Spam blocking in htaccess

[Administrator]

Again, to upload files you are better off not using your cPanel but a FTP program such as WinSCP That will ensure that your files are uploaded correctly and the file structure stays intact

[Rickf1985]

I did download the Notepad++ and I have Core FTP and Filezilla configured to work with the control panel but I have not been able to figure out how to use the FTP to download and upload the files to and from the File manager.
So I will will copy your version of the 7g you provided here and paste it to the Notepad++. Then what do I need to do to CORRECTLY remove the bad file from the htaccess folder and upload the correct file to the folder?

[Administrator]

If you have the FTP program connected to your webhosting then you are 90% of the way there. As your existing HTACCESS has become corrupted I suggest that you use a fresh one, either downloaded from phpBB or the one I have already edited with the 7G data with the ssl addition as your site is HTTPS

Then edit it in notepad++ to add the edits I have made to add bytespider etc, saving it to your computer.

Open your FTP program and you will see your computer on the left pane and you server on the right. Ensuring that you have the correct directory open on the server (ie the phpBB one) drag and drop the 'new' HTACCESS file from your computer to an empty space your servers directory, agree to overwrite the existing one and the file will be copied leaving the original on your computer

screenshot_191.png

[Rickf1985]

Ok, I was trying to upload it directly to the htaccess file. According to raw access that brandwatch bot and bytespider is still getting through on multiple ips. I will try to upload as you show.

Here is the user agent section of the 7g that is copied from the htaccess file.

# 7G:[USER AGENT]
<IfModule mod_rewrite.c>

RewriteCond %{HTTP_USER_AGENT} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (&lt;|%0a|%0d|%27|%3c|%3e|%00|0x00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (ahrefs|alexibot|majestic|mj12bot|rogerbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ((c99|php|web)shell|remoteview|site((.){0,2})copier) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (econtext|eolasbot|eventures|liebaofast|nominet|oppo\sa33) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (base64_decode|bin/bash|disconnect|eval|lwp-download|unserialize|\\\x22) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (acapbot|acoonbot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|bytedance|bytespider|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|magpie-crawler|masscan|miner|mechanize|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|petalbot|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|scooter|seekerspider|semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg) [NC]

RewriteRule .* - [F,L]

# RewriteRule .* /7G_log.php?log [END,NE,E=7G_USER_AGENT:%1]

</IfModule>

[Rickf1985]

Ok, I uploaded it as you said ant it worked. So now I will see if that takes care of the problem. Looking at the raw access I can see that the bots just moved to different ip's. Still coming in just as bad but from different addresses. I think I asked this before but will the ip blocks through the CP be affecting the 7g any? Conflict possibly?

[Administrator]

Looking at the raw access I can see that the bots just moved to different ip's

... which is why it is never recommended to ban by ip. Bots move around, as do the majority if home ip's when you reboot your router. Blocking the useragent (as 7G does) stops them no matter what ip they are using (ie bytespider is always bytespider no matter where it originates)

HTACCESS rules are run before any rules in the software, so there will not be a conflict but you may as well clear the ip ban list in phpBB because of the above (I have no ip's banned at forum level on my boards)

[Rickf1985]

Well, I must still be doing something wrong because they are still coming in hot and heavy. Even using the same ip plus more. I do notice some are starting out with "control Panel". Does that mean they are coming in from the server side? Either way it appears that they are still getting in, htaccess rules or not. Here is the last bit of the raw access log showing the bytespyder entries. That is about 45 minutes after the latest upload.

[Administrator]

I really don't understand whats going on except there must be something really odd with your server (which is way beyond my knowledge) I added bytespider to my HTACCESS and it stopped them dead.

If you would like me to take a deeper look feel free to PM me your cPanel address and logon details and a full admin account for your board (I fully understand and will not take offence if you would rather not)

[Rickf1985]

I really feel like I am becoming a real burden with all of this crap. The info you requested is in a pm. Thank you. I went into the htaccess file and deleted all of the individual ip deletes and redid them through the control panel with two entries covering entire ranges I saw in the raw access. I figured this can't hurt since they were already getting through and it would have the night to see if it works. Well, night for me, it is almost 03:00 for you so you will see this and it will have been in effect for about 5 hours. I finished up about 20:00 my time.

[Rickf1985]

In checking the raw access this evening I found that nothing had changed so I hit the internet looking for answers. I came across this. So I copied and added this to the end of the htaccess file. I even did it by your approved method of downloading the file by FTP, editing it with Notepad++ and uploading it with FTP. See, I can learn quickly if given the chance and good tutoring. If you get a chance take a look in the morning and see if it made a difference.

Re: Bytespider Attack
Post by foxiedog » Fri Jun 23, 2023 7:48 am

i have also been getting hit by byetspider bots at the rate of thousands per day,
i tried the above code in htaccess, but they were still getting through in large numbers,
i also tried deny from ip blocks from singapore, which was also ineffective in blocking them,
(they appeared to be mainly from singapore via amazonaws.com)

after much searching on the subject i came across this bit of code,
CODE: SELECT ALL

# DENY ACCESS TO amazonaws.com

# Apache 2.2
Order Allow,Deny
Allow from all
Deny from amazonaws.com

# Apache 2.4+
<RequireAll>
Require all granted
Require not host amazonaws.com
</RequireAll>
which so far seems to have done the trick in blocking bytespider. perhaps a little drastic i know, as it blocks all amazonaws traffic from the forum,
but visits from bytespider have dropped to zero now
Top