How to Block a Bot Attack

Your server may experience heavy hits from bots. Here are three different examples of bot attacks and how to block them.

Example 1: "BUbiNG" bot

“BUbiNG” bot BUbiNG can cause a massive load spike in the server. To prevent further problems, we can deny that user agent globally.

An easy solution is to use a rewrite rule to detect the user agent, and then set environment with the action [E=blockbot]. This will drop the direct connection from that client IP.

Add the following to the .htaccess of your example.com domain:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]

To verify, you can run:

curl -A "BUbiNG" example.com

If your rules need further debugging, you can enable the rewrite log for more details.

Example 2: "xmlrpc.php" Bot

On a server, after configuring cPanel Piped Logging to push entries to /usr/local/apache/logs/error_log, you can see many 404 File not found [/var/www/html/xmlrpc.php] entries coming through. 404 will not trigger the LSWS WordPress protection feature, because the requests look like they're being processed by the default vhost.

Locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using [E=blockbot].

RewriteRule ^/xmlrpc.php - [E=blockbot:1]

Note: Do not apply the above at the server level since it will block everyone accessing xmlrpc.php globally.

Example 3: Cookie Bots

If the bots are cookie related, you can also try something like the following and tailor it to what you need.

RewriteCond %{HTTP_COOKIE} yourcookiename
RewriteRule .* - [F]
 
litespeed_wiki/config/xmlrpc.php_bot_attack_block.txt · Last modified: 2018/10/05 18:52 by Lisa Clarke