
Setting up User-Agent blocking in .htaccess or my site is being attacked


My site is being attacked. What I've done: in the .htaccess file, about 4200 IP addresses are blocked, from which requests were sent in batches, in this way:

allow from all
deny from 200.6.169.250
deny from 85.109.127.48

All requests come from a single user agent.

How do I correctly block the user agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 OPR/71.0.3770.284?

Yes, at the moment I have written this, and I do not know whether there is a correct option here:

# Blocking user agents:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 OPR/71.0.3770.284" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" [OR]
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 (Windows NT 10\.0; Win64; x64) AppleWebKit/537\.36 (KHTML, like Gecko) Chrome/85\.0\.4183\.121 Safari/537\.36" [OR]
RewriteCond %{HTTP_USER_AGENT} "^Mozilla\/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\) Chrome\/85\.0\.4183\.121 Safari\/537\.36$"
RewriteRule ^ - [F] 

Solution

  • I am seeing this same attack. Blocking that browser string (as opposed to the IPs, which are all over the place) seems like the best call. I tend to suspect a browser or some exploit as a potential cause, given the pace of the attack, IP variability, and network speed differences. Unless it is a bot network that is attacking many places at once?

    Note that we've seen what looks to be legitimate traffic from the longer versions of the browser string: i.e. additional info in the agent string beyond the Safari/537.36 appear legitimate, while only those that end at that exact point appear to be definite bots of some sort - at least, at this time.

    If you'd like to block all the variations, the following works:

    # Blocking user agents:
    RewriteEngine On
    RewriteCond "%{HTTP_USER_AGENT}" "^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 \(KHTML, like Gecko\) Chrome/85\.0\.4183\.121 Safari/537\.36.*$"
    RewriteRule ^ - [F]
    

    Escaping the parentheses is required (as you did in your last condition) since the RewriteCond expects regular expressions by default. While the dots would have been fine, I preferred being explicit. (For whatever reason, Apache doesn't care that /'s are not escaped - their documentation even includes examples like this too.)

    Note that you don't have to use Regex if you want to block just one specific string, by using = as follows. No escaping needed in this case, but the quotes are:

    RewriteCond "%{HTTP_USER_AGENT}" "=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"
    

    I recommend doing testing with something like https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/. Other common tools (e.g. curl) are great for it too: https://www.cyberciti.biz/faq/curl-set-user-agent-command-linux-unix/
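
The matching behaviour of the conditions above can be checked offline before a rule goes into a live .htaccess. The following is an added example, not part of the original question or answer: it approximates RewriteCond matching with Python's `re` module (an assumption; Apache itself uses PCRE), and the `curl/7.68.0` sample and all function names are constructed for illustration.

```python
import re

# User-Agent strings from the question; "other" is a constructed unrelated client.
BASE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36")
SAMPLES = {
    "base": BASE,
    "opera": BASE + " OPR/71.0.3770.284",
    "other": "curl/7.68.0",
}

# The escaped regex from the answer, without its trailing ".*$".
ESCAPED = (r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 "
           r"\(KHTML, like Gecko\) Chrome/85\.0\.4183\.121 Safari/537\.36")

# (label, CondPattern) pairs mirroring the variants shown on this page.
CONDITIONS = [
    ("exact", "=" + BASE),                                            # "=" string comparison
    ("unescaped", ESCAPED.replace(r"\(", "(").replace(r"\)", ")")),   # question's third condition
    ("anchored", ESCAPED + "$"),                                      # question's fourth condition
    ("all_variants", ESCAPED + ".*$"),                                # answer's pattern
]

def cond_matches(pattern, user_agent):
    """Approximate one RewriteCond: a leading '=' means string equality, else a regex search."""
    if pattern.startswith("="):
        return user_agent == pattern[1:]
    return re.search(pattern, user_agent) is not None

def blocked_by(label):
    """Return the sample names that a single condition would send to [F]."""
    pattern = dict(CONDITIONS)[label]
    return sorted(name for name, ua in SAMPLES.items() if cond_matches(pattern, ua))

if __name__ == "__main__":
    for label, _ in CONDITIONS:
        print(f"{label:13} blocks {blocked_by(label)}")
```

The unescaped variant blocks nothing because `(` and `)` become a regex group instead of matching the literal parentheses in the header, while the `.*$` variant also blocks the longer OPR string.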