• Resolved Thin_

    (@thin_)


    Hello,
    like nearly everyone here i am experiencing constant bot attacks trying to log in to fake or admin accounts and trying to alter code.

    as it seems blocking certain ip ranges is not enough – there are just too many out there… but so far i could identify a certain behavior that starts with a scanner bot to find the login page, followed by a slow brute force attack that comes every european night.

    i would like to block some of those (partly commercial) bots and some console browsers that i find in the live traffic, always before the next attack comes.

    if i go to the advanced blocking:
    and type in: lynx (or) *lynx (or) *lynx* (or) lynx*
    those blocking schemes don’t show any blocked hits
    and i see that specific browser in the live traffic still showing up.

    am i doing something wrong, or do i need to type in the grey line below the user-agent too?

    best regards and thank you,

    you have made a great piece of work here…

    https://wordpress.org/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    Hi,

    Do you have the firewall enabled? Please check the Wordfence options page to confirm.

    Regards,

    Mark.

    Thread Starter Thin_

    (@thin_)

    thanks for your reply, mark

    – and yes, everything is enabled..

    meanwhile i’ve found out that putting in the grey signatures or parts of them – like *mozilla 4.0/* or *MJ12Bot* – works (MJ12 at least sometimes), but rarely using the browser ‘chrome running on linux’ (example) that is written above in black. regarding bots i found that blocking certain signatures is more effective than blocking ip ranges .. but the signature blocking is not as self-explanatory as the ip ranges, since it is hard to guess (still i don’t really know) what the ‘ * ‘ stands for.

    as tracking method i used the php ‘remote_addr’ and the ‘choose this if you see fake addresses’ in the last days, because i got ‘bookmark buddy’ shown as a browser if a googlebot 2.1 from a google ip came along – with both settings. any idea why they send this?

    and something strange happened recently – i got blocked ‘admin’ login attempt messages after a bot from another ip scanned my site, but there never was a direct call for the login page before the login attempt was blocked. in the blocked ips the attacking ip was visible (different from the scan bot) but it never showed up in the traffic log. can people somehow hide themselves or operate invisibly?

    several bots seem to mimic the big ones in order to bypass the firewall – they have exactly the signature as bing, msn, google or baidu, but the wrong ip.. is there a way to filter those bad bots in an intelligent way, although they have exactly the same signature – something like crosschecking the ip in relation to the signature?

    thanks a lot for your efforts – without wordfence i would probably have never found out what people try to do every day.

    regards,

    peter

    Plugin Author Wordfence Security

    (@mmaunder)

    Ah, I see the problem. Yes, the grey line that contains the long browser string in live traffic is the actual user-agent string that identifies the browser and THAT is what you must use for blocking. So if you want to block:

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:22.0) Gecko/20100101 Firefox/22.0

    For example, you can use:

    *Macintosh*

    or *Gecko*

    Which will block anything containing Macintosh or anything containing Gecko, but it will block a lot of other browsers too that contain those words. So if you just want to block one specific culprit just put the whole browser string in there without any asterisks.

    But always use the grey browser string, not the text next to “Browser:”.

    Regards,

    Mark.
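    The wildcard behaviour Mark describes above, as an added example that is not code from the thread or from the Wordfence plugin: a small glob matcher where ‘*’ stands for any run of characters and everything else is literal, run against a handful of user-agent strings. Only the Firefox string is quoted from the reply; the other user-agent strings are constructed for the example, and case-insensitive matching is an assumption, not a documented Wordfence property.

```python
import re

# Constructed sample user-agent strings (the grey line in live traffic).
# The first one is the Firefox string quoted in the reply; the rest are made up here.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:22.0) Gecko/20100101 Firefox/22.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36",
    "Lynx/2.8.8dev.9 libwww-FM/2.14 SSL-MM/1.4.1",
    "Mozilla/5.0 (compatible; MJ12bot/v1.4.3; http://www.majestic12.co.uk/bot.php?+)",
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a Wordfence-style pattern into a regex: '*' matches anything,
    every other character is taken literally (so '/', '(' and '.' are escaped).
    Case-insensitive matching is an assumption made for this example."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def matches(pattern: str, user_agent: str) -> bool:
    # fullmatch: the whole user-agent string must be covered by the pattern,
    # which is why a bare word without asterisks only hits an identical string.
    return glob_to_regex(pattern).fullmatch(user_agent) is not None


def blocked_by(pattern: str, user_agents=SAMPLE_USER_AGENTS) -> list:
    """Return every user-agent string in the sample that the pattern would block."""
    return [ua for ua in user_agents if matches(pattern, ua)]


if __name__ == "__main__":
    for pattern in ("lynx", "*lynx*", "*Gecko*", "*Macintosh*", SAMPLE_USER_AGENTS[0]):
        hits = blocked_by(pattern)
        print(f"{pattern!r}: blocks {len(hits)} of {len(SAMPLE_USER_AGENTS)}")
        for ua in hits:
            print("   ", ua)
```

Running it shows the two things the reply warns about: a bare ‘lynx’ blocks nothing because it has to equal the whole grey string, while ‘*Gecko*’ also catches the Chrome string (its user agent contains “like Gecko”), so the only way to hit one specific culprit is the complete user-agent string with no asterisks.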

    Thread Starter Thin_

    (@thin_)

    Thanks a lot for your help.. !

    is there a way to block user agents that purposely leave their string empty or that use abnormally short strings like only ‘ruby’ or ‘python’?
    strings that are shorter than (let’s say) 10-15 letters?

    Thomas O.

    (@thomas-o)

    It would be easier to use regex and mod_rewrite in your .htaccess file:

    RewriteCond %{HTTP_USER_AGENT} ^.{0,9}$
    RewriteRule ^ - [F]

    So if there are only 9 characters or less in the User Agent string they will get a 403 Forbidden. Make sure to check your server logs so that no legit bots like Google are getting blocked.
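    The “check your server logs” step from the reply above, as an added example that is not code from the thread: it parses a few constructed Apache combined-format log lines, extracts the user-agent field and applies the same `^.{0,9}$` rule the RewriteCond uses, so you can see which entries the rule would turn into 403s before enabling it. The log lines and IP addresses are constructed for the example; Apache writes a missing User-Agent header as `-` in the log, which the rule would see as an empty string and block either way.

```python
import re

# Constructed Apache combined-format log lines (not from the thread).
# IP addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2013:02:14:07 +0200] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "-"
192.0.2.11 - - [01/Aug/2013:02:14:09 +0200] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "ruby"
192.0.2.12 - - [01/Aug/2013:02:14:12 +0200] "GET /xmlrpc.php HTTP/1.1" 200 412 "-" "python"
192.0.2.13 - - [01/Aug/2013:02:15:00 +0200] "GET / HTTP/1.1" 200 8820 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.14 - - [01/Aug/2013:02:15:30 +0200] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"
"""

# One combined-format line: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same pattern as the RewriteCond: nine characters or fewer (including empty).
SHORT_UA = re.compile(r"^.{0,9}$")


def would_be_blocked(user_agent: str, rule: re.Pattern = SHORT_UA) -> bool:
    """True if the rule would answer this user agent with 403 Forbidden."""
    return rule.match(user_agent) is not None


def parse_log(text: str):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify(text: str, rule: re.Pattern = SHORT_UA):
    """Split log entries into (blocked, allowed) lists of (ip, user-agent) pairs."""
    blocked, allowed = [], []
    for rec in parse_log(text):
        target = blocked if would_be_blocked(rec["ua"], rule) else allowed
        target.append((rec["ip"], rec["ua"]))
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = classify(SAMPLE_LOG)
    print("would get 403:")
    for ip, ua in blocked:
        print(f"   {ip:<12} {ua!r}")
    print("still allowed:")
    for ip, ua in allowed:
        print(f"   {ip:<12} {ua!r}")
```

On the sample, the empty, ‘ruby’ and ‘python’ entries are the ones the rule would refuse, while the Googlebot and Firefox lines pass untouched; running the same classification over a real access log is the check the reply recommends before relying on the rule.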

  • The topic ‘User-Agents are not being blocked?’ is closed to new replies.