Bad Bot Blocker¶
The Nginx Ultimate Bad Bot Blocker is a set of configuration files for Nginx that blocks over 4000 bad referrers, spam referrers, user agents, bad bots, bad IPs, porn, gambling and clickjacking sites, lucrative SEO companies, and WordPress theme detectors. It is regularly maintained and easily updateable.
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
Installing Bad Bot Blocker¶
Obtain the globalblacklist.conf file and place it in your /etc/nginx/conf.d folder:
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/conf.d/globalblacklist.conf -O /etc/nginx/conf.d/globalblacklist.conf
Create a config directory to store the include files:
sudo mkdir /etc/nginx/bots.d
Download and place the following files into that folder:
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/blockbots.conf -O /etc/nginx/bots.d/blockbots.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/ddos.conf -O /etc/nginx/bots.d/ddos.conf
Download the whitelist configuration files:
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/whitelist-ips.conf -O /etc/nginx/bots.d/whitelist-ips.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/whitelist-domains.conf -O /etc/nginx/bots.d/whitelist-domains.conf
Add your static IPs to the whitelist-ips.conf file and your domains to the whitelist-domains.conf file.
Now download custom blacklist files for bad user-agents, bad referrers, and bad IP addresses or ranges:
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/blacklist-user-agents.conf -O /etc/nginx/bots.d/blacklist-user-agents.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/custom-bad-referrers.conf -O /etc/nginx/bots.d/custom-bad-referrers.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/blacklist-ips.conf -O /etc/nginx/bots.d/blacklist-ips.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/bots.d/bad-referrer-words.conf -O /etc/nginx/bots.d/bad-referrer-words.conf
These files are for you to edit with your own additions; they won't be overwritten when you update the lists. Instructions on how to use them are in the comments within each file. Just open them in nano to read.
Now fetch the botblocker-nginx-settings.conf file, which contains the Nginx rate-limiting settings:
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/conf.d/botblocker-nginx-settings.conf -O /etc/nginx/conf.d/botblocker-nginx-settings.conf
Open up the Nginx config file:
sudo nano /etc/nginx/nginx.conf
and ensure it contains the following directive inside the http block. Add it if not:
include /etc/nginx/conf.d/*;
And ensure the following two lines are included in your virtual host files, inside a server block:
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
Adding a dedicated log file¶
Now we'll create a separate Nginx log specifically for bad bots, which we can then feed to fail2ban. First make the following changes in the blockbots.conf file:
sudo nano /etc/nginx/bots.d/blockbots.conf
# UNCOMMENT THE NEXT 4 LINES TO ACTIVATE THE SUPER WHITELIST
#if ($remote_addr ~ "(127.0.0.1)|(192.168.0.1)" ) {
#    set $bad_bot '0'; #Uncommenting this line will disable bad_bots functionality for specified IP(s)
#    set $validate_client '0'; #Uncommenting this line will disable validate_client ip blocking functionality for specified IP(s)
#}
set $bbcode '0';
# --------------
# BLOCK BAD BOTS
# --------------
# Section bot_1 Unused
#limit_conn bot1_connlimit 100;
#limit_req zone=bot1_reqlimitip burst=50;
limit_conn bot2_connlimit 10;
limit_req zone=bot2_reqlimitip burst=10;
if ($bad_bot = '3') {
    set $logbb 1;
    set $bbcode 'Type: Bad Bot';
    return 444;
}
# ---------------------
# BLOCK BAD REFER WORDS
# ---------------------
if ($bad_words) {
    set $logbb 1;
    set $bbcode 'Type: Bad Word';
    return 444;
}
# ------------------
# BLOCK BAD REFERERS
# ------------------
if ($bad_referer) {
    set $logbb 1;
    set $bbcode 'Type: Bad Referrer';
    return 444;
}
# -----------------------------
# BLOCK IP ADDRESSES and RANGES
# -----------------------------
if ($validate_client) {
    set $logbb 1;
    set $bbcode 'Type: Bad IP Address';
    return 444;
}
# Additional log for Bad Bots
access_log /var/log/nginx/access_badbots.log bb if=$logbb;
# If we have a global access log, we need to re-declare it here
access_log /var/log/nginx/access.log main;
Now define the custom log format in /etc/nginx/nginx.conf and give the $logbb variable a default value via a map, so that requests that are not blocked still have the variable defined:
sudo nano /etc/nginx/nginx.conf
http {
    ...
    log_format bb '$remote_addr - $remote_user [$time_local] $host "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$bbcode"';
    ...
    map $host $logbb {
        default 0;
    }
}
Check the configuration with:
sudo nginx -t
And apply changes (if no errors) with:
sudo service nginx reload
Testing¶
Run the following commands one by one from a terminal on another Linux machine against your own domain name. Substitute example.com in the examples below with your real domain name.
curl -A "googlebot" http://example.com
Should respond with the normal page (HTTP 200 OK).
curl -A "80legs" http://example.com
curl -A "masscan" http://example.com
Should respond with: curl: (52) Empty reply from server (Nginx returned 444 and closed the connection).
curl -I http://example.com -e http://100dollars-seo.com
curl -I http://example.com -e http://zx6.ru
Should respond with: curl: (52) Empty reply from server (Nginx returned 444 and closed the connection).
Check the log:
sudo tail -n 10 /var/log/nginx/access_badbots.log
Updating¶
To update to the latest version automatically, create a script:
sudo nano /usr/local/sbin/update-badbotsblocker.sh
and enter the following:
#!/bin/sh
# Fetch the latest global blacklist, then reload Nginx only if the configuration still passes the syntax check
wget -q https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/conf.d/globalblacklist.conf -O /etc/nginx/conf.d/globalblacklist.conf
nginx -t && service nginx reload
exit 0
Make the script executable:
sudo chmod +x /usr/local/sbin/update-badbotsblocker.sh
Then schedule it with a cron job:
sudo crontab -e
0 22 * * * /usr/local/sbin/update-badbotsblocker.sh > /dev/null 2>&1
Blocking bots with fail2ban¶
We can block persistent bad bots at the firewall level using fail2ban, which spares Nginx from having to process their requests at all.
Create a filter:
sudo nano /etc/fail2ban/filter.d/nginx-badbots.conf
[Definition]
failregex = ^<HOST> .* 444 .*"Type: Bad Bot"$
ignoreregex =
Create a jail:
sudo nano /etc/fail2ban/jail.d/nginx-badbots.local
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access_badbots.log
maxretry = 1
findtime = 36000
bantime = 86400
action = iptables-allports
Reload fail2ban:
sudo fail2ban-client reload
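As an added example (not part of the original page or of the bot blocker project), the following Python script replays the nginx-badbots filter and jail settings above over a few constructed lines in the bb log format, showing which client IPs would be banned and that "Type: Bad Referrer" and 200 entries never feed this jail. It assumes IPv4-only hosts (fail2ban's real <HOST> tag also matches IPv6 and hostnames) and generalises the check to arbitrary maxretry and findtime values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the filter, with fail2ban's <HOST> tag expanded.
# Assumption: IPv4 only; fail2ban's real <HOST> also matches IPv6 and hostnames.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = re.compile(r"^" + HOST_RE + r' .* 444 .*"Type: Bad Bot"$')
# [$time_local] as written by the bb log_format, e.g. [10/Oct/2023:22:01:02 +0000]
TIME_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")

# Constructed sample lines in the bb log_format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:22:01:02 +0000] example.com "GET / HTTP/1.1" 444 0 "-" "masscan/1.0" "-" "Type: Bad Bot"',
    '198.51.100.7 - - [10/Oct/2023:22:01:05 +0000] example.com "HEAD / HTTP/1.1" 444 0 "http://zx6.ru" "curl/7.88.1" "-" "Type: Bad Referrer"',
    '192.0.2.9 - - [10/Oct/2023:22:01:09 +0000] example.com "GET / HTTP/1.1" 200 512 "-" "googlebot" "-" "0"',
    '203.0.113.5 - - [10/Oct/2023:23:30:00 +0000] example.com "GET /wp-login.php HTTP/1.1" 444 0 "-" "80legs" "-" "Type: Bad Bot"',
]


def log_time(line):
    """Parse the [$time_local] field of a bb-format line."""
    return datetime.strptime(TIME_RE.search(line).group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def hosts_to_ban(lines, maxretry=1, findtime=36000):
    """Return the hosts the jail would ban: those with at least maxretry
    failregex matches inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # 200s and the other block types do not feed this jail
        host, ts = m.group("host"), log_time(line)
        # keep only this host's earlier hits that are still within findtime
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(hits[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("banned with the page's jail settings:", hosts_to_ban(SAMPLE_LOG))
```

On the server itself, fail2ban-regex /var/log/nginx/access_badbots.log /etc/fail2ban/filter.d/nginx-badbots.conf performs the same check with fail2ban's own parser and its real <HOST> matching.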