Skip to content

Instantly share code, notes, and snippets.

@jthatch

jthatch/nginx block AV user agents

Created July 15, 2021 15:10
Show Gist options
  • Save jthatch/3c9404e0038b90406e184a8c880f034e to your computer and use it in GitHub Desktop.
Save jthatch/3c9404e0038b90406e184a8c880f034e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
nginx block AV user agents
# nginx port of https://gist.github.com/netscylla/23fda41e0de8cc211ef518b6954fed8c
#
# instructions:
# save the map $http_user_agent $bad_bot {..} section as /etc/nginx/conf/map-bad-bots.conf
# save the deny as /etc/nginx/conf/deny-av.conf
# note nginx out the box has no domain name resolver. you'll need to install https://github.com/flant/nginx-http-rdns
#
# inside /etc/nginx/nginx.conf add the following to the nginx {} section.
# include conf/map-bad-bots.conf;
# inside your server location {} add the following:
# include conf/deny-av.conf
#
# restart/reload nginx.
# block dodgy user agents 0 = allowed 1 = blocked
map $http_user_agent $bad_bot {
default 0;
"~*(?:\b)Aboundex(?:\b)" 1;
"~*(?:\b)80legs(?:\b)" 1;
"~*(?:\b)360Spider(?:\b)" 1;
"~*(?:\b)http(?:\b)" 1;
"~*(?:\b)Java(?:\b)" 1;
"~*(?:\b)Cogentbot(?:\b)" 1;
"~*(?:\b)Alexibot(?:\b)" 1;
"~*(?:\b)asterias(?:\b)" 1;
"~*(?:\b)attach(?:\b)" 1;
"~*(?:\b)BackDoorBot(?:\b)" 1;
"~*(?:\b)BackWeb(?:\b)" 1;
"~*(?:\b)Bandit(?:\b)" 1;
"~*(?:\b)BatchFTP(?:\b)" 1;
"~*(?:\b)Bigfoot(?:\b)" 1;
"~*(?:\b)Black.Hole(?:\b)" 1;
"~*(?:\b)BlackWidow(?:\b)" 1;
"~*(?:\b)BlowFish(?:\b)" 1;
"~*(?:\b)BotALot(?:\b)" 1;
"~*(?:\b)Buddy(?:\b)" 1;
"~*(?:\b)BuiltBotTough(?:\b)" 1;
"~*(?:\b)Bullseye(?:\b)" 1;
"~*(?:\b)BunnySlippers(?:\b)" 1;
"~*(?:\b)Cegbfeieh(?:\b)" 1;
"~*(?:\b)CheeseBot(?:\b)" 1;
"~*(?:\b)CherryPicker(?:\b)" 1;
"~*(?:\b)ChinaClaw(?:\b)" 1;
"~*(?:\b)Collector(?:\b)" 1;
"~*(?:\b)Copier(?:\b)" 1;
"~*(?:\b)CopyRightCheck(?:\b)" 1;
"~*(?:\b)cosmos(?:\b)" 1;
"~*(?:\b)Crescent(?:\b)" 1;
"~*(?:\b)Custo(?:\b)" 1;
"~*(?:\b)AIBOT(?:\b)" 1;
"~*(?:\b)DISCo(?:\b)" 1;
"~*(?:\b)DIIbot(?:\b)" 1;
"~*(?:\b)DittoSpyder(?:\b)" 1;
"~*(?:\b)Download\ Demon(?:\b)" 1;
"~*(?:\b)Download\ Devil(?:\b)" 1;
"~*(?:\b)Download\ Wonder(?:\b)" 1;
"~*(?:\b)dragonfly(?:\b)" 1;
"~*(?:\b)Drip(?:\b)" 1;
"~*(?:\b)eCatch(?:\b)" 1;
"~*(?:\b)EasyDL(?:\b)" 1;
"~*(?:\b)ebingbong(?:\b)" 1;
"~*(?:\b)EirGrabber(?:\b)" 1;
"~*(?:\b)EmailCollector(?:\b)" 1;
"~*(?:\b)EmailSiphon(?:\b)" 1;
"~*(?:\b)EmailWolf(?:\b)" 1;
"~*(?:\b)EroCrawler(?:\b)" 1;
"~*(?:\b)Exabot(?:\b)" 1;
