Skip to content

Instantly share code, notes, and snippets.

@petskratt
Last active May 22, 2019 07:10
Show Gist options
  • Save petskratt/17fdb56c75800fc38797a7c5bd1d1127 to your computer and use it in GitHub Desktop.
Save petskratt/17fdb56c75800fc38797a7c5bd1d1127 to your computer and use it in GitHub Desktop.
Perishable Press 6G firewall with slight modifications (archive.org bot enabled, no IP blocking part)
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>
</IfModule>
</IfModule>
# 6G:[CUSTOM]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)/(readme\.html|readme\.txt|readme\.md|license\.txt)
RedirectMatch 403 (?i)debug.log
</IfModule>
# 6G END
# disable code execution in folder and subfolders
# fit for wp-content/uploads and also full wp-content if plugins/themes well written
# extensions list for zone.ee (Apache 2.4 version)
Options -ExecCGI
RemoveType .php .php3 .phtml .inc
RemoveHandler .php .php3 .phtml .inc
<FilesMatch "\.(?i:php|php3|phtml|inc)($|\.)">
Require all denied
</FilesMatch>
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
# disable code execution in wp-includes
# extensions list for zone.ee (Apache 2.4 version)
Options -ExecCGI
RemoveType .php3 .phtml .inc
RemoveHandler .php3 .phtml .inc
<FilesMatch "\.(?i:php|php3|phtml|inc)($|\.)">
Require all denied
</FilesMatch>
<Files wp-tinymce.php>
Require all granted
</Files>
<Files ms-files.php>
Require all granted
</Files>
@lembitk
Copy link

lembitk commented Dec 7, 2016

Been also using Perishable Press' nG firewall. There is a regular expression above that might prove problematic when couple specific conditions are met on a (WordPress) site.

Consider this regex: (\'|\")(.*)(drop|insert|md5|select|union) (1st section, "6G:[QUERY STRINGS]", last RewriteCond line: "match any string that begins with a single or double quote AND contains "drop", "insert" etc.).

This regex will block legitimate (WP) search queries / URLs on a site that

  • contains content in English,
  • and supports "exact phrase" searches (in case of WP requires vastly improved search, probably via a plugin).

A few example WP search URLs that would get blocked w/ the "403 Forbidden" response:

  • example.com/?s="select+offers",
  • example.com/?s="European+Union".

This probably is not a problem for 99% of sites. Not so much so because it's difficult to have good search engine on a site, but more so b/c users just won't search for "exact phrases" that much (at least in my experience, and even if you show them how to do that).

So, yes, it's nit-picking, but still wanted to share. Maybe will help someone someday…

@toto011
Copy link

toto011 commented Feb 22, 2019

I humbly suggest adding an info about [QUERY STRINGS] section, that should be excluded from main .htaccess and added into /wp-folder/ .htaccess if WordPress is installed in a "/wp-folder/" subfolder (info from Perishable Press). Just my 2 cents. Keep up the good work !!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment