Banning by User-Agent

     
1:45 am on Jan 31, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 21, 2004
posts: 135
votes: 0


I have a number of existing entries in my .htaccess file such as:

<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|bin|spd|theme|module)$">
deny from all
</FilesMatch>

but I now need to ban the use of an automated SQL injection tool which (handily) seems to identify itself in the User-Agent request header. My question is, can I simply add the following to my .htaccess file:

SetEnvIfNoCase User-Agent "Tool name here" bad_bot

<Files *>
Deny from env=bad_bot
</Files>

Does the above syntax look correct? Can I safely add <Files *></Files> to an .htaccess file which already contains <FilesMatch></FilesMatch> without confusing things? (I'm guessing yes but want to be sure.)
1:33 pm on Jan 31, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 25, 2011
posts:51
votes: 0


Why not use the user-agent deny with mod_rewrite like so:

RewriteCond %{HTTP_USER_AGENT} goof|Extractor|GrabNet|InterGET [NC]
RewriteRule .* - [F]
1:46 pm on Jan 31, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 21, 2004
posts: 135
votes: 0


Thanks mrtonyg, although to be honest I don't have the knowledge/experience to know which method is better. Very happy to hear further thoughts/comments!
2:24 pm on Jan 31, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5459
votes: 3


Close to perfect a basic tutorial [webmasterworld.com]

Please note: many of the participants in this very old thread were actually making inquiries and using badly formatted syntax.
Most of the UA's were even invalid at the time, forget about using most of them today.
3:41 am on Feb 1, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Usually the best and fastest approach to finding out if something will work is to test it...

However, the answer to the initially-posted question is "Yes, that SetEnvIfNoCase construct should work."

Jim
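
Added example, not part of the original thread: one way to test a User-Agent ban after deploying it is to audit the access log for matching requests that were not answered with 403. The tool name ExampleScanner, the sample log lines and the function name audit_ban are assumptions constructed for illustration; the log format assumed is Apache's "combined" format.

```python
import re

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
_Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + _Q + r' (\d{3}) \S+ ' + _Q + ' ' + _Q + r'$'
)

# Constructed sample lines (documentation IP ranges, made-up tool name).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2011:01:40:02 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199 "-" "ExampleScanner/1.0"',
    '192.0.2.10 - - [31/Jan/2011:01:40:03 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "examplescanner/1.0"',
    '198.51.100.7 - - [31/Jan/2011:01:41:15 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.5 - - [31/Jan/2011:01:42:00 +0000] "GET /page.php HTTP/1.1" 403 199 "-" "Mozilla/4.0 (compatible; EXAMPLESCANNER)"',
]


def audit_ban(lines, ua_pattern):
    """Split requests whose User-Agent matches ua_pattern into (blocked, leaked).

    ua_pattern is applied as an unanchored, case-insensitive regex, the same
    way SetEnvIfNoCase and a RewriteCond with [NC] treat their pattern.
    blocked: matching requests answered with 403.
    leaked:  matching requests answered with anything else, meaning the deny
             rule did not apply to that request.
    A 403 can also come from an unrelated rule, so "blocked" shows the
    outcome, not which directive produced it.
    """
    ua_re = re.compile(ua_pattern, re.IGNORECASE)
    blocked, leaked = [], []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not in combined format; skip rather than guess
        host, request, status, _referer, agent = m.groups()
        if not ua_re.search(agent):
            continue
        entry = (host, request, int(status))
        (blocked if entry[2] == 403 else leaked).append(entry)
    return blocked, leaked


if __name__ == "__main__":
    blocked, leaked = audit_ban(SAMPLE_LOG, "ExampleScanner")
    print("blocked:", len(blocked))
    for host, request, status in leaked:
        print("NOT blocked:", host, status, request)
```
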
10:40 am on Feb 1, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 21, 2004
posts: 135
votes: 0


Thanks both, appreciate the replies.

PS Jim - could you check your inbox(es) for a couple of mails from me recently? Not sure if they made it through.