Excerpt from:  FAS Talk
September 20, 2008

Webmaster Tips: Blocking Selected User-Agents

While blocking access to servers based on user agent strings does not offer absolute security, it is still very worthwhile.
As a webmaster, you definitely should use user-agent headers to manage server traffic. But understand that this is purely a pragmatic tactic and not a serious security measure.

I was just reviewing our server security logs and ran across a questionable request for "/user/soapCaller.bs". Doing a bit of research on this, I ran across this blog post by Rick Ekle confirming that this was, indeed, the work of some script kiddie's "Morfeus F***ing Scanner" (sorry, that's its name—the underbelly of the Internet is a seedy place) looking for exploitable PHP servers.

No big deal; I added a couple new SlimeGate™ rules and all of our servers are protected from this slime ball.

But what struck me as interesting was the debate in the comment thread on Rick's post about whether or not webmasters should block requests based on user agent names. IMO, the answer is absolutely, yes!

Why block by user-agent?

Some people argue that blocking specific user agents is pointless because user agent names are easily spoofed, thus it is trivial for a hacker to masquerade as any user agent. Therefore, the argument goes, blocking based on user agent provides only a false sense of security.

But this argument misses an important point.  Specifically, blocking by user agent is not intended to provide reliable security; it is intended to block unwanted traffic.  For example, blocking the user agent "^Morfeus" will not make a vulnerable PHP server secure, but it will prevent at least some unwanted traffic.  Arguing against doing this is like arguing against wearing safety belts on the grounds that doing so does not provide absolute safety.

What about blocking generic user agents like "libwww-perl" or "Java"?

In my opinion, most production servers should block generic user agents.  In my experience, it is very rare when a legitimate, desirable application, browser, or web service makes requests using a generic user agent name.  In the vast majority of cases, these products issue user-agent headers that properly identify themselves.

In years of hosting hundreds of commercial sites, I can count on one hand the times we have made exceptions to permit access by a generic user agent name.  And when such an exception is necessary, it is easily accomplished and the exception can be limited by IP address, referrer address, etc.
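An added example, not code from the original post and not SlimeGate's rule syntax: a Python dry run that applies the user-agent patterns named above, plus one IP-limited exception, to access-log lines so you can see what a rule would block before enabling it. The exception network, the Combined Log Format assumption and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Block rules: the page's examples, anchored at the start of the User-Agent value.
BLOCK_RULES = [re.compile(p) for p in (r"^Morfeus", r"^libwww-perl", r"^Java")]

# Assumed exception: the generic "Java" agent is permitted from one network only.
# 192.0.2.0/24 is a documentation range standing in for a partner's address block.
EXCEPTIONS = [(re.compile(r"^Java"), ipaddress.ip_network("192.0.2.0/24"))]

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def decide(ip, agent):
    """Return 'block', 'allow-exception' or 'allow' for one request."""
    if not any(rule.search(agent) for rule in BLOCK_RULES):
        return "allow"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "block"  # a hostname was logged, so no IP-based exception applies
    for ua_rule, net in EXCEPTIONS:
        if ua_rule.search(agent) and addr in net:
            return "allow-exception"
    return "block"

def audit(lines):
    """Dry run: (ip, agent, decision) for every parseable log line."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # not Combined Log Format; skip rather than guess
        results.append((m["ip"], m["agent"], decide(m["ip"], m["agent"])))
    return results

# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    '198.51.100.7 - - [20/Sep/2008:10:00:01 +0000] "GET /user/soapCaller.bs HTTP/1.1" 404 209 "-" "Morfeus-sample"',
    '192.0.2.15 - - [20/Sep/2008:10:00:02 +0000] "GET /feed.xml HTTP/1.1" 200 5120 "-" "Java/1.6.0_07"',
    '203.0.113.9 - - [20/Sep/2008:10:00:03 +0000] "GET /feed.xml HTTP/1.1" 200 5120 "-" "Java/1.6.0_07"',
    '203.0.113.9 - - [20/Sep/2008:10:00:04 +0000] "GET / HTTP/1.0" 200 4096 "-" "libwww-perl/5.805"',
    '203.0.113.20 - - [20/Sep/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; JavaFetcher)"',
]

if __name__ == "__main__":
    for ip, agent, decision in audit(SAMPLE):
        print(f"{decision:16} {ip:15} {agent}")
```

The last sample line is allowed because the patterns are anchored with `^`: an agent that merely contains "Java" later in the string does not match.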

The bottom line

As a webmaster, you definitely should use user-agent headers to manage server traffic. But understand that this is purely a pragmatic tactic and not a serious security measure. Real security comes only through elimination of exploitable security holes.

Comments

Great Post!

I agree. The bad guys are always one step ahead so security should always be a concern. In my article, I detailed how to write your robots.txt, and I agree that this should not really be used for security purposes.

How to write robots.txt:
http://sin8.com/tip-3-its-important-to-hide-parts-of-your-site-from-search-engines
Carl
