Latest TweetsVerify any search engine or visitor via CLI Forward-Reverse Lookup perishablepress.com/cli-forwar…
Perishable Press

5G Blacklist 2012

[ 5G (2012) ] The 5G Blacklist helps reduce the number of malicious URL requests that hit your website. It’s one of many ways to improve the security of your site and protect against evil exploits, bad requests, and other nefarious garbage. If you’re tired of all the slow, bloated security plugins and expensive 3rd-party services, the 5G Blacklist is a solid solution to help protect your Apache-powered site.

Update: Check out the new and improved 6G Firewall »

Evolution

After extensive beta testing, the 5G Blacklist/Firewall is solid and ready to help secure sites hosted on Apache servers. In addition to beta testing for the 5G, this is the 5th major update of my “G”-series blacklists. Here is a quick overview of its evolution.

  1. Ultimate htaccess Blacklist (Compressed Version)
  2. 2G Blacklist: Closing the Door on Malicious Attacks
  3. Perishable Press 3G Blacklist
  4. The Perishable Press 4G Blacklist
  5. 5G Firewall (Beta)

Along the way, I’ve explored a wide variety of different blacklist techniques. The 5G is the culmination of all these efforts, and will eventually be replaced by the imminent 6G Blacklist/Firewall.

What it does

The 5G Blacklist is a simple, flexible blacklist that checks all URI requests against a series of carefully constructed HTAccess directives. This happens quietly behind the scenes at the server level, saving resources for stuff like PHP and MySQL for all blocked requests.

How it works

Blacklists can block just about any part of a request: IP, user agent, request string, query string, referrer, and everything in between. But IP addresses change constantly, and user agents and referrers are easily spoofed. As discussed, request strings yield the best results: greater protection with fewer false positives.

The 5G works beautifully with WordPress, and should help any site conserve bandwidth and server resources while protecting against malicious activity.

How to use

To install the 5G Firewall, append the following code to your site’s root .htaccess:

# 5G BLACKLIST/FIREWALL
# @ https://perishablepress.com/5g-blacklist-2012/

# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \?         [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</ifModule>

# 5G:[USER AGENTS]
<ifModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|turnit)   keep_out
 SetEnvIfNoCase User-Agent (zmeu|nutch|vikspider|binlar|sucker) keep_out
 <limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </limit>
</ifModule>

# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 /(Permanent|Better)$
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
 RedirectMatch 403 /playing.php
 RedirectMatch 403 muieblackcat
</ifModule>

# 5G:[BAD IPS]
<limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 # uncomment/edit/repeat next line to block IPs
 # Deny from 123.456.789
</limit>

That’s the golden ticket right there. The 5G Firewall is serious protection for your website: extensively tested, plug-n-play, and completely free. “Grab, gulp, n go” as they say. For more information, see the beta article (and comments).

Troubleshooting

Remember, test thoroughly. If something stops working when the 5G is installed, try removing the 5G. If things start working normally again, you can either pass on the 5G or investigate further. Investigating further is straightforward using something like the halving method, where you remove chunks of the 5G until isolating and identifying the issue. Here is a quick example:

  • I’ve installed the 5G, thanks Jeff.
  • Uh-oh, the page at http://example.com/indonesia.html stopped loading
  • Hmm, the URL contains the phrase “indonesia”, so let’s check the 5G for it
  • Yep, there’s a rule that blocks indonesia\.htm
  • Removing that line resolves the issue, thanks me.

Is it okay to remove rules that are blocking your own pages? Yes, the only downside is that malicious requests that would have otherwise been blocked will now get through. The 5G will continue to block a massive volume of malicious requests — it’ll just be a bit less effective. The protective effect is cumulative, not dependent on any one rule. So customization is encouraged. Once you dial it in, you’re all set.

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. A search for “blacklist” in the sidebar should also yield many results.

Happy securing!

Jeff Starr
About the Author Jeff Starr = Web Developer. Book Author. Secretly Important.
Archives
223 responses
  1. Is this only for wordpress sites? Does this work on SMF forums? SMF version 2.0.2. I have a forum i want to install it on.

  2. You saved my day! Thanks for sharing.

  3. Ian Anderson Gray January 14, 2012 @ 1:09 pm

    Absolutely fab! Using this across a few of my sites and works well.

    One issue I have found is that it blocks Google+ from sharing a page on the site. I get an error and Google+ doesn’t give me the preview. When I removed the 5G Firewall it worked, so something is blocking it.

