Closed respbuy closed 4 months ago
respbuy
commented
4 months ago Thanks Mitchel for the quick commit. I see you have added " BrowserMatchNoCase "(?:\b)axios(?:\b)" bad_bot " in globalconfig file. I did the same in useragent blacklist file but it didnt work. Just fyi, are you sure if this will work?
mitchellkrogza
commented
4 months ago mitchellkrogza
commented
4 months ago Thanks Mitchel for the quick commit. I see you have added " BrowserMatchNoCase "(?:\b)axios(?:\b)" bad_bot " in globalconfig file. I did the same in useragent blacklist file but it didnt work. Just fyi, are you sure if this will work?
It should work as we match without any numbers on the end which inevitably change all the time. Please test and confirm and let me know.
respbuy
commented
4 months ago Hello Mitchell
It is not working, i am still getting flood , see below: 13.201.19.39 - - [02/Mar/2024:06:15:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:32 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:32 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:33 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:33 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 13.201.19.39 - - [02/Mar/2024:06:15:33 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7"
RespBuy
mitchellkrogza
commented
4 months ago Have you tested other agents in my lists to see it's catching them?
curl -A "Discobot" http://yourdomain.com
curl -A "Octopus" http://yourdomain.comAlso scan your logs for all "403" errors to see others are being caught and if it's only axios that's not
respbuy
commented
4 months ago Please see below the curl outcome.
root@respbuy-mumbai:~# curl -A "Discobot" https://respbuy.com <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
You don't have permission to access this resource.
root@respbuy-mumbai:~# curl -A "Octopus" https://respbuy.comYou don't have permission to access this resource.
Respbuy is the largest online store for medical equipment, products, supplies, and medical devices. Genuine Price | Warranty | Free Shipping*
mitchellkrogza
commented
4 months ago I added two new tests to the build script and it is blocking it in both forms
<title>403 Forbidden</title>
<h1>Forbidden</h1>
PASSED - AXIOS BAD BOT DETECTED
<title>403 Forbidden</title>
<h1>Forbidden</h1>
PASSED - AXIOS BAD BOT DETECTEDthe tests
run_curltest13 () {
if curl -A "axios" http://localhost:80/index.html 2>&1 | grep -i 'Forbidden'; then
echo "${bold}${green}PASSED - ${red}AXIOS BAD BOT DETECTED"
else
echo "${bold}${red}FAILED - ${red}AXIOS BAD BOT NOT DETECTED"
exit 1
fi
}
run_curltest14 () {
if curl -A "axios/1.6.7" http://localhost:80/index.html 2>&1 | grep -i 'Forbidden'; then
echo "${bold}${green}PASSED - ${red}AXIOS BAD BOT DETECTED"
else
echo "${bold}${red}FAILED - ${red}AXIOS BAD BOT NOT DETECTED"
exit 1
fi
}Thanks Mitchel for the quick commit. I see you have added " BrowserMatchNoCase "(?:\b)axios(?:\b)" bad_bot " in globalconfig file. I did the same in useragent blacklist file but it didnt work. Just fyi, are you sure if this will work?
Remove them from any other include files and just leave the one that is now in globalblacklist.conf
mitchellkrogza
commented
4 months ago Please see below the curl outcome.
root@respbuy-mumbai:~# curl -A "Discobot" https://respbuy.com
403 Forbidden Forbidden
You don't have permission to access this resource.
root@respbuy-mumbai:~# curl -A "Octopus" https://respbuy.com
403 Forbidden Forbidden
You don't have permission to access this resource.