"~*(?:\b)Express\ WebPictures(?:\b)" 1;
"~*(?:\b)Extractor(?:\b)" 1;
"~*(?:\b)EyeNetIE(?:\b)" 1;
"~*(?:\b)Foobot(?:\b)" 1;
"~*(?:\b)flunky(?:\b)" 1;
"~*(?:\b)FrontPage(?:\b)" 1;
"~*(?:\b)Go-Ahead-Got-It(?:\b)" 1;
"~*(?:\b)gotit(?:\b)" 1;
"~*(?:\b)GrabNet(?:\b)" 1;
"~*(?:\b)Grafula(?:\b)" 1;
"~*(?:\b)Harvest(?:\b)" 1;
"~*(?:\b)hloader(?:\b)" 1;
"~*(?:\b)HMView(?:\b)" 1;
"~*(?:\b)HTTrack(?:\b)" 1;
"~*(?:\b)humanlinks(?:\b)" 1;
"~*(?:\b)IlseBot(?:\b)" 1;
"~*(?:\b)Image\ Stripper(?:\b)" 1;
"~*(?:\b)Image\ Sucker(?:\b)" 1;
"~*(?:\b)Indy\ Library(?:\b)" 1;
"~*(?:\b)InfoNaviRobot(?:\b)" 1;
"~*(?:\b)InfoTekies(?:\b)" 1;
"~*(?:\b)Intelliseek(?:\b)" 1;
"~*(?:\b)InterGET(?:\b)" 1;
"~*(?:\b)Internet\ Ninja(?:\b)" 1;
"~*(?:\b)Iria(?:\b)" 1;
"~*(?:\b)Jakarta(?:\b)" 1;
"~*(?:\b)JennyBot(?:\b)" 1;
"~*(?:\b)JetCar(?:\b)" 1;
"~*(?:\b)JOC(?:\b)" 1;
"~*(?:\b)JustView(?:\b)" 1;
"~*(?:\b)Jyxobot(?:\b)" 1;
"~*(?:\b)Kenjin.Spider(?:\b)" 1;
"~*(?:\b)Keyword.Density(?:\b)" 1;
"~*(?:\b)larbin(?:\b)" 1;
"~*(?:\b)LexiBot(?:\b)" 1;
"~*(?:\b)lftp(?:\b)" 1;
"~*(?:\b)libWeb/clsHTTP(?:\b)" 1;
"~*(?:\b)likse(?:\b)" 1;
"~*(?:\b)LinkextractorPro(?:\b)" 1;
"~*(?:\b)LinkScan/8.1a.Unix(?:\b)" 1;
"~*(?:\b)LNSpiderguy(?:\b)" 1;
"~*(?:\b)LinkWalker(?:\b)" 1;
"~*(?:\b)lwp-trivial(?:\b)" 1;
"~*(?:\b)LWP::Simple(?:\b)" 1;
"~*(?:\b)Magnet(?:\b)" 1;
"~*(?:\b)Mag-Net(?:\b)" 1;
"~*(?:\b)MarkWatch(?:\b)" 1;
"~*(?:\b)Mass\ Downloader(?:\b)" 1;
"~*(?:\b)Mata.Hari(?:\b)" 1;
"~*(?:\b)Memo(?:\b)" 1;
"~*(?:\b)Microsoft.URL(?:\b)" 1;
"~*(?:\b)Microsoft\ URL\ Control(?:\b)" 1;
"~*(?:\b)MIDown\ tool(?:\b)" 1;
"~*(?:\b)MIIxpc(?:\b)" 1;
"~*(?:\b)Mirror(?:\b)" 1;
"~*(?:\b)Missigua\ Locator(?:\b)" 1;
"~*(?:\b)Mister\ PiX(?:\b)" 1;
"~*(?:\b)moget(?:\b)" 1;
"~*(?:\b)Mozilla/3.Mozilla/2.01(?:\b)" 1;
"~*(?:\b)Mozilla.*NEWT(?:\b)" 1;
"~*(?:\b)NAMEPROTECT(?:\b)" 1;
"~*(?:\b)Navroad(?:\b)" 1;
"~*(?:\b)NearSite(?:\b)" 1;
"~*(?:\b)NetAnts(?:\b)" 1;
"~*(?:\b)Netcraft(?:\b)" 1;
"~*(?:\b)NetMechanic(?:\b)" 1;
"~*(?:\b)NetSpider(?:\b)" 1;
"~*(?:\b)Net\ Vampire(?:\b)" 1;
"~*(?:\b)NetZIP(?:\b)" 1;
"~*(?:\b)NextGenSearchBot(?:\b)" 1;
"~*(?:\b)NG(?:\b)" 1;
"~*(?:\b)NICErsPRO(?:\b)" 1;
"~*(?:\b)niki-bot(?:\b)" 1;
"~*(?:\b)NimbleCrawler(?:\b)" 1;
"~*(?:\b)Ninja(?:\b)" 1;
"~*(?:\b)NPbot(?:\b)" 1;
"~*(?:\b)Octopus(?:\b)" 1;
"~*(?:\b)Offline\ Explorer(?:\b)" 1;
"~*(?:\b)Offline\ Navigator(?:\b)" 1;
"~*(?:\b)Openfind(?:\b)" 1;
"~*(?:\b)OutfoxBot(?:\b)" 1;
"~*(?:\b)PageGrabber(?:\b)" 1;
"~*(?:\b)Papa\ Foto(?:\b)" 1;
