{"id":1313,"date":"2010-10-21T22:43:33","date_gmt":"2010-10-21T15:43:33","guid":{"rendered":"http:\/\/www.jfdesignnet.com\/?p=1313"},"modified":"2010-10-21T22:43:33","modified_gmt":"2010-10-21T15:43:33","slug":"applying-anti-bandwidth-sucker-measure-into-apache","status":"publish","type":"post","link":"https:\/\/www.jfdesignnet.com\/?p=1313","title":{"rendered":"applying anti-bandwidth-sucker measure into apache"},"content":{"rendered":"<p><a href=\"http:\/\/www.jfdesignnet.com\/wp-content\/uploads\/2010\/10\/top_pic2d.jpg\" rel=\"lightbox[1313]\"><img decoding=\"async\" loading=\"lazy\" class=\"alignright size-full wp-image-1318\" title=\"leech\" src=\"http:\/\/www.jfdesignnet.com\/wp-content\/uploads\/2010\/10\/top_pic2d.jpg\" alt=\"\" width=\"211\" height=\"116\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">This time I have to deal with another form of leech other than woman I know of &#8230; he he he. Some user hogging my server bandwidth for several time, and this abuse couldn&#8217;t continue. Here is some tricks that can denying the bandwidth sucker user by detecting their browser user agent. Fortunately, apache has a built-in  directive called BrowserMatch, and its sister BrowserMatchNoCase. These allow you to block clients based on their UserAgent string, and they  will work without mod_rewrite module. Yeahh &#8230; I know &#8230; the UserAgent string itself can be spoofed, but hell yeah &#8230; just like in real life &#8230; she can be very deceiving also with cosmetic and tears, the most lethal weapon from women \ud83d\ude42 &#8230; but, back to topics, this will take care of the vast majority of your would-be bandwidth  hogs.<\/p>\n<p><strong>Looking for web spiders and site suckers :<\/strong><br \/>\nHere&#8217;s a shortcut for identifying all user agents in your logs.<br \/>\n{code}cat access.log | awk -F &#8220;&#8221;&#8221; {&#8216;print $6&#8217;} | sort | uniq | grep -v Mozilla{\/code}<\/p>\n<p style=\"text-align: justify;\"><strong><span style=\"text-decoration: underline;\">Translation:<\/span><\/strong> Run the  logfile through a filter, treating double-quotes as field separators,  pick out the 6th field (which is the UserAgent field), sort the  resulting list, toss out all duplicates, and don&#8217;t show me anything  containing &#8220;Mozilla&#8221;. NOTE that many programs include &#8220;Mozilla&#8221; in their  useragent strings; also, some download accelerators operate as plugins  to the regular browser and then append their useragent specifics to the  browser&#8217;s string. So, if you want to be more thorough than this, leave  off everything after &#8220;uniq&#8221; and you&#8217;ll see it all &#8212; including stuff  like :<br \/>\n<em>Mozilla\/5.0 (Windows; U; Windows NT 5.1; vi; rv:1.9.2.10) Gecko\/20100914 Firefox\/3.6.10 ;ShopperReports<br \/>\nMozilla\/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.472.63 Safari\/534.3<br \/>\nMozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.13) Gecko\/20100914 Ant.com Toolbar 2.0.1 Firefox\/3.5.13<\/em><\/p>\n<p style=\"text-align: justify;\">which may or may not be legit, but are definitely unusual.<\/p>\n<p style=\"text-align: justify;\">This will take awhile for large logs. Leave off everything after &#8220;uniq&#8221; to see <strong>all<\/strong> of the UserAgents; I filter out Mozilla since it is what appears for most normal browsers, including IE.<\/p>\n<p style=\"text-align: justify;\">Also,  this assumes you are using &#8220;combined&#8221; log format. If you don&#8217;t get the  results you expect (see below), then try replacing the &#8220;$6&#8221; with another  number &#8212; your log format may order the fields differently.