    • Ian Anderson Gray January 17, 2012 @ 1:58 pm

      I was wondering if anyone knew what could be causing the conflict when using the 5G Firewall with Google+ sharing as I mentioned above? I’ve had to remove it from my sites until I work out what the issue could be. I haven’t tried it with other social media sites such as Facebook or Twitter, but I can confirm that there is an issue with Google+. I’d love to solve the issue!

      • I’m just guessing, but you might try commenting-out the https blocking sections from 5G.

        GoogleSharing ‘uses’ https.

  4. Thanks 1’000 times Jeff.
    It worked out of the box for WordPress.

    I noticed today that some tit is trying the following exploits by url:

    //phpMyAdmin-2.5.7-pl1/index.php 41.203.119.18
    //phpMyAdmin-2.5.7/index.php 41.203.119.18
    //phpMyAdmin-2.5.6/index.php 41.203.119.18
    .
    .
    .

    [Editor’s note: log excerpt edited to conserve resources]

    Apart now from adding those two ip addresses, how else can I send them to hell please?

  5. Thanks. I’m trying it after having some problems with bad-bots.

  6. Ok, I’m learning …
    I added

    RedirectMatch 403 myphp
    RedirectMatch 403 phpmy
    RedirectMatch 403 websql
    RedirectMatch 403 dbadmin
    RedirectMatch 403 php-my-admin
    RedirectMatch 403 xampp
    RedirectMatch 403 mysql
    RedirectMatch 403 typo3
    RedirectMatch 403 phpmyadmin

    and it works. Should these lines be separate, or can you combine it ?

    Good thing I found you, I have these exploits on 15 domains …

    What is better: to show a 403 page that says nothing, or to let the Parallels Hsphere 403 error page come?

  7. Jeff Starr

    Looks like a good start, here’s what I came up with:

    RedirectMatch 403 (phpMyAdmin|php\-my\-admin)
    RedirectMatch 403 (websql|mysqladmin|pma|mysql|myadmin|dbadmin|db|cdr)

    Needs testing and could be further refined based on existing site URIs.

    Using the default server error page is my advice, but I’ve seen a cool technique where blocks are kicked directly back to localhost.

    • Thanks for a great hack man. But i need to know this before i use the 5G blacklist. Does it work on forums(SMF 2.0.2)? Or is it only configured for wordpress sites? Thanks!

      • Jeff Starr

        It should be general enough to work on any site, but keep an eye on things and begin your search with 5G if/when any pages stop loading.

  8. Thanks Jeff,
    You seriously kick ass!

  9. Just installed it. Thanks!

  10. Jeff, I was wondering, isn’t there the makings of a nice product/service in here if you combine the 5G blacklist with your Error logging script and then add the functionality of doing reverse ip lookups and sending emails to the Abuse address listed in the ARIN and other databases, once a certain level of repeated 301 errors are produced?

    Offer the basics free and then make the more advanced features paid for.
    And if there was a plugin for WordPress you’d be able to service a lot of troubled people.

    In fact, you could have a “share” feature in the script that aggregates the 301 exploits sort of in real time and thus have the possibility to push an updated .htaccess or whatever down the line for people to install for better protection.

    Once the presets trigger, all people on the subscription would be informed of a new issue or ip to block. As the attack moves to a different address, the ip can be released again, with multiple offenders getting a more permanent level of blocking. Something in the order of defining several levels of blocking.

    If you also have selectors that the user can click on, people that want to, could also decide to include country level ip blocks if they wanted to.

    Wish I had the skills to do this … :-)

    • Jeff Starr

      It’s a great idea Mark, and I’ve thought about doing something similar for quite awhile now, with the only thing really stopping me really is the time factor, just not enough these days.

      For the record though, there are existing services that function similarly to what you describe, but much more is certainly possible ;)

  11. Such a great script you provide Jeff. Thank you so much, I have been checking back every few weeks for the past few months waiting on the final release.

    I will be checking this out this weekend on my server. I do have a question about mentions regarding server wide usage. If I have 1 install of wordpress Multisite in the root of public_html, will this work ok with it?

  12. # Anti XSS protection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
    RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index_error.php [F,L]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    # Anti cross site tracing - protection
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

    http://www.hackosis.com/simple-htaccess-intrusion-detection-system/

    I strongly suggest u integrate this idea into your 5G blacklists.

    • Jeff Starr

      Hey Jeriff,

      Looks like some good stuff in there, so definitely will investigate further for possible inclusion with the imminent 6G. Note that I cover many of these rules in this article. Either way, thanks for sharing.

[ Comments are closed for this post ]