How to block empty headers and user agents server wide

Hi,

I have a server with some WordPress sites. These often get (D)DoS attacks by requests with, 90% of the time, empty headers and user agents.
So as these are most likely all unwanted requests, I was wondering how to block these server-wide?

I'm using Apache 2.2 and 2.4. I would like to add the code to httpd-includes as this won't get overwritten.
Is this possible, if yes, how?

Thanks!
Asked by: peps03
btan (Exec Consultant) Commented:
Indeed, this is "common", as below. Such requests are usually sent from scanners or "hack" tools or even search engine robots, etc. A web app FW (WAF) detecting these focuses on rule signatures based on Request Missing a User Agent Header and Request Missing an Accept Header. It is much better to handle this at the WAF level holistically, with rules configured to block the baseline of low-hanging cases and tuned for exception cases...

It will be good if you can leverage the mod_security core ruleset, as it already has the below to block it by default:
[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
[id "960015"], [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"]

Trustwave even has a blog on the setting, which is a good heads-up:

Traditional vs. Anomaly Scoring Detection Modes - https://www.trustwave.com/Resources/SpiderLabs-Blog/Advanced-Topic-of-the-Week--Traditional-vs--Anomaly-Scoring-Detection-Modes/
Exception Handling - https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/
peps03 (Author) Commented:
Hi btan,

Thanks for your reply. At the moment, mod_security isn't installed. Is there an Apache httpd or other method to block these requests in the meantime?

Thanks
btan (Exec Consultant) Commented:
It is then likely done with directives (in "httpd.conf" or "apache2.conf" in the directory "<APACHE_HOME>\conf"), such as the use of "Allow" or "Deny" from all|host|env=env-variable.
The useful field in your use case is env=env-variable. The HTTP request will be granted or denied if the environment variable env-variable exists. The variable can be based on the client's User-Agent (browser type), Referer, request method, or other HTTP request header. Hence, for the case of an empty Accept and User-Agent:
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
   
<Directory /docroot>
    Order Deny,Allow
    Deny from all
    Allow from env=Mozilla4_browser
</Directory>
In this example, browsers with a User-Agent string beginning with Mozilla/4.0 will be allowed access. All other types of browsers will be denied.
> https://www3.ntu.edu.sg/home/ehchua/programming/howto/Apache_HowToConfigure.html#zz-2.

And some go into the .htaccess file to configure the deny or allow as required.
E.g.:
# block blank UA
SetEnvIf User-Agent ^$ keep_out
As to banning blank User Agents with modRewrite, yes you can do that, but be careful. Some Search Engines "sneak into" your site using different user agents and possibly even blank user agents, to see if you are cloaking. If you block too indiscriminately, your site will look like it's cloaked, and you could get dropped from search engines!

I ban "foreign" Referers, not specific or blank User-Agents, from copying or including my gifs and jpegs.
> https://www.webmasterworld.com/forum11/1219.htm
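
Before turning on a server-wide block, the caution above about exceptions can be checked against existing access logs: which clients send a blank User-Agent, and do any of them also identify themselves on other requests? The following is an added example, not code from this thread; it assumes Apache's combined log format, and the name blank_ua_report and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED +
    r' (?P<status>\d{3}) \S+ ' + QUOTED + r' "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# A missing header is logged as "-"; an empty value may show up as "".
BLANK = {"", "-"}


def blank_ua_report(lines):
    """Per client IP: number of blank-UA requests, plus any real User-Agent
    the same IP also sent (a hint that blocking may hit a wanted client)."""
    blank = defaultdict(int)
    named = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format, skip
        if m["ua"].strip() in BLANK:
            blank[m["ip"]] += 1
        else:
            named[m["ip"]].add(m["ua"])
    ranked = sorted(blank.items(), key=lambda kv: -kv[1])
    return {
        ip: {"blank_requests": n, "also_sent_ua": sorted(named.get(ip, ()))}
        for ip, n in ranked
    }


# Constructed sample lines using documentation IP ranges, not real traffic.
T = "[10/Oct/2018:13:55:36 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET / HTTP/1.1" 200 5120 "-" "-"',
    f'203.0.113.7 - - {T} "POST /xmlrpc.php HTTP/1.1" 200 370 "-" ""',
    f'203.0.113.7 - - {T} "GET /wp-login.php HTTP/1.1" 200 2310 "-" "-"',
    f'198.51.100.20 - - {T} "GET /robots.txt HTTP/1.1" 200 67 "-" "-"',
    f'198.51.100.20 - - {T} "GET / HTTP/1.1" 200 5120 "-" '
    '"ExampleBot/1.0 (+http://example.com/bot)"',
    f'192.0.2.44 - - {T} "GET / HTTP/1.1" 200 5120 '
    '"https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, info in blank_ua_report(SAMPLE).items():
        print(ip, info)
```

An IP that appears with a non-empty also_sent_ua list is a candidate for an exception before the deny rule goes live.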
peps03 (Author) Commented:
Ok great! I'll try this, thanks!
Question has a verified solution.