Latest TweetsVerify any search engine or visitor via CLI Forward-Reverse Lookup perishablepress.com/cli-forwar…
Perishable Press

5G Blacklist for Microsoft IIS

[ 5G (MS IIS) ] By design the 5G Blacklist works on Apache servers, but thanks to Scott Stawarz, here is a version for Microsoft IIS. Disclaimer: I do not use any Microsoft server stuff, so make sure to properly test everything before running this code on a live/production site. Also, if you scroll down to the end of this article, you will find some useful bonus snippets.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
                <clear />
                <rule name="Block Bad Query String" stopProcessing="true">
                    <match url=".*" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{QUERY_STRING}" pattern="(environ|localhost|mosconfig|scanner)" />
                        <add input="{QUERY_STRING}" pattern="(menu|mod|path|tag)\=\.?/?" />
                        <add input="{QUERY_STRING}" pattern="boot\.ini" />
                        <add input="{QUERY_STRING}" pattern="echo.*kae" />
                        <add input="{QUERY_STRING}" pattern="etc/passwd" />
                        <add input="{QUERY_STRING}" pattern="\=\\%27$" />
                        <add input="{QUERY_STRING}" pattern="\=\\\'$" />
                        <add input="{QUERY_STRING}" pattern="\.\./" />
                        <add input="{QUERY_STRING}" pattern="\:" />
                        <add input="{QUERY_STRING}" pattern="\[" />
                        <add input="{QUERY_STRING}" pattern="\]" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                </rule>
                <rule name="Block Bad User Agents" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{HTTP_USER_AGENT}" pattern=" ^$" />
                        <add input="{HTTP_USER_AGENT}" pattern="(casper|cmsworldmap|diavol|dotbot)" />
                        <add input="{HTTP_USER_AGENT}" pattern="(flicky|ia_archiver|kmccrew)" />
                        <add input="{HTTP_USER_AGENT}" pattern="(libwww|planetwork|pycurl|skygrid)" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
                <rule name="Block Bad Request Strings" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{URL}" pattern="(https?|ftp|php)\://" />
                        <add input="{URL}" pattern="/(cgi|https?|ima|ucp)/" />
                        <add input="{URL}" pattern="(\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$" />
                        <add input="{URL}" pattern="(\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)" />
                        <add input="{URL}" pattern="\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$" />
                        <add input="{URL}" pattern="/(contac|fpw|install|pingserver|register)\.php" />
                        <add input="{URL}" pattern="(base64|crossdomain|localhost|wwwroot)" />
                        <add input="{URL}" pattern="\.well\-known/host\-meta" />
                        <add input="{URL}" pattern="/function\.array\-rand" />
                        <add input="{URL}" pattern="\)\;\$\(this\)\.html\(" />
                        <add input="{URL}" pattern="proc/self/environ" />
                        <add input="{URL}" pattern="/ref\.outcontrol" />
                        <add input="{URL}" pattern="indonesia\.htm" />
                        <add input="{URL}" pattern="\{\$itemURL\}" />
                        <add input="{URL}" pattern="function\(\)" />
                        <add input="{URL}" pattern="labels\.rdf" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Just copy/paste into your web.config file and you should be good to go. I really don’t know much about IIS, but this code looks logical to me and should be entirely plug-n-play, so no editing required. If you discover bugs or have ways of improving the code, please share via comment or directly.

Tested on IIS version 7.5.

Bonus

In his IIS version of 5G, Scott included a couple of bonus rules, one for protecting against hotlinking, and another for WordPress permalinks:

                <rule name="Prevent Image HotLinking">
                    <match url=".*\.(gif|jpg|png)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
                        <add input="{HTTP_REFERER}" pattern="^http(s)?://(.*\.)?your-domain-name-goes-here\.com/.*$" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="/some-random-directory/some-random-file.html" />
                </rule>
                <rule name="wordpress" patternSyntax="Wildcard">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php" />
                </rule>

This code is pre-indented for easy copy/paste into the 5G/IIS code.

Huge thanks to Scott for sharing his work with us!

Credit link: Screenflex Room Dividers

Jeff Starr
About the Author Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
Archives
4 responses
  1. This is really interesting. Thanks :)

    Some of the rules (like “etc/passwd” and “proc/self/environ”) are Linux-specific and aren’t really needed in a Windows environment.

  2. Also be careful with blocking libwww and it blocks *all* libwww-based programs.

  3. You’re welcome. You did all the difficult work. I just had to translate it.

    I’m sure the web.config file can be improved if there are IIS experts.

    Also, one note in my testing, I found the blacklist can be aggressive. If you do add this to your IIS configuration or even if you add the apache version, make sure to test your web-apps. Some web-apps and ajax applications may break due to the blacklist. For normal everyday stuff, I’m sure it works fine.

    Keep up the great work Jeff!

  4. Dallas Web Design December 7, 2011 @ 11:26 am

    Good information. Of course I only have one client that still runs IIS.

[ Comments are closed for this post ]