Filename :
19_bad_bots.conf
# all.conf
# Bad Bots and User Agents
#
# Every rule in this section decides on the User-Agent request header
# (some also on Host, method or URI). These headers are chosen by the client,
# so the rules filter clients that identify themselves honestly; they are not
# an access-control boundary.
# NOTE(review): rules here that give no "t:" action inherit whatever
# SecDefaultAction sets elsewhere (not visible in this file), so whether the
# plain string patterns match case-sensitively depends on that default - confirm.
# NOTE(review): some rules use REQUEST_HEADERS:User-Agent and others the older
# HTTP_User-Agent form - confirm the deployed ModSecurity version accepts both.

# Deny Googlebot crawling temp mod_userdir URLs and falsely flagging
# the IMH/WHH corp site as hacked
# Three chained conditions, all required: User-Agent contains "Googlebot",
# Host contains one of the three listed domains, URI starts with "/~".
# A match is denied with status 404 and logged.
# NOTE(review): the Host pattern is not anchored, so any Host value that
# contains one of these names also satisfies it - confirm that is intended.
SecRule REQUEST_HEADERS:User-Agent "Googlebot" \
    "chain,deny,log,auditlog,status:404,\
    msg:'Googlebot user agent crawling a temp url',id:13394"
    SecRule REQUEST_HEADERS:Host "(webhostinghub|inmotionhosting|servconfig)\.com" "chain"
    SecRule REQUEST_URI "^/~"

# Rule to prevent user agents identifying themselves as bingbot from POSTing
# Chain: method is exactly POST and the lowercased, whitespace-stripped
# User-Agent contains the bingbot identification string. Denied with 406.
SecRule REQUEST_METHOD "^POST$" \
    "chain,deny,log,auditlog,status:406,\
    msg:'Bingbot user agent making POST requests',id:'13382',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
    SecRule REQUEST_HEADERS:User-Agent "bingbot/2\.0;[+]http://www\.bing\.com/bingbot\.htm" \
        "t:lowercase,t:removeWhitespace"

# Block user agents identifying themselves as "Mozilla/5.0" when they POST to
# PHP scripts in a particular path
# Chain: method is exactly POST, the whitespace-stripped User-Agent is the bare
# string "Mozilla/5.0", and the URI matches /images/...php. Denied with 406.
# NOTE(review): the "." in "^Mozilla/5.0$" is unescaped and matches any single
# character; "5\.0" would be the literal form.
# NOTE(review): REQUEST_URI includes the query string and the last pattern is
# unanchored, so ".php" appearing anywhere after "/images/" satisfies it -
# confirm this breadth is wanted.
SecRule REQUEST_METHOD "^POST$" \
    "chain,deny,log,auditlog,status:406,\
    msg:'Suspicious user agent making POST requests',id:'13383',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
    SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0$" "t:removeWhitespace,chain"
    SecRule REQUEST_URI "/images/.*\.php"

# Block BLEXbot user agent
# Single rule: User-Agent contains "BLEXBot" -> deny with 406, logged.
SecRule HTTP_User-Agent "BLEXBot" "deny,log,auditlog,status:406,\
    msg:'Malicious user agent BLEXBot',id:'13072',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# Block GbPlugin user agent
# Single rule: User-Agent contains "GbPlugin" -> deny with 406, logged.
SecRule REQUEST_HEADERS:User-Agent "GbPlugin" \
    "deny,log,auditlog,status:406,msg:'Malicious user agent GbPlugin',id:'13066',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# Block GSLFbot user agent
# Single rule: User-Agent contains "GSLFbot" -> deny with 406, logged.
SecRule HTTP_User-Agent "GSLFbot" "deny,log,auditlog,status:406,\
    msg:'Malicious user agent GSLFbot',id:'13067',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# Block "Indy Library" UA
# Chain: method matches GET or POST, and the lowercased, whitespace-stripped
# User-Agent contains "indylibrary". Denied with 406.
# NOTE(review): the msg text says "making POST requests" but the rule also
# fires on GET; the method pattern is unanchored as well.
# NOTE(review): the transformation list on the chained rule is unquoted as
# shown; confirm in the deployed file that it sits on the same logical line
# as the SecRule it belongs to.
SecRule REQUEST_METHOD "GET|POST" "chain,deny,log,auditlog,status:406,\
    msg:'Indy Library agent making POST requests',id:'13401',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
    SecRule REQUEST_HEADERS:User-Agent "indylibrary" t:lowercase,t:removeWhitespace

# Block common bittorrent user agents
# Single rule: User-Agent contains any of the listed client names -> deny 406.
# Both "Bittorrent" and "BitTorrent" are listed, which suggests the match is
# expected to be case-sensitive.
SecRule HTTP_User-Agent \
    "uTorrent|Bittorrent|BitComet|BitTorrent|qqdownload|NP0202_0_0|Azureus"\
    "deny,log,auditlog,status:406,msg:'Bit torrent user agent',id:'13728',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

#https://trac.imhtech.net/T3/ticket/5850 : Malicious robot, attacks Joomla 1.5 com_jce
# Single rule: whitespace-stripped User-Agent contains "BOT/0.1(BOTforJCE)"
# -> deny with 406. The "." in "0.1" is unescaped (matches any character).
SecRule HTTP_User-Agent \
    "BOT/0.1\(BOTforJCE\)"\
    "deny,log,auditlog,t:removeWhitespace,status:406,msg:'Malicious robot',id:'13729',\
    tag:'WEB_ATTACK/INJECTION',severity:'4'"

