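# Blacklist IPs, User Agents and Referrers
#
# Answers with a 403 and closes the connection when the request's client IP,
# User-Agent or session cookie matches one of the data groups below.
#
# Make sure the following data groups (classes) exist before using this iRule.
# Entries are matched against the data-group key name; the key value is not used.
#   blacklist_IPs         - disallowed true client IP addresses
#   blacklist_user_agents - disallowed User-Agent strings, matched as substrings
#                           of the lowercased header; all entries should be lowercase
#   blacklist_referer     - disallowed Referer headers; all entries should be
#                           lowercase (the referer check below is commented out)
#   blacklist_sid         - disallowed session IDs; all entries should be lowercase
#
# Logging is controlled by BAIU_LOG_LVL, set in CLIENT_ACCEPTED (0 turns it off).
#
# Dependencies: $tip and $waf_uid are read here but never assigned in this
# iRule. They must be set by a rule that runs before priority 621 on the same
# virtual server; reading an unset variable raises a Tcl runtime error.
# NOTE(review): $tip is presumably derived from the True-Client-IP header -
# confirm. That header can only be trusted if the edge overwrites any
# client-supplied value and the virtual server accepts traffic from the edge only.

when CLIENT_ACCEPTED priority 620 {
    # 0 - NONE, 1 - LOW, 2 - MEDIUM, 3 - VERBOSE
    set BAIU_LOG_LVL 1

    # Last value that matched each blacklist on this connection.
    set n_tip ""
    set n_user_agent ""
    #set n_refer ""
    set n_sid ""
    set allowed ""
}

when HTTP_REQUEST priority 621 {
    # Troubleshooting line. It fires on every request and records a request
    # header value verbatim, so it is emitted at VERBOSE only.
    if { $BAIU_LOG_LVL >= 3 } {
        log local0. "TIP: $tip EdgeIP: [IP::client_addr] VIP: [virtual name] - True-Client-IP Header value: [HTTP::header "True-Client-IP"]."
    }

    # Lowercase the User-Agent so it can be compared with the lowercase data group.
    set t_user_agent [string tolower [HTTP::header "User-Agent"]]
    #set t_refer [string tolower [HTTP::header "Referer"]]

    # Session identifiers are fixed character ranges cut out of two cookies.
    # NOTE(review): these values are not lowercased, while blacklist_sid entries
    # are documented as lowercase; an "equals" match misses a cookie value that
    # contains uppercase characters - confirm the expected cookie format.
    set sid [string range [HTTP::cookie AKAMTMXSID] 0 18 ]
    set jsid [string range [HTTP::cookie JSESSIONID_AUTHENTICATION] 52 75 ]

    # Host and path are captured once for the log lines below.
    set baiu_host [HTTP::host]
    set uri [HTTP::path]

    set allowed 1

    # Each check has its own branch so that the log says which list matched.
    # The log lines carry cookie-derived session fragments and the raw
    # User-Agent; treat the local0 log destination as sensitive and its
    # content as untrusted input.

    # The IP list can only be consulted when a client IP is known.
    if { $tip ne "" } {
        if { [class match $tip equals blacklist_IPs] } {
            set n_tip $tip
            set allowed 0
            if { $BAIU_LOG_LVL >= 1 } { log local0. "BLACKLISTING: IP: $tip EdgeIP: [IP::client_addr] VIP: [virtual name] SID: $sid~$jsid UID: $waf_uid HOST: [HTTP::host] HOST: $baiu_host HOST: $baiu_host URI: $uri ~ Blacklisted client IP matched: $n_tip" }
        }
    }

    # The User-Agent and session checks do not depend on $tip. They run for
    # every request so that a request arriving without a client IP value is
    # still held to these lists instead of passing unchecked.
    if { [class match $t_user_agent contains blacklist_user_agents] } {
        set n_user_agent $t_user_agent
        set allowed 0
        if { $BAIU_LOG_LVL >= 1 } { log local0. "BLACKLISTING: IP: $tip EdgeIP: [IP::client_addr] VIP: [virtual name] SID: $sid~$jsid UID: $waf_uid HOST: [HTTP::host] HOST: $baiu_host HOST: $baiu_host URI: $uri ~ Blacklisted user agent matched: $n_user_agent" }
    }

    if { [class match $sid equals blacklist_sid] } {
        set n_sid $sid
        set allowed 0
        if { $BAIU_LOG_LVL >= 1 } { log local0. "BLACKLISTING: IP: $tip EdgeIP: [IP::client_addr] VIP: [virtual name] SID: $sid~$jsid UID: $waf_uid HOST: [HTTP::host] HOST: $baiu_host HOST: $baiu_host URI: $uri ~ Blacklisted SID matched: $n_sid" }
    }

    if { [class match $jsid equals blacklist_sid] } {
        set n_sid $jsid
        set allowed 0
        if { $BAIU_LOG_LVL >= 1 } { log local0. "BLACKLISTING: IP: $tip EdgeIP: [IP::client_addr] VIP: [virtual name] SID: $sid~$jsid UID: $waf_uid HOST: [HTTP::host] HOST: $baiu_host HOST: $baiu_host URI: $uri ~ Blacklisted JSESSIONID matched: $n_sid" }
    }

    # Referer check, disabled:
    #if { [class match $t_refer equals blacklist_referer] } {
    #    set n_refer $t_refer
    #    set allowed 0
    #    if { $BAIU_LOG_LVL >= 3 } { log local0. "BLACKLISTING: IP: $tip EdgeIP: [IP::client_addr] VIP: [virtual name] SID: $sid~$jsid UID: $waf_uid HOST: [HTTP::host] HOST: $baiu_host HOST: $baiu_host URI: $uri ~ Blacklisted referer matched: $n_refer" }
    #}

    # Tcl requires whitespace between the closing brace of the condition and
    # the opening brace of the body.
    if { $allowed ne "1" } {
        # Change the below line to "drop" to drop the TCP connection instead
        HTTP::respond 403 content { ٩(͡๏̯͡๏)۶ blocked ¯\_(ツ)_/¯ } noserver
        # Close TCP connection so client can't make further requests
        # NOTE(review): verify on the target TMOS version that the 403 is
        # delivered before reject resets the connection.
        reject
    } else {
        # Request has been allowed
        if { $BAIU_LOG_LVL >= 3 } { log local0. "ALLOWING-BLOCKING: Request allowed for $tip" }
    }
}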