Block scanners using agent strings

Here are some scanners whose User-Agent strings you should really block:

  • sqlmap
  • havij
  • nmap
  • nessus
  • absinthe
  • nikto
  • w3af
  • pangolin
  • bsqlbf
  • sql power injector
  • mysqloit
  • netsparker
  • wpscan

And whilst they are not scanners, I would even consider:

  • libwww-perl
  • curl
  • wget

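In Apache

Modify the .htaccess:

RewriteEngine On
# [NC] makes each match case-insensitive, e.g. a User-Agent containing "Nikto"
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} havij [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nikto [NC]
# "^" matches every request, including the empty path of the directory root
RewriteRule ^ - [F,L]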

On F5

when HTTP_REQUEST {
    # Log every User-Agent seen
    log local0. "User-Agent:[HTTP::header "User-Agent"]"
    # Lower-case the header so the glob patterns match regardless of case
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
        "*sqlmap*" -
        "*havij*" -
        "*nmap*" -
        "*nessus*" -
        "*absinthe*" -
        "*nikto*" -
        "*w3af*" -
        "*pangolin*" -
        "*bsqlbf*" -
        "*sql power injector*" -
        "*mysqloit*" -
        "*netsparker*" {
            # Drop the request unless it comes from 10.10.10.10
            if { !([IP::addr [IP::client_addr] equals 10.10.10.10]) } {
                discard
                log local0. "[HTTP::header "User-Agent"] discarding."
            }
        }
    }
}
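
Before switching on either rule it helps to see what it would hit. The following is an added example, not part of the original post: a Python dry run that applies the same case-insensitive substring match, and the same 10.10.10.10 exemption, to access log lines. It assumes Apache's combined log format; the sample lines, the documentation-range IPs and the "GreenMapper" agent are constructed.

```python
import re

# Substrings from the list above, matched case-insensitively as the iRule does.
BLOCKED = ["sqlmap", "havij", "nmap", "nessus", "absinthe", "nikto", "w3af",
           "pangolin", "bsqlbf", "sql power injector", "mysqloit",
           "netsparker", "wpscan"]
ALLOWED_IPS = {"10.10.10.10"}  # same exemption as the iRule

# Apache "combined" log format (assumed); quoted fields may hold escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'\s*$')

def matched_token(user_agent):
    """Return the first blocklist substring found in the User-Agent, or None."""
    ua = user_agent.lower()
    return next((t for t in BLOCKED if t in ua), None)

def dry_run(lines):
    """Return (would_block, unparsed) without touching any live traffic."""
    would_block, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # e.g. no User-Agent field was logged
            continue
        ip, ua = m.group(1), m.group(4)
        token = matched_token(ua)
        if token and ip not in ALLOWED_IPS:
            would_block.append((ip, token, ua))
    return would_block, unparsed

# Constructed sample log lines (documentation IP ranges, made-up agents).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0 (constructed)"',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.00 (Nikto/2.0)"',
    '10.10.10.10 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 900 "-" "Nessus (constructed)"',
    '198.51.100.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.6 - - [01/Jan/2024:10:00:04 +0000] "GET /map HTTP/1.1" 200 900 "-" "GreenMapper/2.0 (hypothetical)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    blocked, skipped = dry_run(SAMPLE)
    for ip, token, ua in blocked:
        print(f"would block {ip}: matched {token!r} in {ua!r}")
    print(f"{len(skipped)} line(s) not parsed")
```

The GreenMapper line is caught by the bare "nmap" substring, the kind of false positive worth finding in your own logs before the rule goes live.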