X

Blocking Bad UserAgents with ModSecurity and Fail2ban

Many bots crawl websites that do nothing to generate positive traffic for the site. They just use up available resources and bandwidth of the server. You can reduce this drastically by implementing blocking using ModSecurity to detect the bad agents and then fail2ban to block them in iptables for a period of time.  This guide assumes you already have ModSecurity Installed. If you do not, follow our guide to get it installed then proceed with this.

Configure ModSecurity to Block  User Agents

In our Apache configuration setup, we already have a include directory for ModSecurity rules

Include /etc/httpd/conf/modsecurity.d/rules/*.conf

So we are going to create a new .conf to start detecting agents

nano /etc/httpd/conf/modsecurity.d/rules/block_user_agents.conf

We are going to add the following and save the file

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" "id:350001,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"

We are then going to create the list of User Agents to be detected and blocked:

nano /etc/httpd/conf/modsecurity.d/rules/badbots.txt

And insert the following user agents. If you want to let some of these in feel free to edit the list as you see fit.

AhrefsBot
Anonymizer
Attributor
Baidu
Bandit
BatchFTP
Bigfoot
Black.Hole
Bork-edition
DataCha0s
Deepnet Explorer
desktopsmiley
DigExt
feedfinder
gamingharbor
heritrix
ia_archiver
Indy Library
Jakarta
Java
juicyaccess
larbin
linkdex
Missigua
MRSPUTNIK
Nutch
panscient
plaNETWORK
Snapbot
Sogou
TinEye
TwengaBot
Twitturly
User-Agent
Viewzi
WebCapture
XX
Yandex
YebolBot
MJ12bot
masscan
baidu
Yandex
RSSingBot
Scanbot
betaBot
DotBot
SemrushBot
mj12bot
FeedFetcher
seoscanners.net
Moreover
ltx71
inboundlinks.win
sitebot

Configure Fail2Ban

First you will need to install Fail2ban

yum  -y install fail2ban

After that has finished installing, you will want to create a new jail file

nano /etc/fail2ban/jail.local

Creating a local jail will allow the main fail2ban configuration to be updated with new updates.

[apache-modsecblock-badbots]
enabled = true
filter = apache-useragent
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
 postback[name=BADBOT, port="http,https", protocol=tcp]
maxretry = 2
bantime = 172800
ignoreip = 127.0.0.0/8 10.0.0.0/8 192.168.1.0/24

Update ignoreip with any local IPs or any others you want to allow in regardless of the UserAgent. This allows each IP to access twice with the a UserAgent indicated in the list, after that it will be banned.

You will then want to create the failregex pattern

nano /etc/fail2ban/filter.d/apache-useragent.conf

And add the following

# Fail2Ban configuration file
#

[Definition]


# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# abovementioned bots.
# Values: TEXT
#

failregex = [[]client <HOST>[]] ModSecurity: Access denied with code 406 .* [[]msg "BAD BOT - Detected and Blocked. "[]] .*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#

Go ahead and restart fail2ban and apache

service httpd restart

service fail2ban restart

You should now be able to watch the apache error log /var/log/httpd/error.log to see if any bans are picked up.

 

 

 

LinuxAdmin.io
0 0 votes
Article Rating
LinuxAdmin.io:

View Comments (2)

  • Hi,
    very interesting approach - but have not managed to get rid of ahrefs bot so far with this method.
    Followed your instructions, albeit slightly modified since on Debian. Badbots are detected and written into the error.log alright, but fail2ban fails to pick on them ... maybe something wrong with the regex? It looks good to me, but since I am zero on regex I might be overlooking something ...
    Here a sample of what is written into the error.log:
    [Tue Nov 28 16:34:54.520349 2017] [:error] [pid 30083] [client 51.255.65.33:49402] [client 51.255.65.33] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/block_user_agents.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.ferbern.de"] [uri "/manual/ja/mod/prefork.html"] [unique_id "Wh2CHiXdxw0AAHWD91wAAAAD"]
    [Tue Nov 28 16:35:09.681786 2017] [:error] [pid 30084] [client 217.182.132.79:53668] [client 217.182.132.79] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/block_user_agents.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "ferbern.de"] [uri "/manual/ko/mod/mod_log_forensic.html"] [unique_id "Wh2CLSXdxw0AAHWELFMAAAAE"]
    [Tue Nov 28 16:40:17.601603 2017] [:error] [pid 30082] [client 51.255.65.76:60427] [client 51.255.65.76] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/block_user_agents.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.ferbern.de"] [uri "/manual/ko/mod/mod_ext_filter.html"] [unique_id "Wh2DYSXdxw0AAHWCVjsAAAAC"]
    [Tue Nov 28 16:45:12.370997 2017] [:error] [pid 30084] [client 164.132.161.45:18922] [client 164.132.161.45] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/block_user_agents.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.ferbern.de"] [uri "/manual/fr/programs/htdbm.html"] [unique_id "Wh2EiCXdxw0AAHWELFQAAAAE"]
    [Tue Nov 28 16:46:49.313264 2017] [:error] [pid 30080] [client 51.255.65.62:18172] [client 51.255.65.62] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/block_user_agents.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.ferbern.de"] [uri "/manual/es/content-negotiation.html"] [unique_id "Wh2E6SXdxw0AAHWAEpMAAAAA"]
    Any ideas?
    Cheers
    Chris

    • Hello Chris,
      It might be the format, have tried doing a fail2ban-regex on the jail and log file to confirm its matching the hit through mod security?

Related Post