SecFilterSelective not working?

Discussion in 'General' started by MisterNinja, Jun 22, 2012.

  1. MisterNinja

    MisterNinja New Member

    I'm trying to block users who don't have a user agent:
    SecFilterSelective HEADER_USER_AGENT "^$"
    SecFilterSelective HTTP_USER_AGENT "^$"

    Neither works and yes I am using vhosts, no Apache. Any suggestions?
  2. NiteWave

    NiteWave Administrator

    I tested
    SecFilterSelective HEADER_USER_AGENT "^$"
    and
    SecFilterSelective HEADER_USER_AGENT ""
    not working. The test command is
    #curl -A "" -I 127.0.0.1/test.html

    However, if not empty, e.g.
    SecFilterSelective HEADER_USER_AGENT "chrome"
    will work as expected -- will forbid the Chrome browser from accessing.

    However, you can use a rewrite rule to achieve the same goal, and much simpler.
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule . - [F]

    RewriteRule is widely used and well tested; it's simpler yet powerful.
  3. MisterNinja

    MisterNinja New Member

    I think the issue is I am trying to grab the access to my site by the domain (root) - that goes through, but everything else doesn't. For some reason that rule isn't applying to /.

    77.9.186.5 - - [22/Jun/2012:19:20:55 +0200] "GET / HTTP/1.1" 200 25992 "-" "-"
    77.9.186.5 - - [22/Jun/2012:19:20:55 +0200] "GET / HTTP/1.1" 200 25992 "-" "-"
    77.9.186.5 - - [22/Jun/2012:19:20:56 +0200] "GET / HTTP/1.1" 200 25992 "-" "-"
    77.9.186.5 - - [22/Jun/2012:19:20:56 +0200] "GET / HTTP/1.1" 200 25992 "-" "-"

    vs

    77.9.186.5 - - [22/Jun/2012:19:20:55 +0200] "GET /index.php HTTP/1.1" 403 25992 "-" "-"

    Is there a reason why rules aren't applying to the root?
    Last edited: Jun 22, 2012
  4. NiteWave

    NiteWave Administrator

    then please try:
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]
  5. MisterNinja

    MisterNinja New Member

    This doesn't seem to be effective enough to block a DDOS. In fact attacking IPs spam the access logs and don't seem to be blocked by lsws's firewall.
  6. NiteWave

    NiteWave Administrator

    Code:
    77.9.186.5 - - [22/Jun/2012:19:20:55 +0200] "GET /index.php HTTP/1.1" 403 25992 "-" "-"
    looks like a problem. The above "25992" should be "380"?
    i.e., response body's size is 380 bytes. content is
    Although it's not the most efficient, it only returns 380 bytes instead of 25,992 bytes; more importantly, PHP is not triggered. PHP/MySQL is usually the bottleneck, especially under attack.
  7. MisterNinja

    MisterNinja New Member

    I just edited the code, because I was too lazy to find the request. The same is there though.
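
To check from the access log whether an empty-User-Agent block like the one discussed in this thread is applied on every path (including `/`), and whether the 403 responses really carry a small body, the following is an added example and not code from any poster in the thread. The sample log lines are constructed, and the function names and the 1024-byte threshold for a "small" 403 body are assumptions.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 25992 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 25992 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 403 380 "-" "-"
192.0.2.11 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 403 25992 "-" ""
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 25992 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def parse(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def audit_empty_ua(lines, max_denied_body=1024):
    """Audit requests whose User-Agent is empty (logged as "-" or "").
    leaked:    path -> count of such requests NOT answered with 403
    oversized: (path, size) of 403 responses larger than max_denied_body
    per_ip:    ip -> number of empty-UA requests seen
    """
    leaked, oversized, per_ip = Counter(), [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["ua"] not in ("", "-"):
            continue  # unparseable line, or a request that sent a User-Agent
        per_ip[rec["ip"]] += 1
        if rec["status"] != 403:
            leaked[rec["path"]] += 1  # rule did not fire for this path
        elif rec["size"] > max_denied_body:
            oversized.append((rec["path"], rec["size"]))  # denied, but body is large
    return leaked, oversized, per_ip

if __name__ == "__main__":
    print(audit_empty_ua(SAMPLE_LOG.splitlines()))
```

A non-empty `leaked` result lists the paths where the rule is not firing. The `per_ip` counts show which clients send the most requests without a User-Agent.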
