Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

5G Firewall Beta

[ 5G (beta) ] Updating the 4G Blacklist, the new 5G Firewall is now open for beta testing. The new code is better than ever, providing wider protection with less code and fewer false positives. I’ve had much success with this new firewall, but more testing is needed to ensure maximum compatibility and minimal issues.

Update: Check out the new and improved 6G Firewall »

At this point, the code has been tested extensively with the following WordPress configurations:

  • Default WordPress installation (no plugins)
  • Current WordPress version 3.0.5 (running plugins1)
  • Older WordPress version 2.3.3 (running plugins2)

The 5G Firewall is the result of many months of meticulous request monitoring, analyses, and testing. With this code, my goal is an easy, plug-n-play security firewall that blocks the maximum volume of malicious requests with a minimum number of false positives. It’s also built with compatibility in mind. The 5G Firewall is fine-tuned3 to WordPress, but the directives are designed for general use and should help any site conserve bandwidth and server resources while protecting against malicious activity.

Beta Testers

Only test this code if you are familiar with .htaccess and comfortable with diagnosing and resolving potential issues. The 5G is currently running at Perishable Press and everything seems to be working great. But there are so many different configurations that beta testing is needed to help ensure maximum compatibility. Please leave any issues/resolutions in the comments section (remember to wrap code in <code> tags).

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify only if proper attribution is included (e.g., “5G FIREWALL from PerishablePress.com”. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my article on constructing the 4G Blacklist. A search for “blacklist” in the sidebar should also return much related information.

5G Firewall Beta

# 5G FIREWALL from PerishablePress.com

# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</ifModule>

# 5G:[USER AGENTS]
<ifModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 <limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </limit>
</ifModule>

# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
</ifModule>

1 Tested plugins for WP 3.0.5:

  • Akismet
  • All in One SEO Pack
  • BackWPup
  • Clean Options
  • Feed Count
  • Google XML Sitemaps
  • W3 Total Cache
  • WP-phpMyAdmin
  • Contextual Related Posts
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Edit Author Slug
  • FeedStats
  • Google XML Sitemaps
  • Mass Mail
  • No category parents
  • Pierre’s Wordspew
  • Post Editor Buttons
  • Search Everything
  • Secure WordPress
  • Simple:Press Forum
  • TPC! Memory Usage
  • Use Google Libraries
  • Vote the Post
  • WordPress File Monitor
  • WordPress Ultimate Security
  • WP-phpMyAdmin
  • WP-Polls
  • WP-UserOnline
  • WP Favorite Posts
  • WP Hide Dashboard
  • WP Security Scan
  • WP Socializer
  • WPtouch

2 Tested plugins for WP 2.3.3:

  • AddMySite (AMS)
  • Akismet
  • All in One SEO Pack
  • Authenticate
  • Code Auto Escape
  • Compact Archives
  • Contact Coldform
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Dagon Design Sitemap Generator
  • Display Post View Count (Top10)
  • Download Counter
  • Feedburner Feed Replacement
  • Feed Count
  • Full Text Feed
  • Google XML Sitemaps
  • KillNag
  • Plugins Used Plugin
  • Search Everything
  • Simple Recent Comments
  • Simple Tags
  • SimpleTwitter
  • Stealth Publish
  • Subscribe To Comments
  • Theme Switcher
  • the_excerpt Reloaded
  • Yet Another Related Posts Plugin

3 Test Environment:

  • Operating System: Linux
  • Server: Apache/2.2.3 (CentOS)
  • MYSQL Version: 5.0.77-log
  • PHP Version: 5.2.6

4 Example query strings for testing:

http://example.com/path/?../
http://example.com/path/?php://
http://example.com/path/?scanner
http://example.com/path/?boot.ini
http://example.com/path/?echo.*kae
http://example.com/path/?mosconfig
http://example.com/path/?etc/passwd
http://example.com/path/?path=./
http://example.com/path/?=\'
http://example.com/path/?=\%27
http://example.com/path/?environ
http://example.com/path/?menu=
http://example.com/path/?mod=
http://example.com/path/?tag=
http://example.com/path/?ftp:
http://example.com/path/?http:
http://example.com/path/?https:
http://example.com/path/?[
http://example.com/path/?]
http://example.com/path/?
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
GA Pro: Add Google Analytics to WordPress like a pro.

66 responses to “5G Firewall Beta”

  1. Found a bug using it with MediaWiki.

    If there’s a COMMA in the page title, it kicks a 404.

    I pulled out this line and it’s fine, though obviously that’s not a great thing.
    RedirectMatch 403 (,|//|)+|/,/|{0}|(/(|...|+++||)

    • Jeff Starr 2011/03/13 1:09 pm

      You could also just remove the first pattern in that line:

      \,|

      That will prevent matches against commas in URLs while enabling the line to protect against the other character strings.

  2. Unrelated to my wiki thing, I’ve noticed a whole lot of “client denied by server configuration” messages in my error_log.

