1 files changed, 229 insertions, 0 deletions

diff --git a/files/mod_security/custom_rules/useragents.conf b/files/mod_security/custom_rules/useragents.conf
new file mode 100644
index 0000000..d969960
--- /dev/null
+++ b/files/mod_security/custom_rules/useragents.conf
@@ -0,0 +1,229 @@
+# http://www.gotroot.com/mod_security+rules
+# Gotroot.com ModSecurity rules
+# User Agent Security Rules for modsec 2.x
+#
+# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/useragents.conf
+#
+# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
+# Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved.
+# Redistribution is strictly prohibited in any form, including whole or in part.
+#
+# Version: N-20061022-01
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+# THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#Comment spam header line
+SecRule REQUEST_HEADERS "x-aaaaaa.*"
+SecRule REQUEST_BODY "X-AAAAAA.*"
+
+#check for bad meta characters in User-Agent field
+#SecRule HTTP_User-Agent ".*\'"
+
+#XSS in the UA field
+SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"
+
+#PHP code injection attack
+SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" 
+SecRule HTTP_User-Agent ".*HTTP_GET_VARS"
+
+#recursion attack in UA field
+SecRule HTTP_User-Agent "\.\./\.\."
+
+#May cause false positives with some software, comment out if it does
+#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
+#SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$"
+
+#Exploit agent
+SecRule HTTP_User-Agent "Mosiac 1\.*"
+
+#Bad agent
+SecRule HTTP_User-Agent "Brutus/AET"
+
+#CGI vuln scan tool
+SecRule HTTP_User-Agent cgichk
+SecRule HTTP_User-Agent "DataCha0s/2\.0"
+
+#Damn fine UA
+SecRule HTTP_User-Agent ".*THIS IS AN EXPLOIT*"
+SecRule HTTP_User-Agent "Morzilla"
+
+#CIRT.DK Webroot auditing tool
+SecRule HTTP_User-Agent ".*WebRoot "
+
+#Exploit UA
+SecRule HTTP_User-Agent ".*T H A T \' S  G O T T A  H U R T*"
+
+#XML RPC exploit tool
+SecRule HTTP_User-Agent "xmlrpc exploit*"
+
+#A friendly little exploit banner for a WP vuln
+SecRule HTTP_User-Agent "Wordpress Hash Grabber"
+
+#Blocks scripts
+SecRule HTTP_User-Agent lwp
+
+#Web leaches
+SecRule HTTP_User-Agent "Web Downloader"
+SecRule HTTP_User-Agent WebZIP
+SecRule HTTP_User-Agent WebCopier
+SecRule HTTP_User-Agent Webster
+SecRule HTTP_User-Agent WebZIP
+SecRule HTTP_User-Agent WebStripper
+SecRule HTTP_User-Agent "teleport pro"
+SecRule HTTP_User-Agent combine
+SecRule HTTP_User-Agent "Black Hole"
+SecRule HTTP_User-Agent "SiteSnagger" 
+SecRule HTTP_User-Agent "ProWebWalker" 
+SecRule HTTP_User-Agent "CheeseBot" 
+
+#Bogus Mozilla UA lines
+SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$"
+SecRule HTTP_User-Agent "Mozilla/3\.Mozilla/2\.01$"
+
+#Bogus IE UA line
+SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$"
+
+#Bogus UA
+SecRule HTTP_User-Agent "FooBar/42"
+
+#Nessus Vuln scanner UA
+SecRule HTTP_User-Agent "Mozilla.*Nessus"
+
+#Nikto vuln scanner UA
+SecRule HTTP_User-Agent ".*Nikto"
+
+#BAd/Bogus UAs
+SecRule HTTP_User-Agent "Indy Library"
+SecRule HTTP_User-Agent "Faxobot"
+SecRule HTTP_User-Agent ".*SAFEXPLORER TL"
+
+#Spam spinder UAs
+SecRule HTTP_User-Agent ".*fantomBrowser"
+SecRule HTTP_User-Agent ".*fantomCrew Browser"
+
+#VB development library used by many spammers, might block legite VBscripts
+#comment out if you have problems
+SecRule HTTP_User-Agent "Crescent Internet ToolPak"
+
+#Borland Delphi signature, as above, comment out if it gives you problems
+#spammers sometimes use these UAs
+SecRule HTTP_User-Agent "NEWT ActiveX\; Win32"
+SecRule HTTP_User-Agent "Mozilla.*NEWT"
+
+#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
+#it causes problems, comment out.  If you are a member of the Microsoft Site 
+#Builder Network, you probably do NOT want to block this ID.
