RewriteCond %{HTTP_USER_AGENT} ^DTS\ Agent$ [NC]

You forgot the OR flag on this one. The correct entry would look like this:

RewriteCond %{HTTP_USER_AGENT} ^DTS\ Agent$ [NC,OR]

I was looking to use rewritemaps. Also, can you block ip-ranges with rewritemaps? Is there a website somewhere with a complete list of bad agents and IP's?

Does anyone has a more manageble sollution for blocking bad IP's/agents? Having all those entries in my httpd.conf or vhosts.conf is a bit much (.htaccess is not an option since I want it serverwide, and without much performance loss).

There are many solutions - mod_rewrite in .htaccess is just the most powerful solution available to Webmasters who do not have root priveleges - the majority. The performance hit of using mod_rewrite is comparitively small, considering the number of sites using complex and lengthy scripts to serve pages.

mod_rewrite in httpd.conf is more efficient.

The above blocks can be made much more efficient by combining the patterns of several RewriteConds to save on overhead. That is instead of:

RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR] 

use:

 RewriteCond %{HTTP_USER_AGENT} ^Web(\ Image\ Collector¦\ Sucker¦Auto¦Copier¦Fetch) [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web(Reaper¦Sauger¦site\ eXtractor¦Stripper¦Whacker¦ZIP) [OR] 

The two lines above can be concatenated as well - I just wanted to avoid a wrapping problem in this post. Some favor using a single RewriteCond containing patterns for all of their "bad bots", while others prefer to organize them alphabetically and by required-anchor type to ease maintenance. In the above example, the patterns are alphabetic, and all are start-anchored.

Remember to replace the broken vertical pipe "¦" characters with solid vertical pipe characters before attempting to use the RewriteConds above.

Is there a website somewhere with a complete list of bad agents and IP's?

No, for two reasons: First, there is no universally-agreed definition of "bad agents," and second, new ones appear every day, making a comprehensive list impossible. A good approach is to combine a static ban list like the one above with an active approach - a spider trap - that will detect and block UAs and IPs which do not honor robots.txt. There are other traps you might implement as well, e.g. bandwidth hog detectors, etc.

I'll leave your question about IP-range blocking with rewrite maps for someone who's actually done it.

Jim

The easiest route is to write a REXX script to handle all HTML requests... all it needs to do it read the file and send - namely send whatever you want, based off IP address, user agent or any other http header info you want. Very simple to do for any Apache, Domino, DominoGo or WebSphere server. The entirety of the script would probably be 10-15 lines and should be cross platform for any of those web servers. (Dont ask me about IIS... we no longer touch it, not after a client ignored our suggestions to NOT use it on their server (singular) and ended up needing a farm of dual CPU servers (9) to handle the traffic one DominoGo/WarpServer single CPU machine did. So, never tried a REXX implementation under IIS and dont know if it works).

php should also run on just about everything as well, including all the web servers I mentioned (and I am pretty sure, also IIS). It shouldnt require much scripting to do the same thing either.

(For your own purposes, you can substitute php for REXX in this paragraph since they should be equally as capable in this respect) I use REXX to do the dynamic page sending, none of the pages ever need to look dynamic to a web browser (in the URL field) or to a bot/search engine (url or links)... (including ones that are run by other scripts and programs, unless I want them to)... and I can also log all such requests on the fly, including real time updating of "should be blocked", "auto-blocked", and "normal" requests.

Because content on our sites is often dynamically served based off cookies or referrers, this, for us, is even more important when it comes to log analysis. There is no log tool I know of that can do what we do because I have yet to find one that can know what content is served because a script put together a page differently based off any combination of (1) cookie(s), (2) referrer, (3) referrer search query parsing (for instance, when people jump to our site from google), (4) browser's UA string, (5) time of day, specific "next served based off info from #1-4 above", (6) affiliate content that gets included dynamically based off a variety of factors, or any combination thereof. REXX (php) can, since you determine what gets logged, how, where, when or if.

Supposedly Apache will soon (or does in the newer releases - or platform specific?) allow module loading... (ie: load once, use for any requests that handle it). That generally may make using something like REXX/php a much mroe suitable alternative for dynamic blocking than having Apache need to read the .htaccess file.

Also, this method, as I noted, will also allow you to dynamically generate your pages for normal users as well AND handle attack requests too... (we pass all requests to formmail.pl, "Latest-MS-IIS-hole-of-the-week-exploit" and so on to a dynamic page, or for logging purposes and some "fun" to a REXX script or REXX exe that is designed to send back neat, custom chosen data to the attacking machine(s)).

Just my one cent...

- Rob

Compression of Rewriterules is an option (used it already) but less manageble as something like a RewriteMap.

Perhaps REXX is then. It uses negligble overhead and runs on virtually every OS I can think of. I havent used it much on any other platform, though I do know that on Warp and eComStation it is amazingly fast. On most platforms, it can be compiled to Java/NetREXX or to an exe. On many, it can be compiled to a DLL file that some web servers can call.

Robert

I do not know if this is an option for you or not.... but for me it works. I took a basic Apache::Block_Agent and installed that in every virtual server. I modded it to block IP's, too, and installed that. Now I have one master text bad_agent file, and one master bad_ip file for all my servers.

dave