Is it possible to deny user agents that only show characters

Fix it!!

Is it possible to deny user agents that only show characters

Postby malmklang » Wed Mar 28, 2007 9:50 am

This is quite possibly not a security issue, but for me it is, cause spam is a security issue and an ugly on too, causes my server to bend over sometimes.

So, there's a number of spammer bots that leaves only text/numbers strings as user agent in my server log. So, is there a rule I could use to deny or redirect those cases?

A few examples:
dtrehrtsjmnd sy7bivetsl bvQdsltldp s
fdbdjf8 gq djvbkmxdr kqhjfxsfkjn
vsraskylubfldkmpsslidaisvlxsxcfhiyqbwap
aqfmefokp skhsauvaoxfywmbabkkvhafcxe h

As appose to normal strings like:
(compatible; Mozilla/5.0; MSIE 5.0; FAST Crawler 6; +http://www.sesam.no/bot/)
malmklang
 
Posts: 17
Joined: Mon Mar 12, 2007 6:54 am

Postby htaccesselite » Wed Mar 28, 2007 2:58 pm

Code: Select all
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} !^$
RewriteCond %{HTTP_USER_AGENT} !^.*(mozilla|google|msie|crawl|feed|bot|gecko|firefox).* [NC]
RewriteRule .* - [F,L]


This checks any non-empty user-agent for the presence of those words, if it doesn't find any of them it will FAIL.

Got the idea from block access to files during the day
Last edited by htaccesselite on Sat Mar 31, 2007 12:14 am, edited 1 time in total.
htaccesselite
 
Posts: 6
Joined: Tue Nov 07, 2006 4:20 am
Location: http://groups.google.com/ group/apachehtaccess

Postby richardk » Fri Mar 30, 2007 12:15 pm

Or you could try
Code: Select all
Options +FollowSymLinks

RewriteEngine On

# The user agent can't contain only letters, numbers and spaces.
RewriteCond %{HTTP_USER_AGENT} !^[a-z0-9\s]+$ [NC]
RewriteRule .* - [F,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby htaccesselite » Fri Mar 30, 2007 1:00 pm

Nice one richardk, I like your approach better. But don't you mean this?
Code: Select all
RewriteCond %{HTTP_USER_AGENT} ^[a-z0-9\s]+$ [NC]



Heres a better version of my code, from Avoid Spiders
Code: Select all
RewriteCond %{HTTP_USER_AGENT} !^.*(avan|micro|safa|msie|net|new|wire|mozi|oper|goog|feed|craw).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(vali|yaho|sea|eng|che|teo|scoot|bot|word|jav|xml|rpc|blog|larb|Web|prox|Eldo).*$ [NC,L]
RewriteCond %{REQUEST_URI} ^/failed_auth\.html$
RewriteRule .* - [F]


You should replace failed_auth.html with the file that is returned with your 403 error, to avoid looping. You can set it to return a custom 403 error page with
Code: Select all
ErrorDocument 403 /failed_auth.html



Instead of sending a 403 Fail response, a better alternative might be to create a blank.txt document and rewrite to it, thats what I do. So the RewriteRule becomes:
Code: Select all
RewriteRule .* /blank.txt [L]

This saves bit of bandwidth, simplifies your error_log, and costs a little less for the server because there is no need to make two log entries.
Last edited by htaccesselite on Sat Mar 31, 2007 12:15 am, edited 1 time in total.
htaccesselite
 
Posts: 6
Joined: Tue Nov 07, 2006 4:20 am
Location: http://groups.google.com/ group/apachehtaccess

Postby richardk » Fri Mar 30, 2007 1:58 pm

But don't you mean this?

Yes, i do.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby malmklang » Fri Mar 30, 2007 3:48 pm

Thanks a bunch both of yous :) , should've tried a little first myself, as regex are something I use frequently in perl... just didn't think it'd be exactly the same for apache. But regex is regex it seems, no matter where or what :)

Had to ad A-Z to the regex ;)
Thought NC took care of that?
malmklang
 
Posts: 17
Joined: Mon Mar 12, 2007 6:54 am

Postby richardk » Sun Apr 01, 2007 2:51 pm

Had to ad A-Z to the regex :wink:
Thought NC took care of that?

It does/should.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 16 guests

cron