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Sample results:<\/span><\/strong><br \/>\n{code}cat \/var\/log\/httpd\/access.log | awk -F &#8220;&#8221;&#8221; {&#8216;print $6&#8217;} | sort | uniq | grep -v Mozilla{\/code}<\/p>\n<p><em>Feedfetcher-Google; (+http:\/\/www.google.com\/feedfetcher.html; feed-id=17527023618099803589)<br \/>\nFeedfetcher-Google; (+http:\/\/www.google.com\/feedfetcher.html; feed-id=7166567229941680435)<br \/>\nFeedjit Favicon Crawler 1.0<br \/>\nFirefox (SBUA)<br \/>\nFlashGet<br \/>\nGetGo Download Manager 4.0 (www.getgosoft.com)Pragma: no-cache<br \/>\nGooglebot-Image\/1.0<br \/>\nGooglebot\/2.1 (+http:\/\/www.google.com\/bot.html)<br \/>\nAxel 1.0b (Linux)<br \/>\nBaiduImagespider+(+http:\/\/www.baidu.jp\/spider\/)<br \/>\nBaiduspider+(+http:\/\/www.baidu.com\/search\/spider.htm)<br \/>\nBaiduspider+(+http:\/\/www.baidu.jp\/spider\/)<br \/>\nBlackBerry8520\/4.6.1.314 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/123<br \/>\nBlackBerry8520\/4.6.1.314 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/611<br \/>\nBlackBerry8520\/4.6.1.314 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/613<br \/>\nIRLbot\/1.0 (+http:\/\/irl.cs.tamu.edu\/crawler)<br \/>\nIltrovatore-Setaccio\/1.2 (It-bot; http:\/\/www.iltrovatore.it\/bot.html; info@iltrovatore.it)<br \/>\nJava1.3.1<br \/>\nLWP::Simple\/5.64<br \/>\nLeechGet 2004 (www.leechget.net)<br \/>\nLinks (2.1pre15; Linux 2.6.7-hardened-r16 i686; 80&#215;40)<br \/>\nLynx\/2.8.4rel.1 libwww-FM\/2.14<br \/>\nMediapartners-Google\/2.1<br \/>\nMonica\/1.4<br \/>\nOpera\/7.50 (X11; Linux i386; U)  [en]<br \/>\nRealDownload\/4.0.0.40<br \/>\nSIE-M55\/10 UP.Browser\/6.1.0.5.c.6 (GUI) MMP\/1.0 (Google WAP Proxy\/1.0)<br \/>\nSafariBookmarkChecker\/1.26 (+http:\/\/www.coriolis.ch\/)<br \/>\nSiteBar\/3.2.6<br \/>\nOpera\/9.80 (S60; SymbOS; Opera Mobi\/499; U; en) Presto\/2.4.18 Version\/10.00<br \/>\nOpera\/9.80 (Windows Mobile; Opera Mini\/5.1.21594\/20.2497; U; en) Presto\/2.5.25<br \/>\nWget\/1.10.2 (Red Hat modified)<br \/>\nWget\/1.11.4<br \/>\nWget\/1.12 (linux-gnu)<br \/>\nMWG Atom Life Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UNTRUSTED\/1.0<br \/>\nMxAgent<br \/>\nNetScape\/0.02 [fu] (MAC OS; X; SK)<br \/>\nNokia5300\/2.0 (05.51) Profile\/MIDP-2.0 Configuration\/CLDC-1.1<br \/>\nNokia6070\/2.0 (03.20) Profile\/MIDP-2.0 Configuration\/CLDC-1.1<br \/>\nNokia6085\/2.0 (03.71) Profile\/MIDP-2.0 Configuration\/CLDC-1.1<br \/>\nNokia6235\/1.0 (S190V0200.nep) UP.Browser\/6.2.3.2 MMP\/2.0<br \/>\niCab\/2.9.8 (Macintosh; U; 68K)<br \/>\nSonyEricssonG502\/R1FA Browser\/NetFront\/3.4 Profile\/MIDP-2.1 Configuration\/CLDC-1.1<br \/>\nSonyEricssonK510i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1<br \/>\nSonyEricssonW380i\/R10CA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1<br \/>\nSonyEricssonX2\/R3AA Browser\/Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12; MSIEMobile 6.5) Profile\/MIDP-2.1 Configuration\/CLDC-1.1<br \/>\nSosospider+(+http:\/\/help.soso.com\/webspider.htm)<br \/>\nStackRambler\/2.0 (MSIE incompatible)<br \/>\nmsnbot\/1.0 (+http:\/\/search.msn.com\/msnbot.htm)<br \/>\nWindows-Media-Player\/10.00.00.3993<br \/>\nWindows-Media-Player\/11.0.6000.6352<br \/>\nWordPress\/3.0.1; http:\/\/trik-fb.co.cc<br \/>\nWordPress\/3.0; http:\/\/www.ahlidesain.com<br \/>\nXunlei@Http Download<br \/>\nYahooMobile\/1.0 (Resource; Server; 1.0.0)<br \/>\nYeti\/1.0 (NHN Corp.; http:\/\/help.naver.com\/robots\/)<\/em><\/p>\n<p>When you see  something odd or suspicious (like &#8220;LeechGet&#8221;, gee I wonder what that  does), Google around for it. If the name is too general, add &#8220;user  agent&#8221; or &#8220;spider&#8221; or &#8220;search engine&#8221; to your query.