mod_rewrite rule to block user agent
Posted by Ibrahim6oct, 12-17-2008, 08:39 PM |
How can I block this user agent through mod_rewrite?
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
And will this agent affect all the IE 6 users?
And what is the difference between the one above and this one:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) ?
|
Posted by Dynash, 12-17-2008, 08:43 PM |
Why do you want to block them? Just ban his IP or something.
__________________
-Stephen. JavaKrypt.com - Antsta.com
|
Posted by Ibrahim6oct, 12-17-2008, 08:45 PM |
I received a lot of traffic from it... It's now about one month that I am facing a DDoS attack, and I think it's a bad bot used by a "BlackEnergy DDOS",
so it will be a trial to ban, and I hope it solves the problem...
|
Posted by Eric - Zoidial, 12-17-2008, 09:30 PM |
That user agent is *very* standard - and quite common, so blocking it would result in blocking a lot of legitimate traffic.
Blocking by IP is a better idea, as Dynash suggested.
Barring that, you can try mod_evasive, which will limit per-IP connections, which might help mitigate the DDoS attack.
Blocking IPs with mod_rewrite would be something like:
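RewriteEngine On
# Dots are escaped so each pattern matches only that exact address
RewriteCond %{REMOTE_ADDR} ^127\.0\.0\.2$ [OR]
RewriteCond %{REMOTE_ADDR} ^127\.0\.0\.3$
# Answer 403 Forbidden to any request from the addresses above
RewriteRule .* - [F,L]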
(change the 127.0.0.x addresses to ones you need to block)
If you are still gung-ho about blocking all your users, you *could* block based on user agent, but it's a terrible idea with the user agent string you mentioned given how common it is:
RewriteEngine On
# Anchored with ^ and $, so only this exact user agent string matches
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.0\ \(compatible;\ MSIE\ 6\.0;\ Windows\ NT\ 5\.1;\ SV1\)$ [NC]
RewriteRule .* - [F]
|
Posted by Ibrahim6oct, 12-17-2008, 09:33 PM |
Thanks Eric very much..
What is the difference between this:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) ?
and the one I want to block?
And will the one I want to block affect:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30 ?
|
Posted by Eric - Zoidial, 12-17-2008, 09:51 PM |
If this is truly some sort of bot/ddos attack, they are probably spoofing legitimate user agents, so there probably isn't a difference between 'bad host' user agents and 'legitimate host' user agents here.
That said, I've searched my logs and don't see that user agent offhand, so... You may want to try:
RewriteEngine On
# Anchored with ^ and $, so only this exact user agent string matches
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.0\ \(compatible;\ MSIE\ 6\.0;\ Windows\ NT\ 5\.1;\ SV1;\ InfoPath\.2;\ \.NET\ CLR\ 2\.0\.50727;\ \.NET\ CLR\ 3\.0\.04506\.30\)$ [NC]
RewriteRule .* - [F]
Or check the IPs that this user agent is coming from. There may only be a few distinct IPs that you need to block.
You can get a sorted list of IP addresses with number of occurrences by running this command from the shell (if you have shell access, and assuming you are using Apache, with an access_log that includes user agent data):
grep -F "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30" access_log | awk '{print $1}' | sort | uniq -c | sort -n
|
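An added example, not part of any post in this thread: the per-IP count above, but comparing the whole User-Agent field exactly (as the anchored `^...$` RewriteCond does), so the short IE 6 string and the longer InfoPath/.NET string are counted separately. It assumes Apache's "combined" log format; the log lines and the function names (`sample_log`, `ua_ip_counts`, `ua_spread`) are constructed for illustration.

```shell
# Constructed sample lines in Apache "combined" log format.
# The addresses are RFC 5737 documentation ranges, not real hosts.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [17/Dec/2008:20:39:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
192.0.2.10 - - [17/Dec/2008:20:39:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
192.0.2.10 - - [17/Dec/2008:20:39:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
192.0.2.10 - - [17/Dec/2008:20:39:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
192.0.2.11 - - [17/Dec/2008:20:40:10 +0000] "GET /a HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
198.51.100.7 - - [17/Dec/2008:20:41:00 +0000] "GET /b HTTP/1.1" 200 700 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [17/Dec/2008:20:42:00 +0000] "GET /c HTTP/1.1" 200 700 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.20 - - [17/Dec/2008:20:43:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.0"
EOF
}

SHORT_UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
LONG_UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)'

# ua_ip_counts UA [FILE...]: print "hits ip", busiest first, for requests
# whose User-Agent field equals UA exactly. Splitting on '"' makes the UA
# field 6; lines with escaped quotes in the request or referer are skipped.
ua_ip_counts() {
    ua=$1; shift
    UA="$ua" awk -F'"' '
        $6 == ENVIRON["UA"] { split($1, a, " "); hits[a[1]]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# ua_spread UA [FILE...]: print "<total hits> <distinct IPs>" for that UA.
# Many hits from few IPs points at blocking those IPs, not the user agent.
ua_spread() {
    ua_ip_counts "$@" | awk '{ total += $1 } END { print total + 0, NR }'
}

# Stand-alone demonstration on the constructed sample
sample_log | ua_ip_counts "$LONG_UA"
```

On a real server, pass the log path as the second argument, for example `ua_ip_counts "$LONG_UA" access_log`.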
Posted by Dynash, 12-17-2008, 10:03 PM |
The .NET CLR 2/3 is nothing to worry about.
That is just telling you the user who is browsing your site has the Microsoft .NET Frameworks 2/3 installed on their computers. It's mostly known through users using the Avant web browser, which is a type of "copy" of Internet Explorer.
Don't ban user agents, only ban if they are robots and they are eating up bandwidth. If you can, install CSF firewall and enter rules to prevent lots of connections. I don't think this is a DDoS attack, it could be either a very nosy user, individual users (since we have no info as far as IPs go) or it could be a scanner.
Oh also InfoPath 2 comes in the Microsoft Office 2003 and 2007 bundle. It's just a software app.
__________________
-Stephen. JavaKrypt.com - Antsta.com
|
Posted by Ibrahim6oct, 12-17-2008, 11:29 PM |
Thanks guys for this useful info.
|