@petskratt

petskratt/.htaccess

Last active May 22, 2019
Perishable Press 6G firewall with slight modifications (archive.org bot enabled, no IP blocking part)
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>
</IfModule>
</IfModule>
# 6G:[CUSTOM]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)/(readme\.html|readme\.txt|readme\.md|license\.txt)
RedirectMatch 403 (?i)debug.log
</IfModule>
# 6G END
# disable code execution in folder and subfolders
# fit for wp-content/uploads and also full wp-content if plugins/themes well written
# extensions list for zone.ee (Apache 2.4 version)
Options -ExecCGI
# strip the PHP MIME type and handler so these extensions are never handed to the PHP engine,
# even if the deny rule below were ever lifted
RemoveType .php .php3 .phtml .inc
RemoveHandler .php .php3 .phtml .inc
# ($|\.) also catches double extensions such as file.php.jpg, not just a bare .php suffix
<FilesMatch "\.(?i:php|php3|phtml|inc)($|\.)">
Require all denied
</FilesMatch>
# belt and braces: if mod_php7 is loaded, switch the engine off for this directory tree as well
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
# disable code execution in wp-includes
# extensions list for zone.ee (Apache 2.4 version)
# .php is deliberately kept out of RemoveType/RemoveHandler here, because the two
# scripts re-granted below still have to run
Options -ExecCGI
RemoveType .php3 .phtml .inc
RemoveHandler .php3 .phtml .inc
<FilesMatch "\.(?i:php|php3|phtml|inc)($|\.)">
Require all denied
</FilesMatch>
# later <Files> sections override the FilesMatch deny above for these two files only
<Files wp-tinymce.php>
Require all granted
</Files>
<Files ms-files.php>
Require all granted
</Files>
@lembitk lembitk commented Dec 7, 2016

Been also using Perishable Press' nG firewall. There is a regular expression above that might prove problematic when a couple of specific conditions are met on a (WordPress) site.

Consider this regex: (\'|\")(.*)(drop|insert|md5|select|union) (1st section, "6G:[QUERY STRINGS]", last RewriteCond line: "match any string that begins with a single or double quote AND contains "drop", "insert" etc.).

This regex will block legitimate (WP) search queries / URLs on a site that

  • contains content in English,
  • and supports "exact phrase" searches (in case of WP requires vastly improved search, probably via a plugin).

A few example WP search URLs that would get blocked w/ the "403 Forbidden" response:

  • example.com/?s="select+offers",
  • example.com/?s="European+Union".

This probably is not a problem for 99% of sites. Not so much so because it's difficult to have good search engine on a site, but more so b/c users just won't search for "exact phrases" that much (at least in my experience, and even if you show them how to do that).

So, yes, it's nit-picking, but still wanted to share. Maybe will help someone someday…
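The false positive described above is easy to reproduce offline before the ruleset goes live. The following Python harness is an added example, not part of the gist or of the Perishable Press 6G release: it copies the query-string, request-method and FilesMatch patterns from the gist verbatim, evaluates them with Python's `re` standing in for Apache's PCRE (the constructs used here behave the same in both), and runs them over a constructed set of requests, including the two search URLs quoted in the comment. It assumes, as Apache does, that the query-string conditions see the raw, not-yet-decoded query string, which is why the same search with the quotes percent-encoded passes. The referrer, request-string and user-agent sections are not modelled.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the gist's "6G:[QUERY STRINGS]" block, minus the
# Apache flags. Apache evaluates them with [NC] (case-insensitive) against
# the raw, not-yet-decoded QUERY_STRING, so that is what this harness does.
QUERY_STRING_RULES = [
    r"(eval\()",
    r"(127\.0\.0\.1)",
    r"([a-z0-9]{2000})",
    r"(javascript:)(.*)(;)",
    r"(base64_encode)(.*)(\()",
    r"(GLOBALS|REQUEST)(=|\[|%)",
    r"(<|%3C)(.*)script(.*)(>|%3)",
    r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
    r"(boot\.ini|etc/passwd|self/environ)",
    r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"(\'|\")(.*)(drop|insert|md5|select|union)",
]

# Copied from the gist's "6G:[REQUEST METHOD]" block.
METHOD_RULE = r"^(connect|debug|delete|move|put|trace|track)"

# The FilesMatch pattern from the gist's "disable code execution" blocks.
# The trailing ($|\.) is what makes it catch double extensions such as
# shell.php.jpg, not just a bare .php suffix.
NO_EXEC_FILE_RULE = r"\.(?i:php|php3|phtml|inc)($|\.)"

# The two wp-includes scripts the gist re-allows with <Files> ... Require all granted.
WP_INCLUDES_EXCEPTIONS = {"wp-tinymce.php", "ms-files.php"}


def matching_query_rules(query_string):
    """Return every query-string pattern that would fire on the raw query string."""
    return [p for p in QUERY_STRING_RULES
            if re.search(p, query_string, re.IGNORECASE)]


def is_blocked(method, url):
    """True if the method or query-string rules would answer 403 for this request."""
    if re.search(METHOD_RULE, method, re.IGNORECASE):
        return True
    return bool(matching_query_rules(urlsplit(url).query))


def exec_denied(path):
    """True if the 'disable code execution' rules would refuse to serve `path`
    (given relative to the web root). Mirrors the <Files> exceptions that
    re-grant two scripts under wp-includes."""
    directory, _, name = path.rpartition("/")
    if directory.endswith("wp-includes") and name in WP_INCLUDES_EXCEPTIONS:
        return False
    return re.search(NO_EXEC_FILE_RULE, name) is not None


# Constructed sample traffic: the two search URLs from the comment above, the
# same search with the quotes percent-encoded as a browser typically sends them,
# a plain search, a traversal attempt, and a TRACE request.
SAMPLE_REQUESTS = [
    ("GET", 'https://example.com/?s="select+offers"'),
    ("GET", 'https://example.com/?s="European+Union"'),
    ("GET", "https://example.com/?s=%22select+offers%22"),
    ("GET", "https://example.com/?s=select+offers"),
    ("GET", "https://example.com/?file=../../etc/passwd"),
    ("TRACE", "https://example.com/"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Map each (method, url) to the list of reasons the ruleset blocks it.
    An empty list means the request passes; a non-empty list on a request
    you consider legitimate is a false positive to resolve before deploying."""
    results = {}
    for method, url in requests:
        reasons = []
        if re.search(METHOD_RULE, method, re.IGNORECASE):
            reasons.append("method " + method)
        reasons.extend(matching_query_rules(urlsplit(url).query))
        results[(method, url)] = reasons
    return results


if __name__ == "__main__":
    for (method, url), reasons in audit().items():
        verdict = "403" if reasons else "pass"
        print(f"{verdict:4} {method:5} {url}")
        for r in reasons:
            print(f"          matched: {r}")
```

Running the script lists each sample request with its verdict and the exact pattern that fired, so a site owner can see that only the last query-string rule is responsible for the search false positive and decide whether to drop or narrow it, while the traversal and TRACE samples stay blocked. `exec_denied` shows the upload-directory rule catching `shell.PhP.jpg` as well as `shell.php`, and the wp-includes exceptions passing.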

@toto011 toto011 commented Feb 22, 2019

I humbly suggest adding a note about the [QUERY STRINGS] section, which should be excluded from the main .htaccess and added to the /wp-folder/ .htaccess if WordPress is installed in a "/wp-folder/" subfolder (info from Perishable Press). Just my 2 cents. Keep up the good work!!
