How to block bad bots LieBaoFast, MQQBrowser and Mb2345Browser using Fail2ban


Our server suddenly received a large amount of traffic, and this traffic was detected in Google Analytics.

The spike increased traffic by 1000%–2000%. Server resource usage was very high, with CPU usage at about 80–90%; usually the server load average is 10–20%.

In Google Analytics, this high traffic came from Hong Kong and China, even though our site targets another specific country.

In the access log we found traffic from these user agents:

The request volume was massive, so our server looked like it was under a DDoS attack.

We don’t think our site would have visitors from there, because it sells specific products and targets a country in South America.

Block LieBaoFast, MQQBrowser and Mb2345Browser using Modsecurity

Our Nginx has the ModSecurity module, so we tried adding LieBaoFast, MQQBrowser and Mb2345Browser to the user-agent blocklist.

Then we tested it with:

The result is:

But when we checked the Nginx access log, they still had access and still got 200 responses. The requests still appeared in Google Analytics real time.

We don’t know why they can bypass ModSecurity, even though when we try it ourselves the result is 403 Forbidden.

Block LieBaoFast, MQQBrowser and Mb2345Browser using Nginx configuration

The second option is to block those user agents using Nginx configuration.

In Nginx, "If is Evil": read more on the Nginx website, which does not recommend using if.

But if you want to use it, below is the Nginx configuration to block the user agents LieBaoFast, MQQBrowser and Mb2345Browser; put it in the server block.

Or you can use an Nginx map to block bad bots

The above Nginx configuration is not optimal. Nginx still receives the DDoS requests, processes them and denies them, and don’t forget that Nginx if is not recommended.

Block LieBaoFast, MQQBrowser and Mb2345Browser using Fail2ban

We think the best option is using Fail2ban. With it, our Nginx no longer receives requests from these Chinese bad bots.

Create /etc/fail2ban/filter.d/nginx-badbots.conf and paste the following configuration.

Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

Add this code at the bottom of /etc/fail2ban/jail.local

Enable Fail2ban auto start and start the service

Check the log at /var/log/fail2ban.log

Check IP blocked by Fail2ban with command:
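As an added example (not the post's own filter or jail configuration), this Python script checks a candidate failregex for such a filter against constructed Nginx access-log lines, including requests where a bot name appears only in the URL or referer and must not count. The `(?P<host>...)` group, the sample log lines and the `maxretry` value are assumptions made for the illustration.

```python
import re
from collections import Counter

BAD_AGENTS = ("LieBaoFast", "MQQBrowser", "Mb2345Browser")

# Nginx "combined" log format: the user agent is the third and last quoted field.
# (?P<host>...) is an assumption standing in for Fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r'^(?P<host>[0-9a-fA-F:.]+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" '
    r'"[^"]*(?:%s)[^"]*"$' % "|".join(map(re.escape, BAD_AGENTS))
)

# Constructed sample lines (documentation-range IPs), not taken from the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 7.0) Chrome/66.0 Mobile Safari/537.36 LieBaoFast/4.51.3"',
    '203.0.113.7 - - [12/Mar/2020:10:00:02 +0000] "GET /p/1 HTTP/1.1" 200 7300 "-" '
    '"Mozilla/5.0 (Linux; Android 8.1) MQQBrowser/9.1 Mobile Safari/537.36"',
    # Bot name only in the query string: must not match.
    '198.51.100.9 - - [12/Mar/2020:10:00:03 +0000] "GET /search?q=MQQBrowser HTTP/1.1" '
    '200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"',
    # Bot name only in the referer: must not match.
    '198.51.100.9 - - [12/Mar/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 812 '
    '"https://example.com/?ref=LieBaoFast" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"',
    '203.0.113.20 - - [12/Mar/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 6.0) Mb2345Browser/9.0 Mobile Safari/537.36"',
]

def hits(lines):
    """Count matching requests per client address."""
    counts = Counter()
    for line in lines:
        m = FAILREGEX.match(line.strip())
        if m:
            counts[m.group("host")] += 1
    return counts

def offenders(lines, maxretry):
    """Addresses with at least maxretry matches (findtime window ignored here)."""
    return sorted(ip for ip, n in hits(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(hits(SAMPLE_LOG))
    print(offenders(SAMPLE_LOG, maxretry=2))
```

In a Fail2ban filter file the host group is written as `<HOST>`, and the result can be checked against a real access log with `fail2ban-regex` before the jail is enabled.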

One thought on “How to block bad bots LieBaoFast, MQQBrowser and Mb2345Browser using Fail2ban”

  1. Long time supporter, and thought I’d drop a comment.

    Your wordpress site is very sleek – hope you don’t mind
    me asking what theme you’re using? (and don’t mind if I steal it?

    :P)

    I just launched my site –also built in wordpress like yours– but the
    theme slows (!) the site down quite a bit.

    In case you have a minute, you can find it by searching for “royal cbd” on Google (would
    appreciate any feedback) – it’s still in the works.

    Keep up the good work– and hope you all take care of yourself
    during the coronavirus scare!
