How can I block a user agent from all sites on my server?
I originally posted this at webmasters.stackexchange.com, but was told I'd get a better reception here.
For the last few days, I've been suffering from what appears to be a (presumably inadvertent) DDOS attack. I've been getting so many requests from an agent identifying as "Mozilla/4.0 (compatible; ICS)" that apache eats through all the available memory.
Consequently, I'd like to block all requests accompanied by this user agent, so I tried doing this in httpd.conf:
SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; ICS)" bad_user
Deny from env=bad_user
But when I restart apache it complains about using deny here. Without having to wrap it in a location or directory block, which would mean I'd have to add a new block for each site, is there any way I can deny access to the whole server?
UPDATE: The error I get
- Restarting web server apache2
Syntax error on line 4 of /etc/apache2/httpd.conf: deny not allowed here [fail]
Looks like an old question now, but I wanted to do the same and found the answer from nerve above.
It's not quite right as is - seems to me that it should be <Location "/">, and the SetEnvIf needs a regular expression so the parentheses need to be quoted.
This worked for me to apply the access control across all vhosts:
SetEnvIfNoCase User-Agent "^Mozilla/4.0 \(compatible; Synapse\)" bad_ua
<Location "/">
Deny from env=bad_ua
</Location>
Just include that before the vhost definitions.
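Why the quoting of the parentheses matters, as an added example that is not part of the original question or answers: the sketch below escapes a literal User-Agent into a SetEnvIfNoCase pattern and compares it with the unescaped pattern from the question. Assumptions: Python's re stands in for Apache's regex engine (they agree on these simple patterns), the helper names and sample User-Agent strings are constructed for illustration, and anchoring with both ^ and $ is a choice of this example.

```python
import re

# PCRE metacharacters that need a backslash to be matched literally.
META = set(r"\.^$|?*+()[]{}")

# The pattern from the question, parentheses unescaped.
QUESTION_PATTERN = "Mozilla/4.0 (compatible; ICS)"

# Constructed sample User-Agent headers (not taken from real logs).
SAMPLE_AGENTS = [
    "Mozilla/4.0 (compatible; ICS)",
    "mozilla/4.0 (COMPATIBLE; ics)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "Mozilla/4.0 compatible; ICS",
]


def ua_to_regex(literal_ua):
    """Escape a literal User-Agent and anchor it so only that exact string matches."""
    if '"' in literal_ua or "\\" in literal_ua:
        # Quotes and backslashes also interact with httpd.conf quoting; out of scope here.
        raise ValueError("user agent contains a quote or backslash")
    escaped = "".join("\\" + ch if ch in META else ch for ch in literal_ua)
    return "^" + escaped + "$"


def setenvif_line(literal_ua, env_var="bad_ua"):
    """Build the SetEnvIfNoCase directive for a literal User-Agent string."""
    return 'SetEnvIfNoCase User-Agent "%s" %s' % (ua_to_regex(literal_ua), env_var)


def flagged(pattern, agents):
    """Return the agents the pattern matches: unanchored, case-insensitive search."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [ua for ua in agents if rx.search(ua)]


if __name__ == "__main__":
    target = SAMPLE_AGENTS[0]
    print(setenvif_line(target))
    print("unescaped pattern flags:", flagged(QUESTION_PATTERN, SAMPLE_AGENTS))
    print("escaped pattern flags:  ", flagged(ua_to_regex(target), SAMPLE_AGENTS))
```

With the parentheses unescaped they form a capture group, so the pattern flags only the agent string that has no parentheses and misses the one it was written for.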
mod_rewrite can be configured at the server level according to the docs:
RewriteCond %{HTTP_USER_AGENT} "Mozilla/4\.0 \(compatible; ICS\)" [nocase]
RewriteRule ^.*$ - [forbidden,last]
Don't forget to escape the regex in the RewriteCond.