I get spammers slamming my little web sites all the time. A couple of my pages seem to have gotten added to some bot list, and there is no end of attempts to add comments to my WordPress blogs and tickets to my trac issue tracker. There are lots of ways to fight this, and both WordPress and trac have pretty decent built-in tools. One apache-based tool I recently added is mod_evasive, and it is so simple and elegant there’s really no reason not to use it. It’s small and appears to use an in-memory hash table for live state tracking so it shouldn’t slow things down much. All it does is look for rapid access from the same IP address, and put a temporary block on that address for a short time period. So as not to interfere with access by real people, it only takes action against obvious abuse. Here’s my configuration, with notes:
# MDM i thought about changing these to block 5 ticket requests in 60 seconds
# BUT THAT'S TOO MUCH for any other part of my websites
# This really isn't going to solve the trac problem... but i'll leave it for DOS attacks
# I did make it a little tighter:
# lowered page count from 5 to 3 (3 page requests within 1 second)
# upped site count from 100 to 50, interval from 2 to 10 (50 site requests in 10 seconds)
# MDM The only thing getting blocked is me, prolly due to HangTheDJ pings, doh
# Forget this, set it back high again. It's ONLY going to stop true DDOS attacks.
# We'll set up mod_qos or something else for trac ticket spammers.
# MDM Actually looks like spammers are dropping off...? didnt see any logging tho... huh
# I'll tighten up a LITTLE; site count from 100 to 30; page interval from 1 to 2; blocking period from 10 to 20
# MDM OK it seems to be working great now!
# But why limit the block to 20 seconds? I'm upping it to 5 minutes.
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 30
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 300