What User Agents to block?

#1

Does anyone have a list of recommended user agents to block using User Agent Blocking rules? Like a top ten list of the most evil, malicious user agents. If so, please let me know exactly what to type into the User Agent field, because this is a little over my head. Thanks in advance.

#2

Everything since NCSA_Mosaic/2.0 (Windows 3.1) :slight_smile:

1 Like
#3

I used to have 10 UA block rules, all taken from my own server logs as UAs used by malicious bots at some point. But after I adopted a few Firewall Rules based on behavior, rather than IP or UA, I have better protection (based on the number of hits being blocked) and my UA block list became unnecessary.

I started by adapting the recipe in this list, which is for WordPress websites but may as well be used by any site. The hackers don’t know you are not using WP until they see the result of their probing, and by using those rules you deflect the visitors before they hit your origin server, whether or not you are using WP.

If you implement a Firewall Rule such as the above linked, from the Firewall Events log, you’ll see a daily dose of blocks being performed, and by clicking on Details you can easily add a block rule for the UA that attempted to reach your website.

The Firewall Rules can be combined with a few Access Policies to protect your site administration area.

2 Likes
#4

For URI Path contains /wp-login.php I’d remove .php and also add /wp-login to block everything to that directory, and whitelist your business IP(s) or AS Number using AS Num or IP does not equal so you can access the backend.

(http.request.uri.path contains "/wp-admin" and ip.geoip.asnum ne 1234) or (http.request.uri.path contains "/wp-login" and ip.geoip.asnum ne 1234 and ip.src ne 192.168.1.1)

1 Like
#5

Thank you floripare and Withheld. This is very helpful, responses much appreciated. I have already been playing around with firewall rules. The link you provided has some good stuff I will add. I also tried playing around with Access Policies - a bit complex for me - but that’s a different topic. Would still appreciate anyone’s top ten most wanted evil UAs to block.

1 Like
#6

I do have Access Policies to protect access to /wp-login.php and /wp-admin, and since I’m on shared hosting I cannot (and also AFAIK need not) restrict access via IP/ASN. Also, since I work from home and my IP address is dynamic, it changes every time I turn on the computer, so I wouldn’t be able to apply a whitelist. But thanks for the advice, which may apply to the OP and other community members.

Since I have the protection of the Access Policy for /wp-login.php, I have actually changed that rule in my case to something like: URI Path contains wp-login.php and URI Path is not equal to /wp-login.php, so that it blocks any attempts at guessing where my login access is (/wp/wp-login.php, /wordpress/wp-login.php etc).

1 Like
#7

As for bad browsers, it seems to be site specific. I have a few personal sites, help a few friends with small businesses and the one for work. I’ve found no consistency with USER Agents and they change often anyways.

2 Likes
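
An added example (not from any poster in the thread) that models the rules from posts #4 and #6 next to a User-Agent blocklist and runs them over constructed requests, to show which probes each one catches when the User-Agent changes. The sample requests, the `ExampleScanner` UA strings, the blocklist and the exact-match model of UA blocking are assumptions; ASN 1234 and 192.168.1.1 are the placeholder values from post #4.

```python
# Constructed sample requests (not real traffic): ip, asn, path, user agent.
REQUESTS = [
    ("198.51.100.7", 64500, "/wp-login.php",           "ExampleScanner/1.0"),
    ("198.51.100.8", 64501, "/wp-login.php",           "ExampleScanner/1.1"),
    ("198.51.100.9", 64502, "/wordpress/wp-login.php", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("198.51.100.9", 64502, "/wp-admin/install.php",   "Mozilla/5.0 (X11; Linux x86_64)"),
    ("203.0.113.20", 1234,  "/wp-admin/",              "Mozilla/5.0 (Windows NT 10.0)"),
    ("192.168.1.1",  64503, "/wp-login.php",           "Mozilla/5.0 (Windows NT 10.0)"),
    ("192.168.1.1",  64503, "/wp-admin/",              "Mozilla/5.0 (Windows NT 10.0)"),
    ("198.51.100.7", 64500, "/blog/hello",             "ExampleScanner/1.0"),
]

UA_BLOCKLIST = {"ExampleScanner/1.0"}          # hypothetical list built from old logs
ALLOWED_ASN, ALLOWED_IP = 1234, "192.168.1.1"  # placeholder values from post #4


def ua_block(ip, asn, path, ua):
    """UA blocking, modeled (assumption) as an exact match on the User-Agent."""
    return ua in UA_BLOCKLIST


def admin_rule(ip, asn, path, ua):
    """The expression from post #4, with `contains` as a substring test."""
    return ("/wp-admin" in path and asn != ALLOWED_ASN) or (
        "/wp-login" in path and asn != ALLOWED_ASN and ip != ALLOWED_IP)


def stray_login_rule(ip, asn, path, ua):
    """Post #6 variant: block login guesses anywhere except the real path."""
    return "wp-login.php" in path and path != "/wp-login.php"


def blocked_by(rule):
    """Return the indexes of the sample requests the rule would block."""
    return [i for i, req in enumerate(REQUESTS) if rule(*req)]


if __name__ == "__main__":
    for rule in (ua_block, admin_rule, stray_login_rule):
        print(f"{rule.__name__:17} blocks requests {blocked_by(rule)}")
```

Request 6 shows an edge of the post #4 expression: the allowlisted IP is exempted only in the /wp-login clause, so from outside the allowlisted ASN it is still blocked on /wp-admin.
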
#8

Yes, can’t forget :slight_smile:
