How to block a user agent?

The website is being DDoSed with requests like these:
127.0.0.1 - - [27/Feb/2018:00:16:23 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"

127.0.0.1 - - [27/Feb/2018:00:16:24 +0300] "GET // HTTP/1.0" 200 33183 "https://XXXX.ru/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"

How can I ban them at the iptables level?
June 7th 19 at 14:48
4 answers
June 7th 19 at 14:50
Parsing the user agent at the iptables level is not a good idea: the check would run on every packet, and that is very expensive in resources. Besides, it will not work for HTTPS.
Blocking by user agent can be done at the web server level.
Or log the attempts on the web server and then block them at the iptables level, with fail2ban for example.
June 7th 19 at 14:52
Solve this problem with nginx using "limit_req" rather than the User-Agent. If you have an external payment service connected, then with UA filtering its requests will not reach you, because old services do not bother to send a UA when they notify you of the payment status.
The attack rate is about 200 000 requests per second (L7)
No idea whether nginx will handle it - nikita.Stracke commented on June 7th 19 at 14:55
It will handle it; the main thing is not to overdo the basic limit. It is a fine line: you need to cut off the illegitimate requests and pass the legitimate ones. What is your "regular" traffic per second? - Gonzalo.Hane39 commented on June 7th 19 at 14:58
1500 uniques per day - nikita.Stracke commented on June 7th 19 at 15:01
Well, against an attack it is not exactly the UA but the IP you have to use... - Abdullah commented on June 7th 19 at 15:04
Agree with
Try using iptables to block by IP (if the attack comes from the same IP), and configure an advanced "limit_req" - Gonzalo.Hane39 commented on June 7th 19 at 15:07
That's the power
YifPcXz.png - nikita.Stracke commented on June 7th 19 at 15:10
June 7th 19 at 14:54
If you have an Apache web server, you can block via .htaccess:
# Each match sets the bad_bot variable that the Deny rule below tests
SetEnvIfNoCase User-Agent "Slurp" bad_bot
SetEnvIfNoCase User-Agent "Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "^DuckDuckBot" bad_bot
SetEnvIfNoCase User-Agent "^Sogou" bad_bot

# Apache 2.2 syntax (on 2.4 this needs mod_access_compat)
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Nginx - nikita.Stracke commented on June 7th 19 at 14:57
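# vim /etc/nginx/nginx.conf

# "if" is valid only inside a server or location block; the pattern is quoted because it contains spaces
if ($http_user_agent ~* "(Windows 95|Windows 98|wget|curl|libwww-perl)") {
    return 403;
}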
- Gonzalo.Hane39 commented on June 7th 19 at 15:00
June 7th 19 at 14:56
Use grep to pick out the addresses with the UA of interest, and DROP them in iptables.
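
The approach from the first and last answers (pick addresses out of the web server log by User-Agent, then drop them in iptables), as an added example that is not part of the original thread. The set name ua_block, the hit threshold and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: select source addresses from a combined-format access log by
# User-Agent and print an ipset restore file. Nothing is applied by this script.

# offenders UA_REGEX MIN_HITS   (access log on stdin)
# Prints each IPv4 source whose User-Agent field matches UA_REGEX at least
# MIN_HITS times. Splitting on '"' is safe for nginx logs because nginx
# writes a literal quote inside a logged field as \x22.
offenders() {
    awk -F'"' -v re="$1" -v min="$2" '
        NF >= 6 && $6 ~ re {
            split($1, head, " ")
            ip = head[1]
            # Only well-formed IPv4; skip loopback, which is what every
            # request logs as when the server sits behind a local proxy.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || ip ~ /^127\./) next
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# ipset_rules SETNAME   (addresses on stdin) -> input for "ipset restore"
ipset_rules() {
    echo "create $1 hash:ip"
    while read -r ip; do echo "add $1 $ip"; done
}

# Constructed sample log (documentation addresses, not taken from the thread).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [27/Feb/2018:00:16:23 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
198.51.100.7 - - [27/Feb/2018:00:16:23 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
198.51.100.23 - - [27/Feb/2018:00:16:23 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
198.51.100.23 - - [27/Feb/2018:00:16:24 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
203.0.113.9 - - [27/Feb/2018:00:16:24 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
127.0.0.1 - - [27/Feb/2018:00:16:24 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
127.0.0.1 - - [27/Feb/2018:00:16:24 +0300] "POST /payment.php HTTP/1.0" 302 0 "-" "-"
192.0.2.44 - - [27/Feb/2018:00:16:24 +0300] "GET / HTTP/1.0" 200 33183 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) Chrome/45.0.2454.101"
EOF
}

# To apply the output: save it to a file, load it with
#   ipset -exist restore < file
# and add one rule: iptables -I INPUT -m set --match-set ua_block src -j DROP
sample_log | offenders '^-$' 2 | ipset_rules ua_block
```

An empty-UA pattern also matches the payment notifications mentioned in the second answer, so review the address list before loading it.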
