/
/
Блокировка ботов на веб-сервере

Блокировка ботов на веб-сервере

Защита сайта от ботов способствует снижению нагрузки на веб-сервер, сохранению рекламных средств и позиций в поиске.

Для Nginx

В начало конфигурационного файла сайта добавьте следующие строки:

# Определение карты ботов
map $http_user_agent $is_bad_bot {
    default 0;
    "~*SputnikBot|omgili|socialmediascanner|Jooblebot|SeznamBot|Scrapy|CCBot|linkfluence|veoozbot|Leikibot|Seopult|Faraday|hybrid|Go-http-client|SMUrlExpander|SNAPSHOT|getintent|ltx71|Nuzzel|SMTBot|Laserlikebot|facebookexternalhit|mfibot|OptimizationCrawler|crazy|Dispatch|ubermetrics|HTMLParser|musobot|filterdb|InfoSeek|omgilibot|DomainSigma|SafeSearch|CommentReader|meanpathbot|statdom|proximic|spredbot|StatOnlineRuBot|openstat|DeuSu|semantic|postano|masscan|Embedly|NewShareCounts|linkdexbot|GrapeshotCrawler|Digincore|NetSeer|help.jp|PaperLiBot|getprismatic|360Spider|Ahrefs|ApacheBench|Aport|Applebot|archive|BaiduBot|Baiduspider|Birubot|BLEXBot|bsalsa|Butterfly|Buzzbot|BuzzSumo|CamontSpider|dataminr|discobot|DomainTools|DotBot|Exabot|Ezooms|FairShare|FeedFetcher|FlaxCrawler|FlightDeckReportsBot|FlipboardProxy|FyberSpider|Gigabot|HTTrack|ia_archiver|InternetSeer|Jakarta|Java|JS-Kit|km.ru|kmSearchBot|Kraken|larbin|libwww|Lightspeedsystems|Linguee|LinkBot|LinkExchanger|LinkpadBot|LivelapBot|LoadImpactPageAnalyzer|lwp-trivial|majestic|Mediatoolkitbot|MegaIndex|MetaURI|MJ12bot|MLBot|NerdByNature|NING|NjuiceBot|Nutch|OpenHoseBot|Panopta|pflab|pirst|PostRank|crawler|ptd-crawler|Purebot|PycURL|Python|QuerySeekerSpider|rogerbot|Ruby|SearchBot|SemrushBot|SISTRIX|SiteBot|Slurp|Sogou|solomono|Soup|spbot|suggybot|Superfeedr|SurveyBot|SWeb|trendictionbot|TSearcher|ttCrawler|TurnitinBot|TweetmemeBot|UnwindFetchor|urllib|uTorrent|Voyager|WBSearchBot|Wget|WordPress|woriobot|Yeti|YottosBot|Zeus|zitebot|ZmEu|Crowsnest|PaperLiBot|peerindex|Twiceler|BTWebClient|Tagoobot|igdeSpyder|Copier|netvampire|Offline|Teleport|WebCopier" 1;
}

# Разрешние cURL-запросов
map $http_user_agent $is_curl {
    default 0;
    "~*curl" 1;
}

Далее, в конце обеих секции server добавьте строки:

# Блокировка ботов и пропуск cURL-запросов
if ($is_bad_bot = 1) {   
    if ($is_curl = 0) {
        return 403;
    }
}

Для Apache

В конфигурации

В начало конфигурационного файла сайта добавьте следующие строки:

