User-agents come and go, and are easily spoofed, but it’s worth a few lines of htaccess to block the more persistent bots that repeatedly scan your site with malicious requests.
# Nov 2010 User Agents
SetEnvIfNoCase User-Agent "MaMa " keep_out
SetEnvIfNoCase User-Agent "choppy" keep_out
SetEnvIfNoCase User-Agent "heritrix" keep_out
SetEnvIfNoCase User-Agent "Purebot" keep_out
SetEnvIfNoCase User-Agent "PostRank" keep_out
SetEnvIfNoCase User-Agent "archive.org_bot" keep_out
# SetEnvIf patterns are regular expressions, so the ")" in the fake-msnbot string must be escaped
SetEnvIfNoCase User-Agent "msnbot\.htm\)\._" keep_out
# <Limit> covers only the listed methods (HEAD is restricted along with GET)
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</Limit>
The first line blocks any user-agent containing “MaMa ” (including the trailing space). If that scares you, then replace that line with these two:
SetEnvIfNoCase User-Agent "MaMa CyBer" keep_out
SetEnvIfNoCase User-Agent "MaMa Xirio" keep_out
The other lines block the latest batch of “loser-agents,” which may completely disappear overnight. My current strategy is to block for a few months and then start fresh. Stuff like PostRank has made the list numerous times.
There must be some exciting new vulnerability, because suddenly I’m seeing TONS of requests for the following resources in just about every virtual directory imaginable:
What’s the best way to deal with endless requests for non-existent resources? I prefer to respond with 403 Forbidden and call it done:
# Nov 2010 Char Strings
<IfModule mod_alias.c>
RedirectMatch 403 fpw.php
RedirectMatch 403 xmlpc.php
RedirectMatch 403 pingserver.php
RedirectMatch 403 test00.comze.com
</IfModule>
Of course, make sure you aren’t actually using any of these files anywhere on your site before using this code.
Last but not least, here’s the latest batch of nefarious IP addresses. There’s no reason to block random botnet IPs, so only the most rogue static addresses make the list:
# Nov 2010 IPs
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Deny from 184.108.40.206
Deny from 220.127.116.11
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Deny from 184.108.40.206
Deny from 220.127.116.11
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Deny from 184.108.40.206
</Limit>
As with the user-agents, I like to block IPs for a month or so at a time. Implement (or not) as you see fit.
Bonus IPs! – Looking for more bad IPs to block? Check out Vladimir’s post in the comments.
Just one fix..
Don’t take my word for it. Check your own logs and see what shouldn’t be there. “Know thy enemy,” as they say ;)
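One way to do that log check before (or after) deploying the three rule sets above is to run the same patterns over your access log. The following is an added example, not code from the original post: it applies the post's case-insensitive user-agent patterns, the RedirectMatch path strings and a denied-IP set to Apache combined-format log lines, reports which rule each request would trip, and lists 404 paths that no rule catches yet. The log lines and the IP 198.51.100.9 are constructed placeholders, and the fake-msnbot pattern is written with its ")" escaped as a regex requires.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (placeholder IPs, not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2010:10:01:02 +0000] "GET /blog/fpw.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2010:10:01:03 +0000] "GET /wp/xmlpc.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2010:10:01:04 +0000] "GET /blog/test.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Nov/2010:10:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "MaMa CyBer 1.0"
198.51.100.23 - - [14/Nov/2010:10:02:11 +0000] "POST /comments HTTP/1.1" 200 80 "-" "PostRank/2.0 (postrank.com)"
192.0.2.44 - - [14/Nov/2010:10:03:00 +0000] "GET /feed/ HTTP/1.1" 200 900 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)._"
192.0.2.44 - - [14/Nov/2010:10:03:05 +0000] "GET /about/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Same patterns as the htaccess rules: SetEnvIfNoCase is a case-insensitive regex on
# the header, RedirectMatch a regex on the path; the fake-msnbot ")" is escaped.
UA_PATTERNS = ["MaMa ", "choppy", "heritrix", "Purebot", "PostRank",
               "archive.org_bot", r"msnbot\.htm\)\._"]
PATH_PATTERNS = ["fpw.php", "xmlpc.php", "pingserver.php", "test00.comze.com"]
DENIED_IPS = {"198.51.100.9"}  # constructed placeholder standing in for the IP list

def matched_rule(entry):
    """Name the first blacklist rule this request would trip, or None if it passes."""
    if entry["ip"] in DENIED_IPS:
        return "ip:" + entry["ip"]
    for pat in UA_PATTERNS:
        if re.search(pat, entry["ua"], re.IGNORECASE):
            return "ua:" + pat
    for pat in PATH_PATTERNS:
        if re.search(pat, entry["path"]):
            return "path:" + pat
    return None

def audit(log_text):
    """Count hits per rule; tally 404 paths that no rule catches yet (candidates)."""
    hits, unblocked_404 = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        rule = matched_rule(entry)
        if rule:
            hits[rule] += 1
        elif entry["status"] == "404":
            unblocked_404[entry["path"]] += 1
    return hits, unblocked_404
```

Run `audit()` over the text of your own access log; the second counter is the list of paths to consider adding to the RedirectMatch block, after checking none of them is a file you actually serve.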
For more help on blacklisting, check out Eight Ways to Blacklist with Apache’s mod_rewrite.