RespBuyRespbuy - Online Store for Medical Equipment & AccessoriesRespbuy is the largest online store for medical equipment, products, supplies, and medical devices. Genuine Price | Warranty | Free Shipping*
My test
curl -A "axios" https://respbuy.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>Respbuy is the largest online store for medical equipment, products, supplies, and medical devices. Genuine Price | Warranty | Free Shipping*
respbuy
commented
4 months ago Ok, I have now removed the config from other file (blacklist-user-agents.conf). Let me test and come back.
mitchellkrogza
commented
4 months ago Seems fine from my side
$ curl -A "axios" https://respbuy.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
$ curl -A "axios/1.6.7" https://respbuy.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
$ curl -A "axios/1.6.7.10.22.555" https://respbuy.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
Thanks for checking but i still see many floods in access.log
13.232.155.149 - - [02/Mar/2024:07:18:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:57 +0000] "GET /product/respbuy-xzgkrasuowwrs/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:56 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:58 +0000] "GET /product/respbuy-ajynkafxhsdqebframysqmkjqlwoplcggdjlwihmqyjbu/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:57 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:59 +0000] "GET /product/respbuy-wltjhvzzxloibakyknkuxdm/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:58 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:00 +0000] "GET /product/respbuy-udmtpldzacpnccqqdzsyjpvzoffbnhprhecxuz/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:59 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:01 +0000] "GET /product/respbuy-qqbuzoohjfvxjpgdzdianjikqzgnoeiwzuysvugtzesxpvfbq/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:02 +0000] "GET /product/respbuy-yjoawbruscdpftohzuzkunb/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "GET /product/respbuy-cjgrywfvcxffnrdwjhnhtssuppafdnhevekfbupwastrvnonzhyspvzbcwnllgzokwavftgvluxwqhlclaffywrmow/ HTTP/1.1" 403 3494 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "GET /product/respbuy-krxclwemuiftnyrahtfnydpztlfvxoqimrmpgrjwibazrf/ HTTP/1.1" 403 3494 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:13 +0000] "GET /product/respbuy-uwidfhbmxnqlqm/ HTTP/1.1" 403 3494 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:14 +0000] "GET /product/respbuy-tjrgybszkalojgdlnczpebhawdjwtkbjvywcpujhqozneqjcrnylkvurxtmbygzhvlifikkmrim/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:13 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:15 +0000] "GET /product/respbuy-bvvnuwwocbjbfpkjtpvzmwhxvthgjcltrmwjbvasvzvktcdveoqeicifboszlbyxonzsjdzf/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:14 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:16 +0000] "GET /product/respbuy-zsfeiqqqjibohbnvquoonfbxywgmkdgzygogawynccoxkaqcrdofzxqwloepaxq/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:17 +0000] "GET /product/respbuy-ztcrohytinytqyopedhaiohsawpobzpgqjnzukwppknxahbayidwhmaddzlcehpwwsklqbkugke/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:16 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7"
mitchellkrogza
commented
4 months ago Thanks for checking but i still see many floods in access.log
13.232.155.149 - - [02/Mar/2024:07:18:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:57 +0000] "GET /product/respbuy-xzgkrasuowwrs/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:56 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:58 +0000] "GET /product/respbuy-ajynkafxhsdqebframysqmkjqlwoplcggdjlwihmqyjbu/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:57 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:59 +0000] "GET /product/respbuy-wltjhvzzxloibakyknkuxdm/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:58 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:00 +0000] "GET /product/respbuy-udmtpldzacpnccqqdzsyjpvzoffbnhprhecxuz/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:18:59 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:01 +0000] "GET /product/respbuy-qqbuzoohjfvxjpgdzdianjikqzgnoeiwzuysvugtzesxpvfbq/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:02 +0000] "GET /product/respbuy-yjoawbruscdpftohzuzkunb/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.232.155.149 - - [02/Mar/2024:07:19:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "GET /product/respbuy-cjgrywfvcxffnrdwjhnhtssuppafdnhevekfbupwastrvnonzhyspvzbcwnllgzokwavftgvluxwqhlclaffywrmow/ HTTP/1.1" 403 3494 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "GET /product/respbuy-krxclwemuiftnyrahtfnydpztlfvxoqimrmpgrjwibazrf/ HTTP/1.1" 403 3494 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:13 +0000] "GET /product/respbuy-uwidfhbmxnqlqm/ HTTP/1.1" 403 3494 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:14 +0000] "GET /product/respbuy-tjrgybszkalojgdlnczpebhawdjwtkbjvywcpujhqozneqjcrnylkvurxtmbygzhvlifikkmrim/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:13 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3676 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:15 +0000] "GET /product/respbuy-bvvnuwwocbjbfpkjtpvzmwhxvthgjcltrmwjbvasvzvktcdveoqeicifboszlbyxonzsjdzf/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:14 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:16 +0000] "GET /product/respbuy-zsfeiqqqjibohbnvquoonfbxywgmkdgzygogawynccoxkaqcrdofzxqwloepaxq/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:17 +0000] "GET /product/respbuy-ztcrohytinytqyopedhaiohsawpobzpgqjnzukwppknxahbayidwhmaddzlcehpwwsklqbkugke/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 43.204.218.232 - - [02/Mar/2024:07:21:16 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7"
Its blocking the GET requests not the POST requests to admin-ajax.php
43.204.218.232 - - [02/Mar/2024:07:21:16 +0000] "**GET** /product/respbuy-zsfeiqqqjibohbnvquoonfbxywgmkdgzygogawynccoxkaqcrdofzxqwloepaxq/ HTTP/1.1" **403** 428 "-" "axios/1.6.7"
43.204.218.232 - - [02/Mar/2024:07:21:15 +0000] "**POST** /wp-admin/admin-ajax.php HTTP/1.1" **200** 610 "https://respbuy.com/my-account/" "axios/1.6.7"You will need to figure out an .htaccess rule to block access to admin-ajax.php or only allow your own / local IP's to access it. I can't add that kind of blocking to the blocker as it will be undesirable for many
ryantcarter
commented
4 months ago We use axios to fetch data from our headless WordPress instances in Nuxt.
Is there potential to add a whitelist for UA's?
mitchellkrogza
commented
4 months ago We use axios to fetch data from our headless WordPress instances in Nuxt.
Is there potential to add a whitelist for UA's?
Please add axios to https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/blob/master/Apache_2.4/custom.d/blacklist-user-agents.conf
This file is both a black & whitelist for users to add their own, it will override the globalblacklist.conf Once added reload apache, test and let me know if resolved.
respbuy
commented
4 months ago Hi Mitchell, Though i see 403 for this UA, however its still eating up server resources to 100%, specially memory.
mitchellkrogza
commented
4 months ago Hi Mitchell, Though i see 403 for this UA, however its still eating up server resources to 100%, specially memory.
That's because it's abusing your admin-ajax.php and overloading your server. Try block all outside access to admin-ajax.php and only allow your local server IP and your own IP access. You will need to Google for a fix to that. Alternatively block their IP in the custom include file for IP's and keep adding new ones as they change them.
mitchellkrogza
commented
4 months ago We use axios to fetch data from our headless WordPress instances in Nuxt.
Is there potential to add a whitelist for UA's?
Any update?
mitchellkrogza
commented
4 months ago Axios has been removed from the globalblacklist due to complaints. It is a popular nodejs library. You will need to block it in your own custom blacklist, instead.
mitchellkrogza
commented
4 months ago
addition as a bad bot..
Started since yesterday.. nasty one.. coming up with dynamic ips (approx 250 ips noted till now)
access.log prints: 13.233.254.45 - - [02/Mar/2024:04:35:25 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.233.254.45 - - [02/Mar/2024:04:35:27 +0000] "GET /product/respbuy-utbjmmtrjhbtlnbxbcrdxmqbllvacwtms/ HTTP/1.1" 403 428 "-" "axios/1.6.7" 13.233.254.45 - - [02/Mar/2024:04:35:26 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 610 "https://respbuy.com/my-account/" "axios/1.6.7" 13.233.254.45 - - [02/Mar/2024:04:35:28 +0000] "GET /product/respbuy-neexvvpqzhawnpoofmcjnopwwwwtxttykzbqqxypkjrhkymurisdyrsrrrvpurdwxyndseeoteyt/ HTTP/1.1" 403 428 "-" "axios/1.6.7"
eats up entire sever memory in second by the DDoS attack.