<IfModule mod_setenvif.c>
    # Определение карты ботов
    SetEnvIfNoCase User-Agent "SputnikBot|omgili|socialmediascanner|Jooblebot|SeznamBot|Scrapy|CCBot|linkfluence|veoozbot|Leikibot|Seopult|Faraday|hybrid|Go-http-client|SMUrlExpander|SNAPSHOT|getintent|ltx71|Nuzzel|SMTBot|Laserlikebot|facebookexternalhit|mfibot|OptimizationCrawler|crazy|Dispatch|ubermetrics|HTMLParser|musobot|filterdb|InfoSeek|omgilibot|DomainSigma|SafeSearch|CommentReader|meanpathbot|statdom|proximic|spredbot|StatOnlineRuBot|openstat|DeuSu|semantic|postano|masscan|Embedly|NewShareCounts|linkdexbot|GrapeshotCrawler|Digincore|NetSeer|help.jp|PaperLiBot|getprismatic|360Spider|Ahrefs|ApacheBench|Aport|Applebot|archive|BaiduBot|Baiduspider|Birubot|BLEXBot|bsalsa|Butterfly|Buzzbot|BuzzSumo|CamontSpider|dataminr|discobot|DomainTools|DotBot|Exabot|Ezooms|FairShare|FeedFetcher|FlaxCrawler|FlightDeckReportsBot|FlipboardProxy|FyberSpider|Gigabot|HTTrack|ia_archiver|InternetSeer|Jakarta|Java|JS-Kit|km.ru|kmSearchBot|Kraken|larbin|libwww|Lightspeedsystems|Linguee|LinkBot|LinkExchanger|LinkpadBot|LivelapBot|LoadImpactPageAnalyzer|lwp-trivial|majestic|Mediatoolkitbot|MegaIndex|MetaURI|MJ12bot|MLBot|NerdByNature|NING|NjuiceBot|Nutch|OpenHoseBot|Panopta|pflab|pirst|PostRank|crawler|ptd-crawler|Purebot|PycURL|Python|QuerySeekerSpider|rogerbot|Ruby|SearchBot|SemrushBot|SISTRIX|SiteBot|Slurp|Sogou|solomono|Soup|spbot|suggybot|Superfeedr|SurveyBot|SWeb|trendictionbot|TSearcher|ttCrawler|TurnitinBot|TweetmemeBot|UnwindFetchor|urllib|uTorrent|Voyager|WBSearchBot|Wget|WordPress|woriobot|Yeti|YottosBot|Zeus|zitebot|ZmEu|Crowsnest|PaperLiBot|peerindex|Twiceler|BTWebClient|Tagoobot|igdeSpyder|Copier|netvampire|Offline|Teleport|WebCopier" bad_bot
    
    # Разрешение cURL-запросов
    SetEnvIfNoCase User-Agent "curl" allow_curl
    
    SetEnvIf bad_bot "1" block_bot
    SetEnvIf allow_curl "1" !block_bot
</IfModule>

# Примение блокировки ботов
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env block_bot
    </RequireAll>
</IfModule>

В .htacccess

Добавьте в файл .htaccess следующие правила:

<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Разрешение cURL-запросов
    RewriteCond %{HTTP_USER_AGENT} "curl" [NC]
    RewriteRule .* - [S=1]
    
    # Блокирование ботов
    RewriteCond %{HTTP_USER_AGENT} "SputnikBot|omgili|socialmediascanner|Jooblebot|SeznamBot|Scrapy|CCBot|linkfluence|veoozbot|Leikibot|Seopult|Faraday|hybrid|Go-http-client|SMUrlExpander|SNAPSHOT|getintent|ltx71|Nuzzel|SMTBot|Laserlikebot|facebookexternalhit|mfibot|OptimizationCrawler|crazy|Dispatch|ubermetrics|HTMLParser|musobot|filterdb|InfoSeek|omgilibot|DomainSigma|SafeSearch|CommentReader|meanpathbot|statdom|proximic|spredbot|StatOnlineRuBot|openstat|DeuSu|semantic|postano|masscan|Embedly|NewShareCounts|linkdexbot|GrapeshotCrawler|Digincore|NetSeer|help.jp|PaperLiBot|getprismatic|360Spider|Ahrefs|ApacheBench|Aport|Applebot|archive|BaiduBot|Baiduspider|Birubot|BLEXBot|bsalsa|Butterfly|Buzzbot|BuzzSumo|CamontSpider|dataminr|discobot|DomainTools|DotBot|Exabot|Ezooms|FairShare|FeedFetcher|FlaxCrawler|FlightDeckReportsBot|FlipboardProxy|FyberSpider|Gigabot|HTTrack|ia_archiver|InternetSeer|Jakarta|Java|JS-Kit|km.ru|kmSearchBot|Kraken|larbin|libwww|Lightspeedsystems|Linguee|LinkBot|LinkExchanger|LinkpadBot|LivelapBot|LoadImpactPageAnalyzer|lwp-trivial|majestic|Mediatoolkitbot|MegaIndex|MetaURI|MJ12bot|MLBot|NerdByNature|NING|NjuiceBot|Nutch|OpenHoseBot|Panopta|pflab|pirst|PostRank|crawler|ptd-crawler|Purebot|PycURL|Python|QuerySeekerSpider|rogerbot|Ruby|SearchBot|SemrushBot|SISTRIX|SiteBot|Slurp|Sogou|solomono|Soup|spbot|suggybot|Superfeedr|SurveyBot|SWeb|trendictionbot|TSearcher|ttCrawler|TurnitinBot|TweetmemeBot|UnwindFetchor|urllib|uTorrent|Voyager|WBSearchBot|Wget|WordPress|woriobot|Yeti|YottosBot|Zeus|zitebot|ZmEu|Crowsnest|PaperLiBot|peerindex|Twiceler|BTWebClient|Tagoobot|igdeSpyder|Copier|netvampire|Offline|Teleport|WebCopier" [NC]
    RewriteRule .* - [F,L]
</IfModule>

Для WAF (ModSecurity)

Добавьте конфигурационный файл на уровне домена или на уровне сервера с тремя правилами:

  1. Разрешение cURL-запросов
  2. Блокировка запросов с пустым UserAgent
  3. Блокировка ботов из списка

Для Fail2Ban

В Fail2Ban для Apache уже существуют правила, однако для Nginx необходимо указать правила вручную.

Создайте файл по пути /etc/fail2ban/filter.d/nginx-badbots.conf и добавьте в него следующее содержимое:

[Definition]
failregex = ^(?:\S+ )?<HOST> - - \[.*\] "GET .*(wp-login|wp-admin|xmlrpc|setup|config|\.env|\.git|sslvpn).* HTTP/.*" \d{3}
            ^(?:\S+ )?<HOST> - - \[.*\] ".*" (400|444|403|405|502)
            ^(?:\S+ )?<HOST> - - \[.*\] ".*" .* "(AhrefsBot|SemrushBot|DotBot|YandexBot|PaloAltoNetworks|omgili|socialmediascanner|Jooblebot|SeznamBot|Scrapy|CCBot|linkfluence|veoozbot|Leikibot|Seopult|Faraday|hybrid|Go-http-client|SMUrlExpander|SNAPSHOT|getintent|ltx71|Nuzzel|SMTBot|Laserlikebot|facebookexternalhit|mfibot|OptimizationCrawler|crazy|Dispatch|ubermetrics|HTMLParser|musobot|filterdb|InfoSeek|omgilibot|DomainSigma|SafeSearch|CommentReader|meanpathbot|statdom|proximic|spredbot|StatOnlineRuBot|openstat|DeuSu|semantic|postano|masscan|Embedly|NewShareCounts|linkdexbot|GrapeshotCrawler|Digincore|NetSeer|help.jp|PaperLiBot|getprismatic|360Spider|Ahrefs|ApacheBench|Aport|Applebot|archive|BaiduBot|Baiduspider|Birubot|BLEXBot|bsalsa|Butterfly|Buzzbot|BuzzSumo|CamontSpider|dataminr|discobot|DomainTools|DotBot|Exabot|Ezooms|FairShare|FeedFetcher|FlaxCrawler|FlightDeckReportsBot|FlipboardProxy|FyberSpider|Gigabot|HTTrack|ia_archiver|InternetSeer|Jakarta|Java|JS-Kit|km.ru|kmSearchBot|Kraken|larbin|libwww|Lightspeedsystems|Linguee|LinkBot|LinkExchanger|LinkpadBot|LivelapBot|LoadImpactPageAnalyzer|lwp-trivial|majestic|Mediatoolkitbot|MegaIndex|MetaURI|MJ12bot|MLBot|NerdByNature|NING|NjuiceBot|Nutch|OpenHoseBot|Panopta|pflab|pirst|PostRank|crawler|ptd-crawler|Purebot|PycURL|Python|QuerySeekerSpider|rogerbot|Ruby|SearchBot|SemrushBot|SISTRIX|SiteBot|Slurp|Sogou|solomono|Soup|spbot|suggybot|Superfeedr|SurveyBot|SWeb|trendictionbot|TSearcher|ttCrawler|TurnitinBot|TweetmemeBot|UnwindFetchor|urllib|uTorrent|Voyager|WBSearchBot|Wget|WordPress|woriobot|Yeti|YottosBot|Zeus|zitebot|ZmEu|Crowsnest|PaperLiBot|peerindex|Twiceler|BTWebClient|Tagoobot|igdeSpyder|Copier|netvampire|Offline|Teleport|WebCopier)"
ignoreregex =

В файле /etc/fail2ban/jail.conf создайте блок для ботов, заблокированных для Nginx:

....
[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/*access.log
           /var/www/httpd-logs/*access.log
maxretry = 5
findtime = 60
bantime  = 1h
action   = iptables-multiport[name=BadBots, port="http,https", protocol=tcp]
....

Проверьте корректность регулярных выражений на реальных записях в журнале:

fail2ban-regex /var/www/httpd-logs/<имя_сайта>.access.log /etc/fail2ban/filter.d/nginx-badbots.conf

При правильном синтаксисе выражений, в журнале должны быть найдены совпадения с именами ботов.

Если в выводе есть совпадения, проверьте весь синтаксис конфигурации Fail2Ban и перезапустите службу:

fail2ban-server -t
systemctl restart fail2ban

Проверьте работу нового правила:

fail2ban-client status nginx-badbots
tail -f /var/log/fail2ban.log