Apache Security: A Watched Bot Never Spoils (Your Server)

By Ken Coar (Send Email)
Posted Feb 6, 2009


In my last article I introduced the idea of having robots.txt be a dynamic document, rather than a static text file. The reason for this was to allow it to respond in real-time to the particulars of the robot that was making the request.

A smart, dynamic robots.txt makes it easier to keep an eye on those cagey bots for better server security and performance.

Here are the five cases I laid out for robot behavior when it comes to processing robots.txt:

  1. The spider doesn't even bother to check for robots.txt at all.
  2. The spider checks for robots.txt and doesn't crawl prohibited areas. (Good bot! Here, have a cookie.)
  3. The spider reads robots.txt, scans for 'allow' stanzas1 that apply to other spiders, and then masquerades as those in order to access the protected areas.
  4. The spider checks for robots.txt but doesn't comply with the restrictions.
  5. The spider reads robots.txt and explicitly tries to scan prohibited areas.

(I've reordered this slightly to make more sense.)

The first two cases are not problems — first because robots.txt isn't even involved and secondly because it's working properly and we don't have to be concerned with a misbehaving spider.

It's the next three that we need to address.

At the time that robots.txt is being processed, there is no way of telling which of these five cases will apply. For this reason, robots.txt merely checks the ID, as it were, of the spider making the request, for use by intelligence in subsequent requests.

We can handle case number three by emitting stanzas that only apply to the robot making the request. That way, there are no other robots mentioned whose permissions it can record and later abuse.

Now that robots.txt is actually a dynamic document, let's put it to work and actually do something with it.

For starters, and for performance, I use a MySQL database to record bot activity and access rules. Let's begin by having it record the particulars of the current request. Here is the first MySQL table I use for that:

mysql> explain client;
+---------+---------+------+-----+---------+----------------+
| Field   | Type    | Null | Key | Default | Extra          |
+---------+---------+------+-----+---------+----------------+
| xid     | int(11) | NO   | PRI | NULL    | auto_increment |
| client  | blob    | YES  | UNI | NULL    |                |
| comment | text    | YES  |     | NULL    |                |
+---------+---------+------+-----+---------+----------------+

The client table simply records each user agent that accesses the robots.txt file, and assigns it a unique identifying number. The first thing our dynamic robots.txt script does is look up the current client in this table, and either determine its unique number or create an entry for it if it doesn't already exist.

Now we have a record that the client has accessed robots.txt file just now or in the past. Let's do something with the information about this current request. Here's a MySQL table for that:

mysql> explain access;

+----------------+-------------+------+-----+---------+----------------+
| Field          | Type        | Null | Key | Default | Extra          |
+----------------+-------------+------+-----+---------+----------------+
| xid            | int(11)     | NO   | PRI | NULL    | auto_increment |
| client         | int(11)     | YES  | MUL | NULL    |                |
| ipa            | varchar(16) | YES  |     | NULL    |                |
| total_requests | int(11)     | YES  |     | 0       |                |
| last_request   | datetime    | YES  |     | NULL    |                |
+----------------+-------------+------+-----+---------+----------------+

The key fields here are 'client' and 'ipa' (IP address). Together, they let us determine how often and how recently a particular client has accessed us from a particular IP address. This may be useful in the future if, for example, we decide to block access for all clients from that particular IP address. We used the unique number for the client, rather than its full name, to save space and improve performance.

So we now have a robots.txt file that is actually a script and which:

  • Makes a record of every client to access it and
  • Makes a record of where the request came from (the IP address) and how many times requests for robots.txt have been made from that address by that user-agent.

This is useful stuff, but so far it's just record keeping, and we're not yet taking any action based on the information gathered. In order to do so, within the role of the robots.txt file, we must have some rules pertaining to each client.

I feel another MySQL table coming on ...

1. The original RES didn't support 'allow' stanzas, and not all RES-compliant bots recognize them. However, the basic issue is the same even for 'disallow' stanzas – a bot with evil intentions can conceivably change its access by pretending to be one of those for which you have explicit rules.

This article was originally published on Enterprise IT Planet.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.