How can I block requests without a User-Agent?

glio

Hi, I want to know how I can block requests without a User-Agent header or without a Host: header.

Because 99% of them are trying to hack into the server.

Thank you so much
 
I want to know too, I get this kind of error every day:

103.210.20.112 - - [20/Sep/2022:09:14:02 +0800] "GET / HTTP/1.1" 200 604 "-" "-"
103.210.20.112 - - [20/Sep/2022:09:14:02 +0800] "GET / HTTP/1.1" 421 3837 "-" "-"
103.210.20.112 - - [20/Sep/2022:09:14:02 +0800] "GET / HTTP/1.1" 200 604 "-" "-"
103.210.20.112 - - [20/Sep/2022:09:14:04 +0800] "GET / HTTP/1.1" 421 4315 "-" "-"

Does someone know how to block them?
Thanks
 
In such cases I block them manually: just grep the log, sort, count, and block the top requesting IPs.
 
Do you use CSF? Could you do this by creating a custom REGEX rule?

I tried this rule, but I don't know why they are still getting through without being blocked:

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:330001,msg:'Blocked empty user agent for USERAGENT_IP',phase:1,severity:WARNING,capture,nolog,auditlog,logdata:'%{TX.0}',t:none,deny,status:406"
SecRule REQUEST_HEADERS:User-Agent "^$" "id:330002,msg:'Blocked empty user agent for USERAGENT_IP',phase:1,severity:WARNING,capture,nolog,auditlog,logdata:'%{TX.0}',t:none,deny,status:406"

or

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:330001,msg:'Blocked empty user agent for USERAGENT_IP',phase:2,severity:WARNING,capture,nolog,auditlog,logdata:'%{TX.0}',t:none,deny,status:406"
SecRule REQUEST_HEADERS:User-Agent "^$" "id:330002,msg:'Blocked empty user agent for USERAGENT_IP',phase:2,severity:WARNING,capture,nolog,auditlog,logdata:'%{TX.0}',t:none,deny,status:406"
 
Try using "phase:2", like this:
Code:
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
     "id:'13009',phase:2,t:none,deny,status:406"
SecRule REQUEST_HEADERS:User-Agent "^$" \
     "id:'13006',phase:2,t:none,deny,status:406"
Make sure to restart nginx/apache after adding the rules.
It should throw error code 406; wait a minute and BFM will trigger the block later.

If the request count is not enough, the block is not triggered. That is why it is not blocked by BFM.
 
Thank you, I just made some changes:
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:330001,msg:'Blocked empty user agent for USERAGENT_IP',phase:1,severity:2,log,t:none,deny,status:406"
SecRule REQUEST_HEADERS:User-Agent "^$" "id:330002,msg:'Blocked empty user agent for USERAGENT_IP',phase:1,severity:2,log,t:none,deny,status:406"

And it works now; I hope this will help more people like me (some empty user-agent hacking tools are attacking).
 
One more thing:
Does anyone know how I can log the IP inside the message?
Because in my rule, USERAGENT_IP
does not work; the log text is "Blocked empty user agent for USERAGENT_IP" and not the IP.
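The two points left open in the thread are the Host: header from the first post and getting the client IP into the log line. The rules below are an added example, not from any poster here; they assume ModSecurity 2.x syntax, where %{REMOTE_ADDR} expands in msg, and reuse ids 330001/330002 from the thread plus an assumed 330003.

```apache
# Request with no User-Agent header at all (header count is 0).
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:330001,phase:1,t:none,log,deny,status:406,\
    msg:'Blocked request with missing User-Agent from %{REMOTE_ADDR}'"

# User-Agent header present but empty or whitespace only.
SecRule REQUEST_HEADERS:User-Agent "@rx ^\s*$" \
    "id:330002,phase:1,t:none,log,deny,status:406,\
    msg:'Blocked request with empty User-Agent from %{REMOTE_ADDR}'"

# No Host header: Apache already answers 400 for HTTP/1.1 without Host,
# but HTTP/1.0 requests may omit it, so catch those here as well.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:330003,phase:1,t:none,log,deny,status:400,\
    msg:'Blocked request with missing Host header from %{REMOTE_ADDR}'"
```

Phase 1 runs on the request headers, so the rules fire before any body is read; the access log still records the client IP in its own field, so the macro is only needed if you want it in the error/audit message itself.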
 