Blocking User Agent

Try though I might, I cannot seem to stop someone from scanning my site using OpenVAS. The user agent remains the same but I can’t seem to block them… htaccess or on CF, please tell me someone, do I need to escape the non-ASCII in the string if I block via CF? I’ve also a bunch of other mod_rewrite rules in htaccess which I need to keep, one of which is redirecting all non-resolvable paths to index.php

The UA I want gone is this -

Mozilla/5.0 [en] (X11, U; OpenVAS 9.0.2)

And you’ve tried blocking this User Agent on the Cloudflare Firewall settings page?

What’s the non-ASCII part you’re trying to escape?

Hey, yeah… That’s kind of my question I guess… Not sure in what format to add it to the firewall page. Tried just OpenVAS & the full string but still they come…

The full string you want to block, substrings are not supported. Can you post a screenshot of the firewall entry?

Also, as @sdayman already mentioned, what ASCII thing are you referring to?

Hi Sandro, and cheers for responding… Ref ASCII comment… In htaccess, from memory, non-ASCII characters need to be escaped. Spaces included…

Ref my firewall entries, see image attached,

And also the scanning bot in the log

Space is a normal ASCII character, even though you typically need to wrap a string containing spaces in quotes.

As for your rules, the first one won’t fire as it seems to aim for a substring match. Assuming the second contains the full string (hard to tell as it is cut off) it should fire and block the requests in question.

Are you sure your site is going via Cloudflare in the first place? Can you post the URL?

Hi Sandro, the cut-off log is identical to the entry, and yes the site is wholly going through CF. Hence why I’m here asking why this agent isn’t being stopped at the DNS / firewall level… I wondered therefore if why it’s not working is because of the non-ASCII chars or spaces etc. Kind of hoping someone would confirm as you just suggested that UA with spaces may need to be entered wrapped in some way. Maybe I’ll give that a try, but something is amiss…

If the entry is identical and the site is going through Cloudflare it should get blocked - at least it does in my case. Spaces should not be relevant in this case and there are no non-ASCII characters as far as I can tell.

I just configured a block with that precise configuration and ran a test and it got blocked as expected.

If you want try it yourself by setting your user-agent to the desired value (in Firefox specify it under general.useragent.override) and then try opening I’ll still leave the block in place for a couple of hours.

1 Like
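
For the .htaccess side of the question, an added example (not posted by anyone in this thread) of a mod_rewrite rule that refuses the user agent quoted above. The `index.php` catch-all is shown in a common form as an assumption, since the poster's actual rules do not appear in the thread.

```apache
RewriteEngine On

# The CondPattern is a regular expression, so what needs escaping are the
# regex metacharacters in the UA ([ ] ( ) .), not spaces or "non-ASCII"
# characters. Double quotes around the pattern keep the spaces literal.
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0 \[en\] \(X11, U; OpenVAS 9\.0\.2\)$"
RewriteRule ^ - [F]

# Looser alternative: mod_rewrite patterns are unanchored, so a substring
# match works here and survives scanner version changes.
# RewriteCond %{HTTP_USER_AGENT} OpenVAS [NC]
# RewriteRule ^ - [F]

# Assumed form of the existing catch-all. Keeping the block rule above it
# means scanner requests get a 403 before any other rewriting happens.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
```

A rule like this only sees requests that reach the origin, and it depends on the scanner keeping its default User-Agent header.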
