2014 Micro Blacklist
Over the past several months, I’ve assembled a “micro” blacklist to keep some recent threats at bay. Eventually, this will be integrated into the next nG Blacklist, but for now I just wanted to post and share with anyone else who is actively monitoring their server logs and aware of the recent spike in malicious activity.
The 2014 Micro Blacklist blocks some particularly persistent user agents and hosts, as well as a handful of resource-wasting IP addresses that just won’t stop scanning and sniffing around where they don’t belong. Lastly, there are a couple of lines for blocking some relentless 404 requests.
2014 Micro Blacklist
To implement this blacklist, just copy/paste into the root .htaccess file of your website. If the .htaccess file doesn’t exist, check that you’re on an Apache server (and that .htaccess is enabled), and then go ahead and create one. Check out my .htaccess book if you need help with anything .htaccess related, and/or to learn WAY more about securing your site.
# 2014 Micro Blacklist
# Block 1: IP-address bans. Order/Allow/Deny come from mod_authz_host on
# Apache 2.2 and from mod_access_compat on Apache 2.4, so the mod_setenvif
# test below does not guarantee they are available; on 2.4 without
# mod_access_compat these directives are unrecognized and the .htaccess
# file fails with a 500 error. An entry ending in a dot (e.g. 123.151.39.)
# is an Apache partial address and denies the whole range.
<IfModule mod_setenvif.c>
Order Allow,Deny
Allow from all
Deny from 123.151.39.
Deny from 77.172.210.
Deny from 174.94.131.
Deny from 89.238.137.59
Deny from 212.90.148.101
Deny from 91.207.61.129
Deny from 202.46.52.120
Deny from 128.73.60.194
Deny from 68.108.17.141
Deny from 27.54.93.178
Deny from 194.9.94.213
Deny from 122.166.169.127
Deny from 96.9.163.49
Deny from 54.229.73.40
Deny from 203.109.158.201
Deny from 46.105.113.8
Deny from 183.60.244.
Deny from 54.232.102.193
Deny from 195.157.124.186
Deny from 118.39.113.219
Deny from 27.255.56.87
Deny from 69.161.138.1
Deny from 192.96.204.42
Deny from 178.63.52.200
Deny from 27.252.92.103
Deny from 37.59.65.58
Deny from 186.202.126.94
Deny from 186.213.72.146
Deny from 186.219.44.6
</IfModule>
# Block 2: return 403 for requests reporting these Host headers or user agents
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_HOST} (.*)\.crimea\.com [NC,OR]
RewriteCond %{HTTP_HOST} s368\.loopia\.se [NC,OR]
RewriteCond %{HTTP_HOST} kanagawa\.ocn [NC,OR]
RewriteCond %{HTTP_HOST} g00g1e [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (ia_archiver|g00g1e|seekerspider|siclab|spam|sqlmap) [NC]
RewriteRule .* - [F,L]
</IfModule>
# Block 3: return 403 for two relentlessly requested (404) paths
<IfModule mod_alias.c>
RedirectMatch 403 router\.php
RedirectMatch 403 /\)\.html\(
</IfModule>
# Block 4: return 403 for requests carrying this query string
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC]
RewriteRule .* - [F,L]
</IfModule>
Notes: ia_archiver was a tough call — they do some legit stuff, but lots of illicit/malicious requests are made claiming that UA or some derivative thereof, so it’s your call on that; feel free to remove it if the Wayback Machine is important to you or whatever.
About the IPs, normally I don’t bother blocking individual IPs because they are frequently spoofed and/or changing constantly. When it looks like an IP is directly tied to the perpetrator, blocking by IP can be an effective remedy for the endless scanning and malicious HTTP requests that ail you.
If you’d rather not block by IP, just remove the first <IfModule> block from the Micro Blacklist.
Lastly, this “micro” blacklist serves as a good starting point for building up your own mini-firewall that’s tuned to your particular server and traffic profile.
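Because the right set of rules depends on what your own logs show, here is an added script (not part of the original post) that replays the blacklist’s patterns over access-log lines and reports which rule would have fired on each. It assumes a log format of Apache "combined" plus the Host header as a final quoted field, and the sample log lines, test addresses and shortened IP list are constructed for illustration.

```python
import re
from collections import Counter

# Log format assumed here (constructed, not from the post): Apache "combined"
# plus the Host header as a final quoted field, i.e.
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$')

# Patterns copied from the Micro Blacklist above (IP list cut to a few entries;
# a trailing "." is an Apache partial address, i.e. the whole 123.151.39.* range).
BAD_IPS = ["123.151.39.", "77.172.210.", "183.60.244.", "89.238.137.59", "212.90.148.101"]
HOST_RE = re.compile(r"\.crimea\.com|s368\.loopia\.se|kanagawa\.ocn|g00g1e", re.I)
UA_RE = re.compile(r"ia_archiver|g00g1e|seekerspider|siclab|spam|sqlmap", re.I)
PATH_RE = re.compile(r"router\.php|/\)\.html\(")  # the two RedirectMatch 403 lines
QUERY_RE = re.compile(r"http://www\.google\.com/humans\.txt\?", re.I)

def ip_listed(ip):
    """Mimic 'Deny from': trailing-dot entries match as prefixes, others exactly."""
    return any(ip.startswith(p) if p.endswith(".") else ip == p for p in BAD_IPS)

def classify(line):
    """Return the names of the blacklist rules that this log line would trigger."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    path, _, query = m["target"].partition("?")  # RedirectMatch sees the path only
    checks = [("ip", ip_listed(m["ip"])), ("host", HOST_RE.search(m["host"])),
              ("user-agent", UA_RE.search(m["ua"])), ("path", PATH_RE.search(path)),
              ("query", QUERY_RE.search(query))]
    return [name for name, hit in checks if hit]

def scan(lines):
    """Count, per rule, how many log lines that rule would have blocked."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return counts

# Constructed sample log lines (documentation/test addresses, not real traffic).
SAMPLE_LOG = [
    '123.151.39.7 - - [10/Jan/2014:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "example.com"',
    '198.51.100.5 - - [10/Jan/2014:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "sqlmap/1.0" "example.com"',
    '198.51.100.6 - - [10/Jan/2014:12:00:03 +0000] "GET /router.php HTTP/1.1" 404 0 "-" "Mozilla/5.0" "s368.loopia.se"',
    '198.51.100.7 - - [10/Jan/2014:12:00:04 +0000] "GET /?u=http://www.google.com/humans.txt? HTTP/1.1" 200 0 "-" "Mozilla/5.0" "example.com"',
    '198.51.100.8 - - [10/Jan/2014:12:00:05 +0000] "GET /about/ HTTP/1.1" 200 900 "-" "Mozilla/5.0" "example.com"',
]
```

Run `scan()` over your real access log (one line per item) to see which rules actually match your traffic; a rule with zero hits over a few weeks of logs is a candidate for dropping, as the author suggests for the loopia.se line.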
Have fun and keep those sites secure people.
5 responses to “2014 Micro Blacklist”
I see this line in the blacklist:
RewriteCond %{HTTP_HOST} s368\.loopia\.se [NC,OR]
Does this mean the large Swedish ISP loopia.se is involved/used in the majority of the attacks?
Nope. It means that the log files showed consistent, predictable patterns of malicious behavior with requests reporting that particular host. Feel free to remove the line if desired or if you aren’t seeing any matches in your own server logs.
Thanks for this. Shall check my server logs and apply.
Can this be used in the apache config for global use?
Yes it can, but it may require some slight changes to the syntax to work from the config file.