|tramadol|holdem).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*(phentermine|gambling|texas|pharmacy|ultram).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Blacklist for HTTP_COOKIE

RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Blacklist for REQUEST_URI
## If you want to publish sites under /~user/, do not add the |\~ alternative

RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(,|;|:|<|>|">|"<|\\\.\.\\).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\=|\@|\[|\]|\^|\`|\{|\}).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Blacklist for HTTP_USER_AGENT

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|miner|python|winhttp|libwww\-perl).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(curl|wget|java|harvest|scan|grab|extract).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Unexpected Search Engine
## Add the corresponding entries to robots.txt

RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|Baiduspider\+|BaiduImagespider).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(BaiduMobaider|NaverBot|yodaobot|Yandex|Yeti).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(AdultsVisit|ia_archiver|al_viewer|Twiceler).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(AhrefsBot|Exabot|RU_Bot|360Spider|Statsbot).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Sosospider|SeznamBot|ZumBot).* [NC]
# In server config context the matched path begins with "/", so allow for it
RewriteRule !^/?robots\.txt$ - [G,L,E=ignorelog:1]

## Blacklist for QUERY_STRING

RewriteCond %{QUERY_STRING} \?$ [OR]
RewriteCond %{QUERY_STRING} \.\./\.\./\.\./ [OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Misleading Web Manager

RewriteCond %{QUERY_STRING} ^.*(http://195\.228\.157\.218:2082).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(http://217\.218\.225\.2:2082).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(http://193\.255\.208\.32:2082).* [NC]
RewriteRule ^.*$ - [G,L,E=ignorelog:1]

## Ignoring the bad access to the setting's file

# No [OR] here: both conditions must hold, i.e. block unless the client is
# localhost or on 192.168.0.x (with [OR] every client fails one of them)
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.[0-9]+$
RewriteRule (nosuichfile|setup)\.php$ - [G,L,E=ignorelog:1]

</IfModule>
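
The RewriteCond chains above are evaluated with Apache's AND/OR semantics: consecutive [OR] conditions form one group, and every group must hold for the RewriteRule to fire. This added Python example (not from the page or the reference site) models that evaluation and shows the difference between joining the two negated REMOTE_ADDR conditions with [OR] (fires for every client, localhost included) and without it (fires only for clients outside localhost and 192.168.0.x); the request dict and function names are my constructions, and NC is modelled by always matching case-insensitively.

```python
import re

# One RewriteCond as a tuple: (variable, regex, negated, or_next).
# Mirrors "RewriteCond %{VAR} [!]pattern [NC,OR]" from the config above.
def rewritecond_chain_matches(conds, request):
    """Return True if the RewriteRule after this chain would fire.

    Apache joins consecutive [OR] conditions into one group and ANDs the
    groups together; a group holds if any of its conditions holds.
    """
    pending = None  # None = no open OR group, else the open group's result
    for var, pattern, negated, or_next in conds:
        value = request.get(var, "")
        matched = re.search(pattern, value, re.IGNORECASE) is not None
        if negated:
            matched = not matched
        pending = matched if pending is None else (pending or matched)
        if or_next:
            continue  # the group continues with the next condition
        if not pending:
            return False  # a whole AND-group failed: rule does not fire
        pending = None
    return pending is None or pending

# Two negated REMOTE_ADDR conditions joined with [OR]: every client fails
# at least one of them, so the rule fires even for localhost.
OR_JOINED = [
    ("REMOTE_ADDR", r"^127\.0\.0\.1$", True, True),
    ("REMOTE_ADDR", r"^192\.168\.0\.*$", True, False),
]
# Same conditions ANDed (no [OR]), and with the LAN pattern requiring a
# real fourth octet instead of "\.*" (zero or more dots).
AND_JOINED = [
    ("REMOTE_ADDR", r"^127\.0\.0\.1$", True, False),
    ("REMOTE_ADDR", r"^192\.168\.0\.[0-9]+$", True, False),
]
# The HTTP_USER_AGENT blacklist from the config: one OR group.
UA_BLACKLIST = [
    ("HTTP_USER_AGENT", r"^$", False, True),
    ("HTTP_USER_AGENT", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", False, True),
    ("HTTP_USER_AGENT", r"(curl|wget|java|harvest|scan|grab|extract)", False, False),
]

def fires_for_setup_php(conds, remote_addr):
    """Would the setup.php rule fire for a client at remote_addr?"""
    return rewritecond_chain_matches(conds, {"REMOTE_ADDR": remote_addr})

def fires_for_user_agent(user_agent):
    """Would the User-Agent blacklist rule fire for this User-Agent?"""
    return rewritecond_chain_matches(UA_BLACKLIST, {"HTTP_USER_AGENT": user_agent})
```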

○robots.txt configuration

・Editing steps omitted

User-agent: Baiduspider
Disallow: /
User-agent: Baiduspider+
Disallow: /
User-agent: BaiduImagespider
Disallow: /
User-agent: BaiduMobaider
Disallow: /
User-agent: NaverBot
Disallow: /
User-agent: yodaobot
Disallow: /
User-agent: Yandex
Disallow: /
User-agent: Yeti
Disallow: /
User-agent: AdultsVisit
Disallow: /
User-agent: ia_archiver
Disallow: /
User-agent: al_viewer
Disallow: /
User-agent: Twiceler
Disallow: /
User-agent: AhrefsBot
Disallow: /
User-agent: Exabot
Disallow: /
User-agent: RU_Bot
Disallow: /
User-agent: 360Spider
Disallow: /
User-agent: Statsbot
Disallow: /
User-agent: Sosospider
Disallow: /
User-agent: SeznamBot
Disallow: /
User-agent: ZumBot
Disallow: /

○mod_setenvif configuration

・The variables spamlist (named wormlist in the file below) and ignorelog are set and used to control the access log
・The worm settings may no longer be necessary (logs are still collected as a trial)?

:/etc/httpd/conf/extra/httpd-setenvif-block.conf

## catch IIS worm attacks (already not useful?)

<IfModule setenvif_module>
    SetEnvIfNocase Request_URI "^/(_mem_bin|_vti_bin|c|d|msadc|scripts)/" wormlist ignorelog
    SetEnvIfNocase Request_URI "\.(asp|bat|cmd|dll|exe|files)" wormlist ignorelog
    SetEnvIfNocase Request_URI "\.(htr|htw|ida|idc|idq|printer)" wormlist ignorelog
    SetEnvIf User-Agent "(compatible; MSIE 5.5; Windows 98)" ignorelog
</IfModule>

## access-control for apache2.4

#<RequireAll>
#   Require all granted
#   <RequireNone>
#       Require env wormlist
#   </RequireNone>
#</RequireAll>

## access-control for apache2.2

#Order allow,deny
#Allow from all
#Deny from env=wormlist

## logging

<IfModule log_config_module>
    CustomLog "/var/log/httpd/worm_log" combined env=wormlist
</IfModule>

○ Copyright(c) 528p.com All Rights Reserved.