blocking user agents via IPTables?


Recommended Posts

What proxy are you using. I don't see how you could do with that sort of thing without a proxy, or layer 7 type of firewall. So what are you using to filter/block? Or is this on your server and your wanting to block specific useragents from accessing your service/httpd?

You need Layer 7 support 

 

http://l7-filter.sourceforge.net/ might help with that.

 

If I remember rightly it uses REGEX to match which is a bit of pain to get right (Well that could just be I'm not very good at writing regex patterns)

  On 05/08/2014 at 13:54, BudMan said:

What proxy are you using. I don't see how you could do with that sort of thing without a proxy, or layer 7 type of firewall. So what are you using to filter/block? Or is this on your server and your wanting to block specific useragents from accessing your service/httpd?

correct this is my proxy server (squid), but everyone is going via the server to access the internet so there is a linux machine between the clients and the interwebs so I was going to use IP tables to block everything but (lets say safari) if they are not using safari not forwarding to the interwebs

 

to summarise to clear up confusion

 

user -> server (IPtables->squid) -> internet

in squid its simple acl that matches the UA you want to allow, and deny all others.

acl aclname browser [-i] regexp ...

# pattern match on User-Agent header (see also req_header below) [fast]

acl aclname req_header header-name [-i] any\.regex\.here

# regex match against any of the known request headers. May be

# thought of as a superset of "browser", "referer" and "mime-type"

# ACL [fast]

  On 05/08/2014 at 14:40, BudMan said:

in squid its simple acl that matches the UA you want to allow, and deny all others.

acl aclname browser [-i] regexp ...

# pattern match on User-Agent header (see also req_header below) [fast]

acl aclname req_header header-name [-i] any\.regex\.here

# regex match against any of the known request headers. May be

# thought of as a superset of "browser", "referer" and "mime-type"

# ACL [fast]

ok I will do it this way then thanks :) was actually just trying it out but I cannot seem to get it working... do you have an example (e.g.... MSIE?) or a useful link?

do google for blocking browser useragent squid and you should find a couple of walk thru's - you are running what version of squid? I recall a previous thread with you about squid and you were running really old version - but I think you updated?

  On 05/08/2014 at 15:23, BudMan said:

do google for blocking browser useragent squid and you should find a couple of walk thru's - you are running what version of squid? I recall a previous thread with you about squid and you were running really old version - but I think you updated?

*cough* I am still using squid 2.4 :D I have latest squid 3 on the system from the other thread but for now this one is using 2.4. I will most likely upgrade after I have the browsers blocked

Well 2.4 doesn't have the acls - believe they were added in 2.6, so like that last thread would explain why not working. At a loss to why anyone would be using such an old version?? 2.4 is like 2002 ;)

  On 05/08/2014 at 15:37, BudMan said:

Well 2.4 doesn't have the acls - believe they were added in 2.6, so like that last thread would explain why not working. At a loss to why anyone would be using such an old version?? 2.4 is like 2002 ;)

ah I meant i am using 2.7!? :p I am using the acls for blocking sites, but I cannot seem to get the blocking of browsers, just donot think I know enough about squid to block them/get it working http://gaugusch.at/squid.shtml i tried this guide but seemed to cause me issues

Well that should work then.. But still why not using current 3.4? At a loss why anyone - especially in security area type software would use outdated versions, I can see being a version behind or so.. But 2.7 was released in 2008, and last change I see to that branch was 2011

  On 05/08/2014 at 15:45, BudMan said:

Well that should work then.. But still why not using current 3.4? At a loss why anyone - especially in security area type software would use outdated versions, I can see being a version behind or so.. But 2.7 was released in 2008, and last change I see to that branch was 2011

 

I will be upgrading, very shortly once i work out exactly what I need to do, I do not want to upgrade half way through experimenting for it not to work and me be confused as to why once I have finished this task and have the my prototype setup I will upgrade and will only use squid3 from then on (I also used squid 2.7 caching as squid3 cache refused to work if you remember from my previous post, and I could not seem to solve it) either way! im going to have to keep trying this out

  On 05/08/2014 at 15:45, BudMan said:

Well that should work then.. But still why not using current 3.4? At a loss why anyone - especially in security area type software would use outdated versions, I can see being a version behind or so.. But 2.7 was released in 2008, and last change I see to that branch was 2011

got it working! (upgrading tomorrow)

  On 05/08/2014 at 16:39, BudMan said:

so what were you doing wrong for the next guy that might have same sort of issue?

ah good point probably should say, thank you for reminding me.