"~*(?:\b)pavuk(?:\b)" 1;
"~*(?:\b)pcBrowser(?:\b)" 1;
"~*(?:\b)PHP\ version\ tracker(?:\b)" 1;
"~*(?:\b)Pockey(?:\b)" 1;
"~*(?:\b)ProPowerBot/2.14(?:\b)" 1;
"~*(?:\b)ProWebWalker(?:\b)" 1;
"~*(?:\b)psbot(?:\b)" 1;
"~*(?:\b)Pump(?:\b)" 1;
"~*(?:\b)QueryN.Metasearch(?:\b)" 1;
"~*(?:\b)RealDownload(?:\b)" 1;
"~*(?:\b)Reaper(?:\b)" 1;
"~*(?:\b)Recorder(?:\b)" 1;
"~*(?:\b)ReGet(?:\b)" 1;
"~*(?:\b)RepoMonkey(?:\b)" 1;
"~*(?:\b)RMA(?:\b)" 1;
"~*(?:\b)Siphon(?:\b)" 1;
"~*(?:\b)SiteSnagger(?:\b)" 1;
"~*(?:\b)SlySearch(?:\b)" 1;
"~*(?:\b)SmartDownload(?:\b)" 1;
"~*(?:\b)Snake(?:\b)" 1;
"~*(?:\b)Snapbot(?:\b)" 1;
"~*(?:\b)Snoopy(?:\b)" 1;
"~*(?:\b)sogou(?:\b)" 1;
"~*(?:\b)SpaceBison(?:\b)" 1;
"~*(?:\b)SpankBot(?:\b)" 1;
"~*(?:\b)spanner(?:\b)" 1;
"~*(?:\b)Sqworm(?:\b)" 1;
"~*(?:\b)Stripper(?:\b)" 1;
"~*(?:\b)Sucker(?:\b)" 1;
"~*(?:\b)SuperBot(?:\b)" 1;
"~*(?:\b)SuperHTTP(?:\b)" 1;
"~*(?:\b)Surfbot(?:\b)" 1;
"~*(?:\b)suzuran(?:\b)" 1;
"~*(?:\b)Szukacz/1.4(?:\b)" 1;
"~*(?:\b)tAkeOut(?:\b)" 1;
"~*(?:\b)Teleport(?:\b)" 1;
"~*(?:\b)Telesoft(?:\b)" 1;
"~*(?:\b)TurnitinBot/1.5(?:\b)" 1;
"~*(?:\b)The.Intraformant(?:\b)" 1;
"~*(?:\b)TheNomad(?:\b)" 1;
"~*(?:\b)TightTwatBot(?:\b)" 1;
"~*(?:\b)Titan(?:\b)" 1;
"~*(?:\b)True_Robot(?:\b)" 1;
"~*(?:\b)turingos(?:\b)" 1;
"~*(?:\b)TurnitinBot(?:\b)" 1;
"~*(?:\b)URLy.Warning(?:\b)" 1;
"~*(?:\b)Vacuum(?:\b)" 1;
"~*(?:\b)VCI(?:\b)" 1;
"~*(?:\b)VoidEYE(?:\b)" 1;
"~*(?:\b)Web\ Image\ Collector(?:\b)" 1;
"~*(?:\b)Web\ Sucker(?:\b)" 1;
"~*(?:\b)WebAuto(?:\b)" 1;
"~*(?:\b)WebBandit(?:\b)" 1;
"~*(?:\b)Webclipping.com(?:\b)" 1;
"~*(?:\b)WebCopier(?:\b)" 1;
"~*(?:\b)WebEMailExtrac.*(?:\b)" 1;
"~*(?:\b)WebEnhancer(?:\b)" 1;
"~*(?:\b)WebFetch(?:\b)" 1;
"~*(?:\b)WebGo\ IS(?:\b)" 1;
"~*(?:\b)Web.Image.Collector(?:\b)" 1;
"~*(?:\b)WebLeacher(?:\b)" 1;
"~*(?:\b)WebmasterWorldForumBot(?:\b)" 1;
"~*(?:\b)WebReaper(?:\b)" 1;
"~*(?:\b)WebSauger(?:\b)" 1;
"~*(?:\b)Website\ eXtractor(?:\b)" 1;
"~*(?:\b)Website\ Quester(?:\b)" 1;
"~*(?:\b)Webster(?:\b)" 1;
"~*(?:\b)WebStripper(?:\b)" 1;
"~*(?:\b)WebWhacker(?:\b)" 1;
"~*(?:\b)WebZIP(?:\b)" 1;
"~*(?:\b)Whacker(?:\b)" 1;
"~*(?:\b)Widow(?:\b)" 1;
"~*(?:\b)WISENutbot(?:\b)" 1;
"~*(?:\b)WWWOFFLE(?:\b)" 1;
"~*(?:\b)WWW-Collector-E(?:\b)" 1;
"~*(?:\b)Xaldon(?:\b)" 1;
"~*(?:\b)Xenu(?:\b)" 1;
"~*(?:\b)Zeus(?:\b)" 1;
"~*(?:\b)http(?:\b)" 1;
"~*(?:\b)google(?:\b)" 1;
"~*(?:\b)paypal(?:\b)" 1;
"~*(?:\b)ZmEu(?:\b)" 1;
"~*(?:\b)paypal(?:\b)" 1;
"~*(?:\b)Zyborg(?:\b)" 1;
"~*(?:\b)bot(?:\b)" 1;
