How to block request "Cookie: mstshash=NCRACK_USER"?

ExtensionsApp · Sep 16, 2017 · Viewed 8.2k times

Today there were a lot of requests from bots. How can I block them in Nginx or Fail2ban?

# tail -f -n 100 /var/log/nginx/access.log
176.28.122.158 - - [16/Sep/2017:16:00:16 +0300] "GET /actor/%D0%A2%D0%B8%D0%BC%D0%BE%D1%82%D0%B8%20%D0%A0%D0%B5%D0%B4%D1%84%D0%BE%D1%80%D0%B4 HTTP/1.1" 200 18298 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:16 +0300] "GET /actor/%D0%99%D0%BE%D1%85%D0%B0%D0%BD%20%D0%A5%D0%B5%D0%BB%D0%B4%D0%B5%D0%BD%D0%B1%D0%B5%D1%80%D0%B3 HTTP/1.1" 200 18390 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:16 +0300] "GET /movie/id569071-zhena-smotritelya-zooparka-the-zookeeper-s-wife HTTP/1.1" 200 33660 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:17 +0300] "GET /movie/id885658-dzhon-uik-2-john-wick-chapter-two HTTP/1.1" 200 32346 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:17 +0300] "GET /movie/id885658-dzhon-uik-2-john-wick-chapter-two HTTP/1.1" 200 32346 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:17 +0300] "GET /year/2017 HTTP/1.1" 200 72389 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:17 +0300] "GET /country/%D0%A1%D0%A8%D0%90 HTTP/1.1" 200 71408 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:17 +0300] "GET /genre/%D1%82%D1%80%D0%B8%D0%BB%D0%BB%D0%B5%D1%80 HTTP/1.1" 200 73832 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:17 +0300] "GET /genre/%D0%B1%D0%BE%D0%B5%D0%B2%D0%B8%D0%BA HTTP/1.1" 200 72251 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:18 +0300] "GET /genre/%D0%BA%D1%80%D0%B8%D0%BC%D0%B8%D0%BD%D0%B0%D0%BB HTTP/1.1" 200 62785 "-" "Java/1.6.0_24" "-"
176.28.122.158 - - [16/Sep/2017:16:00:18 +0300] "GET /director/%D0%A7%D0%B0%D0%B4%20%D0%A1%D1%82%D0%B0%D1%85%D0%B5%D0%BB%D1%81%D0%BA%D0%B8 HTTP/1.1" 200 17674 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:18 +0300] "GET /actor/%D0%9A%D0%B8%D0%B0%D0%BD%D1%83%20%D0%A0%D0%B8%D0%B2%D0%B7 HTTP/1.1" 200 17408 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:18 +0300] "GET /actor/%D0%A0%D1%83%D0%B1%D0%B8%20%D0%A0%D0%BE%D1%83%D0%B7 HTTP/1.1" 200 17362 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:18 +0300] "GET /actor/%D0%98%D1%8D%D0%BD%20%D0%9C%D0%B0%D0%BA%D0%A8%D0%B5%D0%B9%D0%BD HTTP/1.1" 200 17454 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:19 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:19 +0300] "GET /actor/%D0%9A%D0%BE%D0%BC%D0%BC%D0%BE%D0%BD HTTP/1.1" 200 17247 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:19 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:19 +0300] "GET /actor/%D0%A0%D0%B8%D0%BA%D0%BA%D0%B0%D1%80%D0%B4%D0%BE%20%D0%A1%D0%BA%D0%B0%D0%BC%D0%B0%D1%80%D1%87%D0%BE HTTP/1.1" 200 17730 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:19 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:19 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:19 +0300] "GET /movie/id885658-dzhon-uik-2-john-wick-chapter-two HTTP/1.1" 200 32346 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:19 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:19 +0300] "GET /type/%D1%84%D0%B8%D0%BB%D1%8C%D0%BC%D1%8B/2 HTTP/1.1" 200 71649 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:19 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:20 +0300] "GET /type/%D1%84%D0%B8%D0%BB%D1%8C%D0%BC%D1%8B/3 HTTP/1.1" 200 51007 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:20 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:20 +0300] "GET /type/%D1%84%D0%B8%D0%BB%D1%8C%D0%BC%D1%8B/4 HTTP/1.1" 200 18296 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:20 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:20 +0300] "GET /type/%D1%84%D0%B8%D0%BB%D1%8C%D0%BC%D1%8B/5 HTTP/1.1" 200 18296 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:20 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:20 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:20 +0300] "GET /movie/id589290-begushii-po-lezviyu-2049-blade-runner-2049 HTTP/1.1" 200 33391 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:20 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:20 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:21 +0300] "GET /movie/id623250-chernaya-pantera-black-panther HTTP/1.1" 200 32793 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:21 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:21 +0300] "GET /content/8-y-sezon-kultovogo-seriala-igra-prestolov-vyydet-ne-ranshe-2019-goda HTTP/1.1" 200 36418 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:21 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:21 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
176.28.122.158 - - [16/Sep/2017:16:00:21 +0300] "GET /content/vankuver-nodovolen-semkami-filma-dedpul-2 HTTP/1.1" 200 35782 "-" "Java/1.6.0_24" "-"
199.168.139.211 - - [16/Sep/2017:16:00:21 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:21 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:21 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:22 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:22 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:22 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:22 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
199.168.139.211 - - [16/Sep/2017:16:00:22 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"

There are mentions of this bot from 2012.

11 Jan 2012 - https://twitter.com/mubix/status/157115321155723264

3 Oct 2012 - https://twitter.com/mubix/status/253705438581903360

Answer

Tarun Lalwani · Sep 18, 2017

Instead of blocking what is a bad method, one should allow what is an acceptable good method.

# Advertise the permitted methods; "always" (nginx 1.7.5+) adds the header
# to error responses such as the 405 below as well.
add_header Allow "GET, POST, HEAD" always;
# Reject any request whose method is not on the allow-list.
if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
    return 405;
}

You will have to add more methods to this list if your app uses methods like PUT, PATCH, DELETE or OPTIONS.

Or you can block the request using the approach mentioned below:

https://serverfault.com/questions/772833/fail2ban-regex-to-block-x00-requests
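What the log actually shows, plus an offline check of the Fail2ban route the question asks about (an added example, not part of the answer above or of any fail2ban-shipped filter): the bytes nginx escaped as \x03\x00\x00 are a TPKT header, and "Cookie: mstshash=" is the routing cookie of an RDP X.224 Connection Request, so these are RDP login attempts from Ncrack (NCRACK_USER is its placeholder username) sent to the web port. nginx cannot parse that request line and answers 400 during request-line parsing, before the rewrite phase in which a server-level `if` on `$request_method` runs, so the method allow-list in the answer never sees these requests; they have to be handled from the log (fail2ban) or at the firewall. The Python below holds a hypothetical filter.d file, converts its failregex the way fail2ban does (`<HOST>` becomes a host group; fail2ban also strips the timestamp it detected before matching, which the `\[[^\]]*\]` part tolerates), and replays it over lines copied from the question's access.log plus one constructed benign line, using assumed maxretry/findtime values. The filter file name, the jail values and the benign line are assumptions.

```python
"""Offline replay of a fail2ban filter for the RDP/Ncrack probes in the question.

Added example, not code from the original post.  The filter file name, the
jail values and the benign log line are assumptions; the other log lines are
copied from the question's access.log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Text for a hypothetical /etc/fail2ban/filter.d/nginx-rdp-probe.conf.
# nginx writes the non-printable bytes of the request line as the *text*
# "\x03\x00\x00" (backslash, x, digits), so the regex needs "\\x03" to match
# a literal backslash rather than a 0x03 byte.  fail2ban removes the timestamp
# it detected before applying failregex, which is why "\[[^\]]*\]" also
# accepts an empty "[]".  Requiring status 400 limits the match to requests
# nginx itself rejected.
FILTER_CONF = r'''[Definition]
failregex = ^<HOST> - - \[[^\]]*\] "\\x03\\x00\\x00.*mstshash=[^"]*" 400 \d+
ignoreregex =
'''

# Assumed jail.local settings reproduced by scan() below.
MAXRETRY = 5
FINDTIME = timedelta(seconds=60)

_TS = re.compile(r"\[([^\]]+)\]")


def load_failregex(conf: str) -> re.Pattern:
    """Extract failregex from the filter text and compile it as fail2ban would.

    fail2ban substitutes <HOST> with its own IPv4/IPv6/hostname pattern; a
    non-whitespace run is a simplification that is sufficient for this log.
    """
    m = re.search(r"^failregex\s*=\s*(.*)$", conf, re.MULTILINE)
    if m is None:
        raise ValueError("filter has no failregex")
    return re.compile(m.group(1).replace("<HOST>", r"(?P<host>\S+)"))


def parse_timestamp(line: str) -> datetime:
    """Parse the bracketed nginx timestamp, e.g. [16/Sep/2017:16:00:16 +0300]."""
    m = _TS.search(line)
    if m is None:
        raise ValueError(f"no timestamp in line: {line!r}")
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def scan(lines, failregex, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay fail2ban's ban rule over log lines.

    Returns (total matches per host, hosts that reached `maxretry` matches
    inside some `findtime` window and would therefore be banned).
    """
    counts = defaultdict(int)
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        m = failregex.search(line)
        if m is None:
            continue
        host = m.group("host")
        ts = parse_timestamp(line)
        counts[host] += 1
        # Keep only the matches still inside the sliding findtime window.
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return dict(counts), banned


# Lines 1-5 and 7 are copied from the question's access.log; line 6 is a
# constructed benign request that merely mentions the cookie text.
SAMPLE_LOG = [
    r'176.28.122.158 - - [16/Sep/2017:16:00:16 +0300] "GET /year/2017 HTTP/1.1" 200 72389 "-" "Java/1.6.0_24" "-"',
    r'199.168.139.211 - - [16/Sep/2017:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"',
    r'199.168.139.211 - - [16/Sep/2017:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"',
    r'199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"',
    r'199.168.139.211 - - [16/Sep/2017:16:00:17 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"',
    r'203.0.113.7 - - [16/Sep/2017:16:00:18 +0300] "GET /search?q=mstshash%3DNCRACK_USER HTTP/1.1" 200 5120 "-" "curl/7.55.1" "-"',
    r'199.168.139.211 - - [16/Sep/2017:16:00:18 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"',
]

if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG, load_failregex(FILTER_CONF))
    for host, n in counts.items():
        print(f"{host}: {n} matches{' -> ban' if host in banned else ''}")
```

Run stand-alone it reports one host, 199.168.139.211, with five matches and a ban at the assumed maxretry of 5; the Java crawler and the constructed benign line are never counted. To use the filter for real, write FILTER_CONF to the filter.d file, add a jail pointing at /var/log/nginx/access.log with your own maxretry/findtime, and check it with `fail2ban-regex /var/log/nginx/access.log nginx-rdp-probe` before enabling the jail.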