Programs: Lock up your servers against Fusker

raymor · 2005-03-29, 07:24 PM

That long anti-ripper .htaccess is bad/wrong
in at least a couple ways. All of those rules will
impact performance. Even with all of those rules,
though, it's not nearly complete, so it won't block
more than half of the rippers.
The first rule of security is to disallow everything
that isn't specifically allowed.
That .htaccess violates that rule, leading to
the two problems I mentioned.
Rather, it would be better to list the 3 or 4 user agents
that are allowed and disallow everything else.
You'd allow IE, the Gecko browsers (Mozilla, Firefox and Safari are all Gecko and
thus would probably use just one rule),
Opera and perhaps you'd come up with a couple more.
Anything besides IE, Firefox, Safari, Mozilla, and Opera would be redirected.
Of course you may wish to also allow the main SE spiders.

This also has the inherent flaw that you're
assuming one thing based on another thing,
and in fact based on what the user tells you.
The major rippers will let the user set the User-agent
however they want, so just because it
SAYS it's IE doesn't mean that it is.
In fact several rippers are IE based and will therefore report as IE.
On the other hand some people using IE, Mozilla, or Firefox set their user-agent
to something else, such as "None of Your Business Version 0".
But in fact it's not the software name that you're
concerned with, it's a particular BEHAVIOR of the software.
So why not blocked based on that behavior?
That's what Strongbox does. Strongbox blocks
anyone who goes ripping your site, blindly following every single link.
On the other hand it does not block any browser where
the user actually clicks on the links.
THAT is what you really want to block, so that's
what Strongbox looks at, rather than the reported
name of the software.

Verbal · 2005-04-01, 11:41 AM

Quote:

Originally Posted by raymor

Rather, it would be better to list the 3 or 4 user agents that are allowed and disallow everything else.

This is some sound advice right here, instead of maintaining a huge blocked list.

2005-03-29, 07:24 PM	#1
raymor The only guys who wear Hawaiian shirts are gay guys and big fat party animals Join Date: Jan 2004 Posts: 178	That long anti-ripper .htaccess is bad/wrong in at least a couple ways. All of those rules will impact performance. Even with all of those rules, though, it's not nearly complete, so it won't block more than half of the rippers. The first rule of security is to disallow everything that isn't specifically allowed. That .htaccess violates that rule, leading to the two problems I mentioned. Rather, it would be better to list the 3 or 4 user agents that are allowed and disallow everything else. You'd allow IE, the Gecko browsers (Mozilla, Firefox and Safari are all Gecko and thus would probably use just one rule), Opera and perhaps you'd come up with a couple more. Anything besides IE, Firefox, Safari, Mozilla, and Opera would be redirected. Of course you may wish to also allow the main SE spiders. This also has the inherent flaw that you're assuming one thing based on another thing, and in fact based on what the user tells you. The major rippers will let the user set the User-agent however they want, so just because it SAYS it's IE doesn't mean that it is. In fact several rippers are IE based and will therefore report as IE. On the other hand some people using IE, Mozilla, or Firefox set their user-agent to something else, such as "None of Your Business Version 0". But in fact it's not the software name that you're concerned with, it's a particular BEHAVIOR of the software. So why not blocked based on that behavior? That's what Strongbox does. Strongbox blocks anyone who goes ripping your site, blindly following every single link. On the other hand it does not block any browser where the user actually clicks on the links. THAT is what you really want to block, so that's what Strongbox looks at, rather than the reported name of the software. __________________ Ray Morris support@bettercgi.com Strongbox/Throttlebox & more TXDPS #A14012