How to block bad bots LieBaoFast, MQQBrowser and Mb2345Browser using Fail2ban

Our server suddenly received a large amount of traffic, and the traffic showed up in Google Analytics.

The spike was an increase of 1000% – 2000%. Server resource usage was very high: CPU usage was about 80 – 90%, while the usual server load average is 10-20%.

In Google Analytics, this high traffic came from Hong Kong and China, even though our site targets another specific country.

In the access log we found traffic from this user agent:

The requests were so frequent and massive that our server behaved as if it were under a DDoS attack.

We don't think our site would have visitors from these countries, because it offers specific products and is targeted at a country in South America.

Block LieBaoFast, MQQBrowser and Mb2345Browser using ModSecurity

Our Nginx has the ModSecurity module, so we tried adding LieBaoFast, MQQBrowser and Mb2345Browser to the user-agent blocklist.

Then we tested it with:

The result was:

But when we checked the Nginx access log, these clients still had access and still got 200 responses. Their requests also still appeared in Google Analytics real time.

We don't know why they can bypass ModSecurity, even though the result is 403 Forbidden when we try it ourselves.

Block LieBaoFast, MQQBrowser and Mb2345Browser using Nginx configuration

The second option is to block those user agents in the Nginx configuration.

Nginx "if" is evil: read more on the Nginx website, which does not recommend using if.

But if you want to use it, below is the Nginx configuration to block the user agents LieBaoFast, MQQBrowser and Mb2345Browser. Put it in the server block.

Or you can use an Nginx map to block bad bots

The Nginx configuration above is not optimal. Nginx still receives the DDoS requests, processes them and denies them, and don't forget that Nginx if is not recommended.

Block LieBaoFast, MQQBrowser and Mb2345Browser using Fail2ban

We think the best option is Fail2ban. With it, our Nginx no longer receives requests from these Chinese bad bots.

Create /etc/fail2ban/filter.d/nginx-badbots.conf and paste the following configuration.

Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

Add this code at the bottom of /etc/fail2ban/jail.local

Enable Fail2ban at boot and start the service

Check the log at /var/log/fail2ban.log

Check the IPs blocked by Fail2ban with this command:
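Before a filter like nginx-badbots.conf goes live, it helps to confirm that its pattern matches only the User-Agent field, so a client is not banned because a bot name appears in a URL or referer. The Python check below is an added example, not the original post's filter: the failregex, the simplified `<HOST>` substitution, the maxretry threshold and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed failregex (not the original post's filter). It matches only when one
# of the three tokens sits in the last quoted field (User-Agent) of Nginx's
# "combined" log format.
FAILREGEX = (r'^<HOST> \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ "[^"]*" '
             r'"[^"]*(?:LieBaoFast|MQQBrowser|Mb2345Browser)[^"]*"$')

# Simplified stand-in for Fail2ban's <HOST> tag: one non-space token.
HOST_GROUP = r'(?P<host>\S+)'

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN) AppleWebKit/537.36 Chrome/57.0 MQQBrowser/9.1 Mobile Safari/537.36"
203.0.113.10 - - [12/Mar/2020:10:00:02 +0000] "GET /products HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Chrome/48.0 Mobile Safari/537.36 LieBaoFast/4.51.3"
198.51.100.7 - - [12/Mar/2020:10:00:03 +0000] "GET /cart HTTP/1.1" 200 930 "-" "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Chrome/45.0 Mobile Safari/537.36 Mb2345Browser/9.0"
192.0.2.44 - - [12/Mar/2020:10:00:04 +0000] "GET /search?q=MQQBrowser HTTP/1.1" 200 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/74.0"
192.0.2.45 - - [12/Mar/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "https://example.com/?ref=LieBaoFast" "Mozilla/5.0 (X11; Linux x86_64) Firefox/74.0"
"""

def compile_failregex(failregex):
    """Turn a Fail2ban-style pattern into a plain Python regex."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))

def offenders(log_text, failregex=FAILREGEX):
    """Count matching lines per client address, as a jail counts failures."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            hits[m.group('host')] += 1
    return hits

def would_ban(log_text, maxretry=1):
    """Addresses whose match count reaches maxretry (an assumed threshold)."""
    return sorted(h for h, n in offenders(log_text).items() if n >= maxretry)

if __name__ == '__main__':
    for host, count in offenders(SAMPLE_LOG).items():
        print(host, count)
    print('ban:', would_ban(SAMPLE_LOG))
```

The last two sample lines carry a bot name in the request path and in the referer; neither address is counted, because the pattern is anchored to the final quoted field.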