<\/p>\n<p>Now, it&#8217;s time to applying those knowledge :<\/p>\n<p>1. To apache2.conf, add the following<\/p>\n<p>{code}BrowserMatchNoCase ^NameOfBadProgram1 nameofenv<br \/>\nBrowserMatchNoCase ^NameOfBadProgram2 nameofenv<br \/>\nBrowserMatchNoCase ^NameOfBadProgram3 nameofenv{\/code}<\/p>\n<p>Use the same &#8220;nameofenv&#8221; value for all of the agents you want to block. I added this section to some preexisting BrowserMatch directives that had to do with forcing HTTP responses to certain browser versions. Here&#8217;s what mine looks like right now, I will be adding to it as my logs reveal new twits:<\/p>\n<p>{code}# anti-bandwidth-sucker measures by jfdesign added<br \/>\nBrowserMatchNoCase ^wget suckers<br \/>\nBrowserMatchNoCase ^SiteSucker suckers<br \/>\nBrowserMatchNoCase ^iGetter suckers<br \/>\nBrowserMatchNoCase ^larbin suckers<br \/>\nBrowserMatchNoCase ^LeechGet suckers<br \/>\nBrowserMatchNoCase ^RealDownload suckers<br \/>\nBrowserMatchNoCase ^Teleport suckers<br \/>\nBrowserMatchNoCase ^Webwhacker suckers<br \/>\nBrowserMatchNoCase ^WebDevil suckers<br \/>\nBrowserMatchNoCase ^Webzip suckers<br \/>\nBrowserMatchNoCase ^Attache suckers<br \/>\nBrowserMatchNoCase ^SiteSnagger suckers<br \/>\nBrowserMatchNoCase ^WX_mail suckers<br \/>\nBrowserMatchNoCase ^EmailCollector suckers<br \/>\nBrowserMatchNoCase ^WhoWhere suckers<br \/>\nBrowserMatchNoCase ^Roverbot suckers<br \/>\nBrowserMatchNoCase ^ActiveAgent suckers<br \/>\nBrowserMatchNoCase ^EmailSiphon suckers{\/code}<\/p>\n<p>2. Now, inside the Directory blocks for each directory you want to apply these to, put<\/p>\n<p>{code}deny from env=suckers{\/code}<\/p>\n<p>You could also add this to individual directories&#8217; .htaccess files, but I have not tried this yet. I simply added it at the end of my main Directory block:<\/p>\n<p>{code}Options Indexes FollowSymLinks<br \/>\nAllowOverride AuthConfig<br \/>\ndeny from env=suckers{\/code}<\/p>\n<p>You can create other environments for things like known email-harvesting bots, known-evil web spiders, etc. and do more creative things based on which type of malicious visitors they are. I am content to just refuse connections from all of them.<\/p>\n<p>Don&#8217;t forget to restart apache (service apache2 restart) after applying any of these changes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This time I have to deal with another form of leech other than woman I know of &#8230; he he he. Some user hogging my server bandwidth for several time, and this abuse couldn&#8217;t continue. Here is some tricks that can denying the bandwidth sucker user by detecting their browser user agent. Fortunately, apache has [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1318,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,9],"tags":[34,36],"_links":{"self":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/posts\/1313"}],"collection":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1313"}],"version-history":[{"count":0,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/posts\/1313\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=\/wp\/v2\/media\/1318"}],"wp:attachment":[{"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jfdesignnet.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}