Blocking Malicious Requests in Apache: Comprehensive Guide to User Agent Blacklisting with mod_rewrite


When dealing with automated attacks, User-Agent strings often reveal the attacker's tools. The Havij SQL injection tool (and similar malicious software) typically includes identifiable patterns in its User-Agent header. While sophisticated attackers can spoof these strings, blocking known malicious patterns significantly raises their operational costs.

A good first layer is a mod_rewrite rule that answers known tool signatures with a 403; the logging and Fail2Ban pieces further down build on the 403 entries this produces in the access log:


<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} Havij [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} nikto [NC]
    RewriteRule ^.* - [F,L]
</IfModule>

For persistent attackers, have Fail2Ban read those 403 entries and ban the source IP at the firewall:


# /etc/fail2ban/filter.d/apache-havij.conf
[Definition]
failregex = ^<HOST> .*"GET.*HTTP.*" 403 .*"Mozilla.*Havij"
ignoreregex =

# /etc/fail2ban/jail.local
[apache-havij]
enabled = true
port = http,https
filter = apache-havij
logpath = /var/log/apache*/*access.log
maxretry = 1
bantime = 86400

A single alternation covers several tools at once and tags the request with an environment variable so blocked hits can be logged separately:


RewriteCond %{HTTP_USER_AGENT} (Havij|sqlmap|nikto|w3af|acunetix) [NC]
RewriteRule ^ - [F,L,env=blockUA:1]

Add this to your VirtualHost to log blocked attempts separately:


CustomLog /var/log/apache2/blocked_agents.log combined env=blockUA
SetEnvIfNoCase User-Agent ".*(Havij|sqlmap).*" blockUA

Combine with mod_evasive, which rate-limits by client IP regardless of what User-Agent the client sends:


<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 2
    DOSBlockingPeriod 600
</IfModule>

Automated attack tools are among the most common sources of malicious web traffic, and many of them announce themselves with an identifiable User-Agent string. In this case the attacks come from "Havij advanced SQL injection software", whose requests carry this distinctive User-Agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij

The most effective way to block specific user agents is through Apache's mod_rewrite or mod_setenvif modules. Here are two implementation approaches:

Method 1: Using mod_rewrite


<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} Havij [NC]
    RewriteRule ^.*$ - [F,L]
</IfModule>

Method 2: Using mod_setenvif


<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent "Havij" bad_bot
    # Apache 2.2 access-control syntax (2.4 needs mod_access_compat for it); the
    # native 2.4 form is "Require all granted" plus "Require not env bad_bot" inside <RequireAll>.
    Deny from env=bad_bot
</IfModule>

For more robust protection, keep the list of known malicious user agents in a separate file that mod_rewrite loads as a map:


<IfModule mod_rewrite.c>
    RewriteEngine On
    # RewriteMap is only valid in server or VirtualHost context, not in .htaccess.
    # A txt: map holds "key value" pairs separated by whitespace, so each key is a
    # complete User-Agent value without spaces and the lookup is an exact match on
    # the whole header, not a substring search.
    RewriteMap badagents txt:/path/to/bad_agents.txt
    RewriteCond ${badagents:%{HTTP_USER_AGENT}|NOT_FOUND} !NOT_FOUND
    RewriteRule ^.*$ - [F,L]
</IfModule>
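
A txt: map can only hold whitespace-free keys and matches the whole header exactly, which is awkward for a User-Agent such as the Havij one above, where the tool name is the last word of a long string. Apache's prg: map type hands each lookup key to a long-running program instead, which can do a case-insensitive substring match against the list. The script below is an added example (not part of the original guide or of Apache); the script path /usr/local/bin/badagent_map.py and the list path /etc/apache2/bad_agents.txt are assumptions, and the embedded fallback list is constructed.

```python
#!/usr/bin/env python3
"""RewriteMap 'prg:' helper: does this User-Agent contain a known tool signature?
(Added example; not part of the original guide.)

Apache starts the program once, writes one lookup key per line to its stdin and
reads exactly one line back per key: the mapped value, or the literal NULL that
means "not found". Hypothetical VirtualHost wiring:

    RewriteMap badagents "prg:/usr/local/bin/badagent_map.py"
    RewriteCond ${badagents:%{HTTP_USER_AGENT}|NOT_FOUND} !NOT_FOUND
    RewriteRule ^ - [F]
"""
import os
import re
import sys
from typing import Iterable, Iterator, List

# Hypothetical list location: one signature per line, '#' starts a comment.
LIST_PATH = "/etc/apache2/bad_agents.txt"

# Constructed fallback list, used only when LIST_PATH does not exist.
SAMPLE_LIST = """
# tool signatures, matched case-insensitively as substrings
Havij
sqlmap
nikto
w3af
acunetix
"""


def load_signatures(lines: Iterable[str]) -> List[re.Pattern]:
    """Compile each non-empty, non-comment line into a case-insensitive regex.
    Entries are escaped, so they match as literal substrings, not as regexes."""
    sigs: List[re.Pattern] = []
    for raw in lines:
        line = raw.strip()
        if line and not line.startswith("#"):
            sigs.append(re.compile(re.escape(line), re.IGNORECASE))
    return sigs


def lookup(user_agent: str, signatures: List[re.Pattern]) -> str:
    """Return 'BLOCK' if any signature occurs anywhere in the header, else 'NULL'
    (the value mod_rewrite treats as 'key not found', so the |default applies)."""
    for sig in signatures:
        if sig.search(user_agent):
            return "BLOCK"
    return "NULL"


def answer(keys: Iterable[str], signatures: List[re.Pattern]) -> Iterator[str]:
    """One reply per incoming key line, in order; the trailing newline is stripped
    from the key (an empty User-Agent therefore yields NULL)."""
    for key in keys:
        yield lookup(key.rstrip("\r\n"), signatures)


def main() -> None:
    if os.path.exists(LIST_PATH):
        with open(LIST_PATH, encoding="utf-8") as fh:
            sigs = load_signatures(fh)
    else:
        sigs = load_signatures(SAMPLE_LIST.splitlines())
    # Flush after every reply: a reply left in a buffer stalls the worker
    # that is waiting for it, and the rewrite-map mutex serialises all lookups.
    for reply in answer(sys.stdin, sigs):
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because every prg: lookup is serialised through the rewrite-map mutex, the program must stay fast and must never block on anything but stdin; keep the list short and avoid network or disk I/O per request.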

Log blocked attempts to a separate file (this reuses the bad_bot variable set in Method 2):


CustomLog /var/log/apache2/bad_agents.log "%h %{User-Agent}i" env=bad_bot

Feed the resulting 403 entries to Fail2Ban so the source IP is blocked at the firewall rather than only at Apache:


# /etc/fail2ban/filter.d/apache-badagents.conf
[Definition]
# The User-Agent is the last quoted field of the combined log format and the tool
# name usually appears inside it rather than as the whole value, so match it
# anywhere between the quotes (a pattern such as "Havij" with quotes on both
# sides would never match the User-Agent shown above).
failregex = ^<HOST> .*"GET [^"]*" 403 \S+ "[^"]*" "[^"]*Havij[^"]*"$
            ^<HOST> .*"GET [^"]*" 403 \S+ "[^"]*" "[^"]*sqlmap[^"]*"$
ignoreregex =

# /etc/fail2ban/jail.local
[apache-badagents]
enabled  = true
port     = http,https
filter   = apache-badagents
logpath  = /var/log/apache2/access.log
maxretry = 3
bantime  = 86400
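
Before enabling a jail it is worth confirming that the failregex actually fires on the lines Apache writes. The script below is an added example (not part of the original guide or of Fail2Ban) that dry-runs the failregex idea used by both Fail2Ban filters in this guide against constructed combined-format log lines with RFC 5737 test addresses; the <HOST> expansion is a simplification of what Fail2Ban substitutes. It also shows the quoting pitfall: a pattern that puts a quote directly before the tool name only fires when the tool name is the entire User-Agent value, whereas the real Havij header ends with " Havij" after a space.

```python
"""Dry run of Fail2Ban-style failregex lines against constructed access-log lines
(added example; not part of the original guide or of Fail2Ban)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Fail2Ban replaces <HOST> with its own host-matching group. This stand-in is a
# simplification: it takes the leading whitespace-free token as the host.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# Filter that requires the quote character directly before the tool name; it only
# matches when the tool name is the *entire* User-Agent value.
NAIVE_FAILREGEX = [
    r'^<HOST>.*"GET.*" 403.*"Havij"',
    r'^<HOST>.*"GET.*" 403.*"sqlmap"',
]

# Filter that matches the tool name anywhere inside the last quoted field (the
# User-Agent in the combined LogFormat: request, status, bytes, referer, UA).
FAILREGEX = [
    r'^<HOST> .*"GET [^"]*" 403 \S+ "[^"]*" "[^"]*Havij[^"]*"$',
    r'^<HOST> .*"GET [^"]*" 403 \S+ "[^"]*" "[^"]*sqlmap[^"]*"$',
]

HAVIJ_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"

# Constructed access-log lines in Apache's "combined" format.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199 "-" "{HAVIJ_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /products.php?id=2 HTTP/1.1" 403 199 "-" "{HAVIJ_UA}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /news.php?id=3 HTTP/1.1" 403 199 "-" "{HAVIJ_UA}"',
    '198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /login.php HTTP/1.1" 403 199 "-" "sqlmap/1.7"',
    f'192.0.2.55 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "{BROWSER_UA}"',
    # A 403 produced by an unrelated access rule; a browser user must not be banned for it.
    f'192.0.2.55 - - [10/Oct/2023:13:56:11 +0000] "GET /private/ HTTP/1.1" 403 199 "-" "{BROWSER_UA}"',
]


def compile_filters(failregex: Iterable[str]) -> List[re.Pattern]:
    """Expand <HOST> (simplified, see HOST_RE) and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in failregex]


def count_failures(lines: Iterable[str], filters: List[re.Pattern]) -> Dict[str, int]:
    """Tally matching lines per host, as Fail2Ban does before comparing with
    maxretry. findtime is ignored here: all lines count as one window."""
    hits: Counter = Counter()
    for line in lines:
        for pattern in filters:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # one failure per line even if several regexes match
    return dict(hits)


def hosts_to_ban(lines: Iterable[str], filters: List[re.Pattern], maxretry: int) -> List[str]:
    """Hosts whose failure count reached maxretry (3 in the jail above)."""
    return sorted(host for host, n in count_failures(lines, filters).items() if n >= maxretry)


if __name__ == "__main__":
    for name, regexes in (("naive", NAIVE_FAILREGEX), ("corrected", FAILREGEX)):
        filters = compile_filters(regexes)
        print(name, count_failures(SAMPLE_LOG, filters), "ban:", hosts_to_ban(SAMPLE_LOG, filters, 3))
```

With the naive patterns no host is ever counted, so the jail would never ban anyone; with the corrected patterns the Havij source reaches maxretry after three blocked requests while the browser user's unrelated 403 is ignored. Fail2Ban ships the real tool for this check: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-badagents.conf runs the filter file against the actual log and reports how many lines matched.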

Verify your setup works using curl:


curl -A "Havij test" http://yoursite.com -I
# Should return HTTP 403 Forbidden