    Sadly, there was a server upgrade the day or so after I implemented this, so I’ve taken the blacklist OFF one domain just to see if that has an effect. It’s only off on my WordPress only site (very few plugins).

    • Jeff Starr 2011/03/15 8:02 am

      Those messages mean that the list is working.. Your server configuration includes directives passed by htaccess. Whenever something is blocked by one of the blacklist rules, that is the message you’ll see in your error logs (depending on server/host). Seeing “a whole lot” means it’s working great.

  3. Scott Cariss 2011/03/17 4:24 am

    Found one thing in the 5g firewall that breaks default wordpress functionality.

    When under Appearence->Menus->Change Menu Selection this URL is generated:

    /wp-admin/nav-menus.php?action=edit&menu=4

    menu in RewriteCond %{QUERY_STRING} (menu|mod|path|tag)=.?/? [NC,OR] breaks this.

    • I’ve got the same issue. Does anyone have found the proper regular expression?

    • Thanks for the report, Scott. The final version of 5G will remove the matching menu pattern.

      @vale: To resolve the issue, simply remove the following characters from the line mentioned by Scott:

      menu|

      After removing it, the line should look like this:

      RewriteCond %{QUERY_STRING} (mod|path|tag)\=\.?/? [NC,OR]

  4. Seogeeker 2011/04/07 7:18 am

    Nice thanks for updating this, been using 3g for a long time. 5g works great on the few I have just tried it on!

  5. Kai Gittens 2011/09/18 9:05 am

    I just installed the 5G Firewall on my .htaccess file. All is working great except for an issue with WP Security Scan v3.0.7. When I try to access the plugin’s Scanner section, I get a permission denied/403 error.

    Under the QUERY STRINGS section, I commented out the following line and all worked great:

    RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]

    I’m assuming that it has to do with the word ‘scanner’ in there but I was just wondering if doing stuff like this was all OK.

    Also, another quick question: If I intsall the full 5G Firewall, is there still a need for the WordPress Firewall 2 plugin?

    Thanx in advance!

  6. Jeff Starr 2011/09/18 9:09 am

    Hey Kai, thanks for the heads up. That’s totally okay to remove or comment out patterns that interfere with normal functionality. The firewall still works great, just doesn’t block requests that contain that particular string.

    Not sure about the Firewall 2 plugin – running 5G, I haven’t felt the need, although it does provide some additional security.

  7. My main dir .htaccess file starts with “Options -Indexes” to block file listing. Works great. But I have a few sub-dirs for which I want the file listing to work. In those dirs I add a simple .htaccess file that starts with “Options +Indexes”. This line in the [REQUEST STRINGS] section breaks it, causing a 403 error whenever someone tries to navigate to one of those dirs:

    RedirectMatch 403 .(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$

    If I remove “cgi|” from the line, it starts working again. Am I breaking anything or doing myself any harm by removing the cgi thingy?

  8. A reader has reported that they are getting a 403 forbidden error when visiting my WordPress site (which is using the 5G Firewall Beta). The visitor is using the latest version of the LYNX browser (http://lynx.browser.org/). Could one of the 403 REQUEST STRINGS be the culprit? Has anybody been able to text this using Lynx? I’ll try to narrow down which one might be causing the problem.

  9. Further to my previous comment (https://perishablepress.com/5g-firewall-beta/comment-page-3/#comment-85991), the culprit that is blocking Lynx browsers from reading my blog is this line:

    SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out

    That line blocks this user agent (which is what my visitor is using): Lynx/2.8.7rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.0a

    I was able to test this here: http://www.botsvsbrowsers.com/SimulateUserAgent.asp

    What I don’t quite understand is why this is happening. Any ideas?

  10. Now I get it. libwww is blocked by the 5G firewall and the user agent that my visitor was using is based on libwww: Lynx/2.8.7rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.0a

    If I block that user agent, I block that visitor. Not sure what the best solution is…

    • That’s the trade-off implicit in using blacklists. It’s up to the admin to understand traffic and fine-tune the list accordingly. If unsure, remove the libwww rule and continue to keep an eye on things. Unless things have changed, you’ll see more shady than legit requests associated with libwww, which is why it’s included in the 5G.

    • Also, this post is for the “beta” release of 5G. The current version is here:

      https://perishablepress.com/5g-blacklist-2012/

  11. Thanks. I’ll update to the new version. The above comments still apply to the new version, though. Feel free to move all my comments to that post.

    Since Lynx is often used by people with visual impairments, explicitly blocking libwww could wreak havoc for certain bloggers whose visitors use Lynx for accessibility reasons.

  12. I just got attacks on my site and hostgator didnt even notice it, just disabled my host :) found this in raw access logs, so maybe you can add this too

    95.9.57.113 - - [17/Apr/2012:20:49:58 -0500] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.0" 404 10615 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

    so its basically some vulnerably scanner with name acunetix or something

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
SAC Pro: Unlimited chats.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.