
I originally posted this at webmasters.stackexchange.com, but was told I'd get a better reception here.


For the last few days, I've been suffering from what appears to be a (presumably inadvertent) DDOS attack. I've been getting so many requests from an agent identifying as "Mozilla/4.0 (compatible; ICS)" that apache eats through all the available memory.

Consequently, I'd like to block all requests accompanied by this user agent, so I tried doing this in httpd.conf:

SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; ICS)" bad_user
Deny from env=bad_user

But when I restart apache it complains about using deny here. Without having to wrap it in a location or directory block, which would mean I'd have to add a new block for each site, is there any way I can deny access to the whole server?


UPDATE: The error I get:

 * Restarting web server apache2
   Syntax error on line 4 of /etc/apache2/httpd.conf: deny not allowed here [fail]
Tom Wright

3 Answers


Looks like an old question now, but I wanted to do the same and found the answer from nerve above. It's not quite right as is - seems to me that it should be <Location "/">, and the SetEnvIf needs a regular expression so the parentheses need to be quoted.

This worked for me to apply the access control across all vhosts:

SetEnvIfNoCase User-Agent "^Mozilla/4.0 \(compatible; Synapse\)" bad_ua
<Location "/">
    Deny from env=bad_ua
</Location>

Just include that before the vhost definitions.

user3061288

  • (For the equivalent in Apache 2.4) Be careful using `` as it overrides any other authorisation restrictions in ``, unless you add `AuthMerging And`. See the security warning about `Require` in the apache docs: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require – Cedric Knight Nov 15 '18 at 14:26
  • `BrowserMatchNoCase` also works, maybe even better – smac89 Jun 18 '22 at 09:34

mod_rewrite can be configured at the server level according to the docs:

RewriteCond %{HTTP_USER_AGENT} "Mozilla/4\.0 \(compatible; ICS\)" [nocase]
RewriteRule ^.*$ - [forbidden,last]

Don't forget to escape the regex in the RewriteCond.

fukawi2

  • Caution: the dash is not a real dash when copied. I tried editing, but SF will complain that my edit is too small. Thanks anyway, works a treat! – Thibaut Barrère Jul 21 '14 at 12:48
  • @ThibautBarrère if you really need to, you can bypass the small edit limit by adding an invisible `` to the edit – hanshenrik Jul 10 '18 at 10:31

Provided the syntax on the SetEnv lines is correct, you should be able to throw that in the conf like so:

<Location *>
SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; ICS)" bad_user
Deny from env=bad_user
</Location>

Should allow that to operate across all the virtual hosts - just tested on 2.2.24, worked like a charm.

nerve

  • This is better in that there aren't any errors, but whilst spoofing my user agent I don't get denied. Any idea why that might be? – Tom Wright Apr 15 '13 at 12:44
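An added example, not code from any of the answers above, showing why the unescaped pattern in nerve's answer (and in the question) denies nothing, as Tom Wright reports in the comment, while the escaped form in user3061288's answer and the mod_rewrite answer does match. It emulates the unanchored, case-insensitive regex search that SetEnvIfNoCase and RewriteCond [NC] perform, using Python's re module as a stand-in for Apache's PCRE over constructed User-Agent strings; the helper names apache_regex_escape and setenvif_line are mine, not Apache's.

```python
import re

# Constructed sample User-Agent strings for the demonstration (not from the thread's logs).
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; ICS)",
    "mozilla/4.0 (COMPATIBLE; ics)",      # case differs; the *NoCase / [NC] forms still match
    "Mozilla/4.0 compatible; ICS",        # no parentheses: what the unescaped regex really matches
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
]

# Regex as written in the question and in nerve's answer: "(" and ")" are group
# delimiters, so the pattern matches "Mozilla/4.0 compatible; ICS" and never the real UA.
UNESCAPED = r"Mozilla/4.0 (compatible; ICS)"
# Regex with the metacharacters escaped, as in the top answer and the mod_rewrite answer.
ESCAPED = r"^Mozilla/4\.0 \(compatible; ICS\)"

# Characters that carry special meaning in a PCRE pattern and must be backslash-escaped.
_META = set(".^$*+?()[]{}|\\")


def apache_regex_escape(literal):
    """Escape a literal string so it matches itself inside a SetEnvIf / RewriteCond regex."""
    return "".join("\\" + c if c in _META else c for c in literal)


def ua_matches(pattern, ua):
    """Emulate SetEnvIfNoCase / RewriteCond [NC]: unanchored, case-insensitive search."""
    return re.search(pattern, ua, re.IGNORECASE) is not None


def blocked(pattern, uas=SAMPLE_UAS):
    """Return the sample UAs that the given pattern would tag as bad_ua."""
    return [ua for ua in uas if ua_matches(pattern, ua)]


def setenvif_line(ua_literal, var="bad_ua"):
    """Build a SetEnvIfNoCase directive that matches the literal UA, anchored at the start."""
    return 'SetEnvIfNoCase User-Agent "^%s" %s' % (apache_regex_escape(ua_literal), var)


if __name__ == "__main__":
    print("unescaped pattern blocks:", blocked(UNESCAPED))
    print("escaped pattern blocks:  ", blocked(ESCAPED))
    print(setenvif_line("Mozilla/4.0 (compatible; ICS)"))
```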