 

the httpd_accel comman in the guide was not liked by squid in a very much shortened version of his guide assuming you can connect via the proxy just put this in under acl CONNECT method CONNECT line tested on an older MSIE version and it 403 errored tried it on chrome worked fine

 

acl CONNECT method CONNECT

acl ie_browser browser ^Mozilla/4\.0 .compatible; MSIE 

acl bad_browser browser ^Gator

http_access deny bad_browser

http_access deny ie_browser

http_access allow manager localhost #you will have this bold config already in place do not copy this over your working config

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localhost

http_access deny all

http_reply_access allow all

icp_access allow all

cache_mgr hostmaster@mycompany.at

append_domain .mycompany.at

deny_info ERR_IEBROWSER ie_browser

wccp_router 172.16.0.1

ie_refresh on

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Tariffs have nothing to do with this pricing. It was always intended to be slightly more expensive then the S25+
    • Hello, The static link still downloads 10.3.2040.0 from May 22, 2025. The 10.3.2412.0 version can be downloaded directly from emclient.com/dist/v10.3.2412/setup.msi. Regards, Aryeh Goretsky
    • Hello, Yes, and yes. More specifically, there are lots of features in Windows that I do not use--I cannot recall the last time I needed to run EUDCEDIT.EXE or ODBCAD32.EXE on a computer I own, but I'm sure that for some people they are useful, and for a smaller set of people they might even be indispensable. I don't begrudge Microsoft for including them as part of the standard Windows installation nor the people who need such tools; sometimes it is convenient to have some little utility or feature readily available. One thing I do begrudge is Microsoft's over-reliance on its own telemetry, and perhaps surpisingly on the flip side, customers who disable it. Collecting telemetry is generally a good thing, if it is done for good reasons and does not include any customer PII. However, how you interpret that telemetry is even more important, as that can lead to all sorts of disastrous decisions. On the customer side of things, telemetry is your "vote:" it's how you tell companies what features you use in the program, and lets them prioritize things appropriately. One glaring example is Windows 8, which shipped with the full-screen Start Screen because Microsoft's telemetry told them the average Windows user pressed the Windows key to bring up the Start Menu less than once a day. I have often wondered how many "power users" of previous versions of Windows (XP, Vista, and 7) that relied on the Start Menu disabled the telemetry that would have told Microsoft a difference story about its usage. More recently, I came across a young lady who had a problem with a third-party sync program on her computer running Windows 7. An update for the utility removed Windows 7 compatibility, and broke her backup process. Now, support for Windows 7 ended over 5 years ago in 2020, but there are ISVs who still support their software on it, but decisions about stuff like that are made, in part, by knowing what percentage of your customer base is on what operating system version. When I asked about that, she mentioned she had specifically disabled the telemetry from the sync program to its developers, which was optional to begin with. What made things even worse was that this was an open source utility, and its authors had a very clear, well-designed and scoped policy on the telemetry they collected, the pains they went through to avoid collecting any PII, and even other ancillary risks involving information disclosure (like just using of the software) because of the network connection made for the checks. Yet, she took herself out of telling the project maintainers "Hey, I use your software and I'm running Windows 7" by disabling the telemetry checks, which could have let them know they needed to continue supporting it. In a sense, sending telemetry is just like voting: Individually, you may not think it matters much, but it is often the basis for very important decisions. Regards, Aryeh Goretsky
    • Hello, My thoughts on this are mixed. Microsoft has hosted malicious code in the Microsoft Update Catalog where third party device drivers are stored; I wrote about one such incident about fifteen years ago, so if there are any other old malicious drivers floating around in the catalog, this will be a good step towards preventing any infestations from reoccurring. Another thing, which surprisingly is not mentioned in Microsoft's announcement, is that this helps protect against BYOVD (Bring Your Own Vulnerable Driver) attacks, where malware either comes with or downloads an older device drivers with vulnerabilities in it that can be exploited to gain access to kernel memory. Removing all those old device drivers from the Windows Update Catalog, potentially with all sorts of undisclosed vulnerabilities in them, means an attacker can no longer leisurely count on being able to download them from Microsoft's servers--something that may go unnoticed or ignored by security analysts. This makes the adversary attack a little more noisy, since they have to either include the device driver with the rest of their initial payload or download it from a third-party site at some point prior to beginning their BYOVD attack. On the other hand, it means that people who are looking for a specific version of an older device driver for whatever legitimate reasons, like compatibility, performance or stability, may end up going to dodgy third-party sites in search of older drivers, which increases the risk of exposure to everything from nuisance advertisements and unwanted software to actual malicious code. As for me, I have keeping copies of all the device drivers, firmware updates, etc. I have downloaded over the years, some dating back to DOS and Windows 3.x era, not just for hardware I won, but popular things like unified chipset and video card drivers, just in case I ever needed it. It might seem silly to collect such a thing, but the hardware drivers, firmware updates, and documentation are just about 2 TB in size. From my perspective, it is an inexpensive form of insurance, especially given that disk space is always getting cheaper over time. Regards, Aryeh Goretsky
    • @Raze Bold it boy. (I admit, we all did it from time to time..)
  • Recent Achievements

    • Contributor
      GravityDead went up a rank
      Contributor
    • Week One Done
      BlakeBringer earned a badge
      Week One Done
    • Week One Done
      Helen Shafer earned a badge
      Week One Done
    • First Post
      emptyother earned a badge
      First Post
    • Week One Done
      Crunchy6 earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      660
    2. 2
      ATLien_0
      266
    3. 3
      Michael Scrip
      235
    4. 4
      Steven P.
      164
    5. 5
      +FloatingFatMan
      149
  • Tell a friend

    Love Neowin? Tell a friend!