Error
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.
  • JHTMLicon not supported. File not found.

%{query_string}

5G Blacklist 2012
Wednesday, 11 January 2012 15:47
the-redirectmatch-and-%{query_string}

[ 5G ] The 5G Blacklist helps reduce the number of malicious URL requests that hit your website. It’s one of many ways to improve the security of your site and protect against evil exploits, bad requests, and other nefarious garbage.

After extensive beta testing, the 5G Blacklist/Firewall is solid and ready to help secure sites hosted on Apache servers. In addition to beta testing for the 5G, this is the 5th major update of my “G”-series blacklists. Here is a quick overview of its evolution:

  1. Ultimate htaccess Blacklist (Compressed Version)
  2. 2G Blacklist: Closing the Door on Malicious Attacks
  3. Perishable Press 3G Blacklist
  4. The Perishable Press 4G Blacklist
  5. 5G Firewall (Beta)

Along the way, I’ve explored a wide variety of different blacklist techniques. The 5G is the culmination of all these efforts, and will eventually be replaced by the imminent 6G Blacklist/Firewall.

What it does

The 5G Blacklist is a simple, flexible blacklist that checks all URI requests against a series of carefully constructed HTAccess directives. This happens quietly behind the scenes at the server level, saving resources for stuff like PHP and MySQL for all blocked requests.

How it works

Blacklists can block just about any part of a request: IP, user agent, request string, query string, referrer, and everything in between. But IP addresses change constantly, and user agents and referrers are easily spoofed. As discussed, request strings yield the best results: greater protection with fewer false positives.

The 5G works beautifully with WordPress, and should help any site conserve bandwidth and server resources while protecting against malicious activity.

How to use

To install the 5G Firewall, append the following code to your site’s root .htaccess:

# 5G BLACKLIST/FIREWALL
# @ http://perishablepress.com/5g-blacklist/

# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \?         [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</IfModule>

# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|turnit)   keep_out
 SetEnvIfNoCase User-Agent (zmeu|nutch|vikspider|binlar|sucker) keep_out
 <Limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </Limit>
</IfModule>

# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 /(Permanent|Better)$
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
 RedirectMatch 403 /playing.php
 RedirectMatch 403 muieblackcat
</IfModule>

# 5G:[BAD IPS]
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 # uncomment/edit/repeat next line to block IPs
 # Deny from 123.456.789
</Limit>

That’s the golden ticket right there. The 5G Firewall is serious protection for your website: extensively tested, plug-n-play, and completely free. “Grab, gulp, n go” as they say. For more information, see the beta article (and comments).

Troubleshooting

Remember, test thoroughly. If something stops working when the 5G is installed, try removing the 5G. If things start working normally again, you can either pass on the 5G or investigate further. Investigating further is straightforward using something like the halving method, where you remove chunks of the 5G until isolating and identifying the issue. Here is a quick example:

  • I’ve installed the 5G, thanks Jeff.
  • Uh-oh, the page at http://example.com/indonesia.html stopped loading
  • Hmm, the URL contains the phrase “indonesia”, so let’s check the 5G for it
  • Yep, there’s a rule that blocks indonesia\.htm
  • Removing that line resolves the issue, thanks me.

Is it okay to remove rules that are blocking your own pages? Yes, the only downside is that malicious requests that would have otherwise been blocked will now get through. The 5G will continue to block a massive volume of malicious requests — it’ll just be a bit less effective. The protective effect is cumulative, not dependent on any one rule. So customization is encouraged. Once you dial it in, you’re all set.

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. A search for “blacklist” in the sidebar should also yield many results.

Happy securing!