+#SecRule HTTP_User-Agent "Microsoft URL Control"
+#SecRule HTTP_User-Agent  "^Microsoft URL"
+
+#e-mail collectors and spammers
+SecRule HTTP_User-Agent "WebBandit"
+SecRule HTTP_User-Agent "WEBMOLE"
+SecRule HTTP_User-Agent "Telesoft*"
+SecRule HTTP_User-Agent "WebEMailExtractor"
+SecRule HTTP_User-Agent "CherryPicker*"
+SecRule HTTP_User-Agent NICErsPRO
+SecRule HTTP_User-Agent "Advanced Email Extractor*"
+SecRule HTTP_User-Agent EmailSiphon
+SecRule HTTP_User-Agent Extractorpro
+SecRule HTTP_User-Agent webbandit
+SecRule HTTP_User-Agent EmailCollector
+SecRule HTTP_User-Agent "WebEMailExtrac*"
+SecRule HTTP_User-Agent EmailWolf
+
+#Spiders that eat up bandwidth for their customers
+#Not a spammer, just a spider, comment out if you like
+SecRule HTTP_User-Agent "CopyRightCheck"
+SecRule HTTP_User-Agent "CopyGuard"
+SecRule HTTP_User-Agent "Digimarc WebReader"
+
+#MArketing spiders
+SecRule HTTP_User-Agent  "Zeus .*Webster Pro*"
+
+#Poker spam
+SecRule HTTP_User-Agent  "8484 Boston Project"
+
+#collectors
+SecRule HTTP_User-Agent  "autoemailspider"
+SecRule HTTP_User-Agent  "ecollector"
+SecRule HTTP_User-Agent  "grub crawler"
+
+#referrer spam, not the real weblogs
+SecRule HTTP_User-Agent  "^www\.weblogs\.com"
+
+#spam bots
+SecRule HTTP_User-Agent  "DTS Agent"
+SecRule HTTP_User-Agent  "POE-Component-Client"
+SecRule HTTP_User-Agent  "WISEbot"
+SecRule HTTP_User-Agent  "^Shockwave Flash"
+SecRule HTTP_User-Agent  "Missigua"
+
+#comment spam sign
+SecRule HTTP_User-Agent  "compatible \; MSIE"
+
+#Some regexps to catch silly bots
+SecRule REQUEST_URI "!/ps(zones\|comp).txt1" chain
+SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
+SecRule HTTP_User-Agent "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
+SecRule HTTP_User-Agent "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
+SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
+SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$"
+
+#spammer
+SecRule HTTP_User-Agent "Butch__2\.1\.1"
+SecRule HTTP_User-Agent "agdm79@mail\.ru"
+
+#Fake Gameboy UA
+SecRule HTTP_User-Agent "GameBoy\, Powered by Nintendo"
+
+#bogus amiga UA
+SecRule HTTP_User-Agent "Amiga-AWeb/3\.4"
+
+#exploit UA
+SecRule HTTP_User-Agent "Internet Ninja x\.0"
+
+#bogus googlebot UA
+SecRule HTTP_User-Agent "Nokia-WAPToolkit.* googlebot.*googlebot"
+
+#recently caught sending spam referrals, from their actual crawler IP
+SecRule HTTP_User-Agent "BecomeBot"
+
+#Suverybot
+#SecRule HTTP_User-Agent "SurveyBot"
+
+#exploit
+SecRule HTTP_User-Agent "S\.T\.A\.L\.K\.E\.R\."
+SecRule HTTP_User-Agent "NeuralBot/0\.2"
+SecRule HTTP_User-Agent "Kenjin Spider"
+
+#WebvulnScan
+SecRule HTTP_User-Agent "WebVulnScan"
+
+#broken spam tool
+SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"
+
+#PHPBB worm UA
+SecRule HTTP_User-Agent "INTERNET EXPLOITER SUX"
+
+#fake UA
+SecRule HTTP_User-Agent "Windows-Update-Agent"
+
+#exploit
+SecRule HTTP_User-Agent "Internet-exprorer"
+
+# Bad Spider
+SecRule HTTP_User-Agent "hl_ftien_spider"
+
+# PMAFind 
+SecRule HTTP_User-Agent "PMAFind"