s9y trackback spam

I’ve used fail2ban on various machines for quite some time, usually only to guard SSH. Sadly, this morning I woke up to another couple of gig gone in futile trackback spamming attempts, and decided to write a quick regex to cover myself, as it was starting to become more than a slight annoyance.

If you’re unfamiliar with fail2ban’s filter conf files, then I suggest you take a look at some of the other existing files as these steps aren’t exactly verbose.

I quickly crafted the following regex and placed it into a new conf file within the fail2ban filter.d directory (name it however you like):

[Definition]

failregex = ^<HOST> -.*"(GET|POST) /comment\.php\?type=trackback.*" [0-9]+ [0-9]+$

ignoreregex =

And then I added the relevant entry to jail.local and restarted fail2ban. Since these “attacks” (I use that word lightly) only appear to happen in the evening, I’ve had to wait until now to see how well this works. I’ve since tweaked my bantime, increasing it over my default, and things are looking much better.
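Rather than waiting for the evening traffic, the failregex can be checked offline against sample access-log lines. The following is an added example, not part of the original post: it swaps `<HOST>` for a simplified capture group (fail2ban's own expansion is stricter), runs the pattern over constructed log lines, and shows that the pattern matches Apache's common log format but not the combined format, where referer and user agent follow the byte count. The function names and sample lines are assumptions made for the illustration.

```python
import re

# The filter's failregex with the literal dot in "comment.php" escaped.
FAILREGEX = r'^<HOST> -.*"(GET|POST) /comment\.php\?type=trackback.*" [0-9]+ [0-9]+$'

# Assumption: simplified stand-in for fail2ban's own <HOST> expansion,
# which additionally restricts the token to an IPv4/IPv6 address or hostname.
HOST_GROUP = r'(?P<host>\S+)'


def hits_per_host(lines, failregex=FAILREGEX):
    """Count lines matching failregex, keyed by the captured host."""
    rx = re.compile(failregex.replace('<HOST>', HOST_GROUP))
    hits = {}
    for line in lines:
        m = rx.search(line.rstrip('\n'))
        if m:
            hits[m.group('host')] = hits.get(m.group('host'), 0) + 1
    return hits


def would_ban(lines, maxretry):
    """Hosts reaching maxretry hits (the findtime window is ignored here)."""
    return sorted(h for h, n in hits_per_host(lines).items() if n >= maxretry)


# Constructed sample lines using documentation address ranges.
REQ = '[12/Mar/2010:21:14:02 +0000] "POST /comment.php?type=trackback&entry_id=42 HTTP/1.1"'
COMMON_LOG = [
    '203.0.113.7 - - ' + REQ + ' 200 512',
    '203.0.113.7 - - ' + REQ + ' 200 512',
    '203.0.113.7 - - ' + REQ + ' 200 512',
    '198.51.100.9 - - ' + REQ + ' 200 512',
    # Ordinary comment post: not a trackback, must not count.
    '192.0.2.15 - - [12/Mar/2010:21:15:10 +0000] "POST /comment.php?entry_id=42 HTTP/1.1" 200 90',
    # Byte count logged as "-": the trailing [0-9]+ does not match it.
    '203.0.113.7 - - ' + REQ + ' 304 -',
]
# Same requests in combined format: referer and user agent follow the byte
# count, so the $-anchored pattern matches none of them.
COMBINED_LOG = [line + ' "-" "Mozilla/4.0"' for line in COMMON_LOG[:4]]

if __name__ == '__main__':
    print('common  :', hits_per_host(COMMON_LOG), would_ban(COMMON_LOG, 3))
    print('combined:', hits_per_host(COMBINED_LOG), would_ban(COMBINED_LOG, 3))
```

On the server itself, the `fail2ban-regex` tool shipped with fail2ban runs a filter file against the real log and reports how many lines matched.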

I also took this opportunity to set up the badbots filter and a few of the other default filters that I’ve never really touched previously. They’ve not yet been triggered, so I may well leave them for a few days and see whether or not they’re actually worthwhile.