# https://jira.imhdev.com/browse/T3O-4239
# Single rule: deny (406) one specific Firefox 62 / Ubuntu User-Agent string.
# t:none clears inherited transformations, so the pattern is matched against
# the header as sent, spaces included.
# NOTE(review): the action list carries two msg actions; presumably only one
# of them reaches the log - confirm which, and whether 'EOL Firefox' is lost.
SecRule HTTP_User-Agent "Mozilla/5\.0 \(X11; Ubuntu; Linux x86_64; rv:62\.0\) Gecko/20100101 Firefox/62\.0" \
    "deny,log,auditlog,t:none,status:406,msg:'EOL Firefox',\
    msg:'T3O-4239',id:'13730',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# https://imh-internal.atlassian.net/browse/T3O2-3624
# Single rule: deny (406) one specific Firefox / Fedora User-Agent string,
# matched as sent (t:none). The pattern pairs rv:94.0 with Firefox/95.0.
# NOTE(review): two msg actions here as well - confirm which one is logged.
SecRule HTTP_User-Agent "Mozilla/5\.0 \(X11; Fedora; Linux x86_64; rv:94\.0\) Gecko/20100101 Firefox/95\.0" \
    "deny,log,auditlog,t:none,status:406,msg:'EOL Firefox',\
    msg:'https://imh-internal.atlassian.net/browse/T3O2-3624',id:'13731',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# both.conf
# shared and v/dedicated rules
# Holds rules to block malicious or otherwise un-wanted bots and to
# control bad behavior (e.g. Bingbot trying to log into WordPress)

# --- Collective bot budget ---
# AI crawlers share a collective budget per domain.
# Bot list in bot_budget_bots.txt, bot table injected into Lua by assembler.
# To add a bot: add one line to bot_budget_bots.txt.
#
# Per-bot: X requests per Y min window (see lua)
# Total: shared budget across all bots (calculated from bot count)
# Lua handles per-bot + total counters with fixed-window decay.
# Rule 13075 (phase 2, never blocks: nolog,pass). When the User-Agent contains
# any phrase listed in bot_budget_bots.txt, it opens the USER collection keyed
# by the Host header, copies the User-Agent into tx.bot_ua and runs
# bot_ratelimit.lua.
# NOTE(review): the collection key (Host) and tx.bot_ua are both taken
# verbatim from client-supplied headers. Presumably the Lua script bounds and
# normalises them - confirm, and confirm the key is normalised (case, port
# suffix) so that one site maps to one set of counters and arbitrary Host
# values cannot grow the persistent store without limit.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bot_budget_bots.txt" \
    "id:13075,phase:2,nolog,pass,\
    setuid:%{request_headers.host},\
    setvar:tx.bot_ua=%{request_headers.user-agent},\
    exec:/etc/apache2/conf.d/imh-modsec/bot_ratelimit.lua"

# Rule 13076 (phase 2). Denies with 429 and logs when TX:BOT_BLOCK equals "1".
# Nothing in this file sets tx.bot_block or tx.bot_block_reason; presumably
# bot_ratelimit.lua does - verify against the script.
# NOTE(review): the log message expands the client-supplied Host header;
# confirm log consumers treat that field as untrusted input.
SecRule TX:BOT_BLOCK "@streq 1" \
    "id:13076,phase:2,deny,status:429,log,\
    msg:'BOT RATELIMITED %{tx.bot_block_reason} for %{request_headers.host}'"

# --- Hard ratelimits (1 req/3s) ---
# Limit Scrapy hits by user agent to one hit per 3 seconds
# Rule 13085 (phase 2, never blocks). For a User-Agent containing "Scrapy" it
# keys the USER collection by Host, increments user.ratelimit_scrapy and sets
# that variable to expire after 3 seconds. Because the key is the Host header,
# all Scrapy clients hitting the same Host value share one counter.
# NOTE(review): expirevar is set again on every matching request, so the
# 3-second expiry appears to restart with each hit - confirm this is the
# intended window behaviour.
SecRule REQUEST_HEADERS:User-Agent "@pm Scrapy" \
    "id:13085,phase:2,nolog,pass,setuid:%{request_headers.host},setvar:user.ratelimit_scrapy=+1,expirevar:user.ratelimit_scrapy=3"

# Rule 13086 (phase 2). Chain: the counter is greater than 1 and the
# User-Agent contains "Scrapy". Denies with 429, logs, and sets the
# RATELIMITED_SCRAPY environment variable for the Header directive below.
SecRule USER:RATELIMIT_SCRAPY "@gt 1" \
    "chain,id:13086,phase:2,deny,status:429,setenv:RATELIMITED_SCRAPY,log,msg:'RATELIMITED SCRAPY'"
    SecRule REQUEST_HEADERS:User-Agent "@pm Scrapy"

# Adds "Retry-After: 3" to responses for requests where rule 13086 set
# RATELIMITED_SCRAPY, matching the 3-second expiry used above.
Header always set Retry-After "3" env=RATELIMITED_SCRAPY