© 2012 Perishable Press

Read more: http://perishablepress.com/5g-blacklist-2012/
 
5G Blacklist for Microsoft IIS
Friday, 25 November 2011 15:31
add-input{url}-input{query_string}-conditions-rule

By design the 5G Blacklist works on Apache servers, but thanks to Scott Stawarz, here is a version for Microsoft IIS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
                <clear />
                <rule name="Block Bad Query String" stopProcessing="true">
                    <match url=".*" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{QUERY_STRING}" pattern="(environ|localhost|mosconfig|scanner)" />
                        <add input="{QUERY_STRING}" pattern="(menu|mod|path|tag)\=\.?/?" />
                        <add input="{QUERY_STRING}" pattern="boot\.ini" />
                        <add input="{QUERY_STRING}" pattern="echo.*kae" />
                        <add input="{QUERY_STRING}" pattern="etc/passwd" />
                        <add input="{QUERY_STRING}" pattern="\=\\%27$" />
                        <add input="{QUERY_STRING}" pattern="\=\\\'$" />
                        <add input="{QUERY_STRING}" pattern="\.\./" />
                        <add input="{QUERY_STRING}" pattern="\:" />
                        <add input="{QUERY_STRING}" pattern="\[" />
                        <add input="{QUERY_STRING}" pattern="\]" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                </rule>
                <rule name="Block Bad User Agents" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{HTTP_USER_AGENT}" pattern=" ^$" />
                        <add input="{HTTP_USER_AGENT}" pattern="(casper|cmsworldmap|diavol|dotbot)" />
                        <add input="{HTTP_USER_AGENT}" pattern="(flicky|ia_archiver|jakarta|kmccrew)" />
                        <add input="{HTTP_USER_AGENT}" pattern="(libwww|planetwork|pycurl|skygrid)" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
                <rule name="Block Bad Request Strings" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{URL}" pattern="(https?|ftp|php)\://" />
                        <add input="{URL}" pattern="/(cgi|https?|ima|ucp)/" />
                        <add input="{URL}" pattern="(\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$" />
                        <add input="{URL}" pattern="(\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)" />
                        <add input="{URL}" pattern="\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$" />
                        <add input="{URL}" pattern="/(contac|fpw|install|pingserver|register)\.php" />
                        <add input="{URL}" pattern="(base64|crossdomain|localhost|wwwroot)" />
                        <add input="{URL}" pattern="\.well\-known/host\-meta" />
                        <add input="{URL}" pattern="/function\.array\-rand" />
                        <add input="{URL}" pattern="\)\;\$\(this\)\.html\(" />
                        <add input="{URL}" pattern="proc/self/environ" />
                        <add input="{URL}" pattern="/ref\.outcontrol" />
                        <add input="{URL}" pattern="indonesia\.htm" />
                        <add input="{URL}" pattern="\{\$itemURL\}" />
                        <add input="{URL}" pattern="function\(\)" />
                        <add input="{URL}" pattern="labels\.rdf" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Just copy/paste into your web.config file and you should be good to go. I really don’t know much about IIS, but this code looks logical to me and should be entirely plug-n-play, so no editing required. If you discover bugs or have ways of improving the code, please share via comment or directly.

Tested on IIS version 7.5.

Bonus

In his IIS version of 5G, Scott included a couple of bonus rules, one for protecting against hotlinking, and another for WordPress permalinks:

                <rule name="Prevent Image HotLinking">
                    <match url=".*\.(gif|jpg|png)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
                        <add input="{HTTP_REFERER}" pattern="^http(s)?://(.*\.)?your-domain-name-goes-here\.com/.*$" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="/some-random-directory/some-random-file.html" />
                </rule>
                <rule name="wordpress" patternSyntax="Wildcard">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php" />
                </rule>

This code is pre-indented for easy copy/paste into the 5G/IIS code.

Huge thanks to Scott for sharing his work with us!

Credit link: Screenflex Room Dividers

© 2011 Perishable Press

Read more: http://perishablepress.com/5g-blacklist-iis/
 
5G Firewall Beta
Wednesday, 09 February 2011 16:58
redirectmatch-the-and-%{query_string}
Perishable Press

Updating the 4G Blacklist, the new 5G Firewall is now open for beta testing. The new code is better than ever, providing wider protection with less code and fewer false positives. I’ve had much success with this new firewall, but more testing is needed to ensure maximum compatibility and minimal issues.

At this point, the code has been tested extensively with the following WordPress configurations:

  • Default WordPress installation (no plugins)
  • Current WordPress version 3.0.5 (running plugins1)
  • Older WordPress version 2.3.3 (running plugins2)

The 5G Firewall is the result of many months of meticulous request monitoring, analyses, and testing. With this code, my goal is an easy, plug-n-play security firewall that blocks the maximum volume of malicious requests with a minimum number of false positives. It’s also built with compatibility in mind. The 5G Firewall is fine-tuned3 to WordPress, but the directives are designed for general use and should help any site conserve bandwidth and server resources while protecting against malicious activity.

Beta Testers

Only test this code if you are familiar with .htaccess and comfortable with diagnosing and resolving potential issues. The 5G is currently running at Perishable Press and everything seems to be working great. But there are so many different configurations that beta testing is needed to help ensure maximum compatibility. Please leave any issues/resolutions in the comments section (remember to wrap code in <code> tags).

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify only if proper attribution is included (e.g., “5G FIREWALL from PerishablePress.com”. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my article on constructing the 4G Blacklist. A search for “blacklist” in the sidebar should also return much related information.

5G Firewall Beta

# 5G FIREWALL from PerishablePress.com

# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</IfModule>

# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 <Limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </Limit>
</IfModule>

# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
</IfModule>

1 Tested plugins for WP 3.0.5:

  • Akismet
  • All in One SEO Pack
  • BackWPup
  • Clean Options
  • Feed Count
  • Google XML Sitemaps
  • W3 Total Cache
  • WP-phpMyAdmin
  • Contextual Related Posts
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Edit Author Slug
  • FeedStats
  • Google XML Sitemaps
  • Mass Mail
  • No category parents
  • Pierre’s Wordspew
  • Post Editor Buttons
  • Search Everything
  • Secure WordPress
  • Simple:Press Forum
  • TPC! Memory Usage
  • Use Google Libraries
  • Vote the Post
  • WordPress File Monitor
  • WordPress Ultimate Security
  • WP-phpMyAdmin
  • WP-Polls
  • WP-UserOnline
  • WP Favorite Posts
  • WP Hide Dashboard
  • WP Security Scan
  • WP Socializer
  • WPtouch

2 Tested plugins for WP 2.3.3:

  • AddMySite (AMS)
  • Akismet
  • All in One SEO Pack
  • Authenticate
  • Code Auto Escape
  • Compact Archives
  • Contact Coldform
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Dagon Design Sitemap Generator
  • Display Post View Count (Top10)
  • Download Counter
  • Feedburner Feed Replacement
  • Feed Count
  • Full Text Feed
  • Google XML Sitemaps
  • KillNag
  • Plugins Used Plugin
  • Search Everything
  • Simple Recent Comments
  • Simple Tags
  • SimpleTwitter
  • Stealth Publish
  • Subscribe To Comments
  • Theme Switcher
  • the_excerpt Reloaded
  • Yet Another Related Posts Plugin

3 Test Environment:

  • Operating System: Linux
  • Server: Apache/2.2.3 (CentOS)
  • MYSQL Version: 5.0.77-log
  • PHP Version: 5.2.6

4 Example query strings for testing:

http://example.com/path/?../
http://example.com/path/?php://
http://example.com/path/?scanner
http://example.com/path/?boot.ini
http://example.com/path/?echo.*kae
http://example.com/path/?mosconfig
http://example.com/path/?etc/passwd
http://example.com/path/?path=./
http://example.com/path/?=\'
http://example.com/path/?=\%27
http://example.com/path/?environ
http://example.com/path/?menu=
http://example.com/path/?mod=
http://example.com/path/?tag=
http://example.com/path/?ftp:
http://example.com/path/?http:
http://example.com/path/?https:
http://example.com/path/?[
http://example.com/path/?]
http://example.com/path/?

© 2011 

Read more: http://perishablepress.com/5g-firewall-beta/
 


Taxonomy by Zaragoza Online

Login Form



Scroll To Top