5G Firewall Beta

.htaccess made easy
Update: Check out the new and improved 5G Blacklist 2013! (The beta version provided in this post is now for reference only.)

Updating the 4G Blacklist, the new 5G Firewall is now open for beta testing. The new code is better than ever, providing wider protection with less code and fewer false positives. I’ve had much success with this new firewall, but more testing is needed to ensure maximum compatibility and minimal issues.

At this point, the code has been tested extensively with the following WordPress configurations:

  • Default WordPress installation (no plugins)
  • Current WordPress version 3.0.5 (running plugins1)
  • Older WordPress version 2.3.3 (running plugins2)

The 5G Firewall is the result of many months of meticulous request monitoring, analyses, and testing. With this code, my goal is an easy, plug-n-play security firewall that blocks the maximum volume of malicious requests with a minimum number of false positives. It’s also built with compatibility in mind. The 5G Firewall is fine-tuned3 to WordPress, but the directives are designed for general use and should help any site conserve bandwidth and server resources while protecting against malicious activity.

Beta Testers

Only test this code if you are familiar with .htaccess and comfortable with diagnosing and resolving potential issues. The 5G is currently running at Perishable Press and everything seems to be working great. But there are so many different configurations that beta testing is needed to help ensure maximum compatibility. Please leave any issues/resolutions in the comments section (remember to wrap code in <code> tags).

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify only if proper attribution is included (e.g., “5G FIREWALL from PerishablePress.com”. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my article on constructing the 4G Blacklist. A search for “blacklist” in the sidebar should also return much related information.

5G Firewall Beta

# 5G FIREWALL from PerishablePress.com

# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</ifModule>

# 5G:[USER AGENTS]
<ifModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 <limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </limit>
</ifModule>

# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
</ifModule>

1 Tested plugins for WP 3.0.5:

  • Akismet
  • All in One SEO Pack
  • BackWPup
  • Clean Options
  • Feed Count
  • Google XML Sitemaps
  • W3 Total Cache
  • WP-phpMyAdmin
  • Contextual Related Posts
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Edit Author Slug
  • FeedStats
  • Google XML Sitemaps
  • Mass Mail
  • No category parents
  • Pierre’s Wordspew
  • Post Editor Buttons
  • Search Everything
  • Secure WordPress
  • Simple:Press Forum
  • TPC! Memory Usage
  • Use Google Libraries
  • Vote the Post
  • WordPress File Monitor
  • WordPress Ultimate Security
  • WP-phpMyAdmin
  • WP-Polls
  • WP-UserOnline
  • WP Favorite Posts
  • WP Hide Dashboard
  • WP Security Scan
  • WP Socializer
  • WPtouch

2 Tested plugins for WP 2.3.3:

  • AddMySite (AMS)
  • Akismet
  • All in One SEO Pack
  • Authenticate
  • Code Auto Escape
  • Compact Archives
  • Contact Coldform
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Dagon Design Sitemap Generator
  • Display Post View Count (Top10)
  • Download Counter
  • Feedburner Feed Replacement
  • Feed Count
  • Full Text Feed
  • Google XML Sitemaps
  • KillNag
  • Plugins Used Plugin
  • Search Everything
  • Simple Recent Comments
  • Simple Tags
  • SimpleTwitter
  • Stealth Publish
  • Subscribe To Comments
  • Theme Switcher
  • the_excerpt Reloaded
  • Yet Another Related Posts Plugin

3 Test Environment:

  • Operating System: Linux
  • Server: Apache/2.2.3 (CentOS)
  • MYSQL Version: 5.0.77-log
  • PHP Version: 5.2.6

4 Example query strings for testing:

http://example.com/path/?../
http://example.com/path/?php://
http://example.com/path/?scanner
http://example.com/path/?boot.ini
http://example.com/path/?echo.*kae
http://example.com/path/?mosconfig
http://example.com/path/?etc/passwd
http://example.com/path/?path=./
http://example.com/path/?=\'
http://example.com/path/?=\%27
http://example.com/path/?environ
http://example.com/path/?menu=
http://example.com/path/?mod=
http://example.com/path/?tag=
http://example.com/path/?ftp:
http://example.com/path/?http:
http://example.com/path/?https:
http://example.com/path/?[
http://example.com/path/?]
http://example.com/path/?