"~*(?:\b)Acunetix(?:\b)" 1;
"~*(?:\b)FHscan(?:\b)" 1;
"~*(?:\b)Baiduspider(?:\b)" 1;
"~*(?:\b)Yandex(?:\b)" 1;
"~*(?:\b)}(?:\b)" 1;
}
if ($bad_bot = '1') {
return 444;
}
# block av hosts
deny zeustracker.abuse.ch;
deny virustotal.com;
deny adminus.net;
deny aegislab.com;
deny alienvault.com;
deny antiy.net;
deny avast.com;
deny team-cymru.org;
deny eset.com;
deny fireeye.com;
deny microsoft.com;
deny kernelmode.info;
deny malwaredomainlist.com;
deny wilderssecurity.com;
deny eset-la.com;
deny blogs.eset-la.com;
deny welivesecurity.com;
deny urlquery.net;
deny anubis.iseclab.org;
deny reclassify.url.trendmicro.com;
deny dragonjar.org;
deny vpro.su;
deny cclub.su;
deny securitybydefault.com;
deny matthewfl.com;
deny garyshood.com;
deny virscan.org;
deny malwarebytes.org;
deny community.norton.com;
deny avira.com;
deny bitdefender.com;
deny c-sirt.org;
deny clean-mx.de;
deny crdfglobal.org;
deny comodo.com;
deny fbi.gov;
deny interpol.int;
deny cybercitizenship.org;
deny cybercrime-tracker.net;
deny drweb.com;
deny kaspersky.com;
deny bitdefender.com;
deny malwares.com;
deny zvelo.com;
deny zcloudsec.com;
deny yandex.com;
deny facebook.com;
deny hotmail.com;
deny google.com;
deny wepawet.iseclab.org;
deny websense.com;
deny vxvault.siri-urz.net;
deny tekdefense.com;
deny malc0de.com;
deny malwareblacklist.com;
deny minotauranalysis.com;
deny Sacour.cn;
deny scoop.it;
deny tencent.com;
deny spyeyetracker.abuse.ch;
deny abuse.ch;
deny SCUMWARE.org;
deny scumware.org;
deny sophos.com;
deny securebrain.co.jp;
deny quttera.com;
deny hosts-file.net;
deny amada.abuse.ch;
deny palevotracker.abuse.ch;
deny blogger.com;
deny phishtank.com;
deny netcraft.com;
deny google.com;
deny yahoo.com;
deny malwared.ru;
deny malware.com.br;
deny malekal.com;
deny k7computing.com ;
deny gdata.com;
deny gdatasoftware.com;
deny fortinet.com;
deny emsisoft.com;
deny quttera.com;
deny opera.com;
deny infospyware.com;
deny kaspersky.com;
deny Kaspersky;
deny Avira;
deny yahoo.com;
deny search.com;
deny bing.com;
deny lloyds;
deny PayPal;
deny .co.uk;
deny .gov.uk;
deny bezeqint.net;
deny barak-online.net;
deny internetidentity.com;
deny phish-inspector.com;
deny netcraft.com;
deny spamcop.net;
deny veritas.com;
deny .edu;
deny crawl;
deny verisign-dbms.com;
deny verisign.com;
deny phishingsite-collector;
deny netcraft.com;
deny net.il;
deny com.il;
deny co.il;
deny org.il;
deny mcafee;
deny spam;
deny phish;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment