
5G Firewall Beta

[ 5G (beta) ] Updating the 4G Blacklist, the new 5G Firewall is now open for beta testing. The new code is better than ever, providing wider protection with less code and fewer false positives. I’ve had much success with this new firewall, but more testing is needed to ensure maximum compatibility and minimal issues.

Update: Check out the new and improved 6G Firewall »

At this point, the code has been tested extensively with the following WordPress configurations:

  • Default WordPress installation (no plugins)
  • Current WordPress version 3.0.5 (running plugins [1])
  • Older WordPress version 2.3.3 (running plugins [2])

The 5G Firewall is the result of many months of meticulous request monitoring, analyses, and testing. With this code, my goal is an easy, plug-n-play security firewall that blocks the maximum volume of malicious requests with a minimum number of false positives. It’s also built with compatibility in mind. The 5G Firewall is fine-tuned [3] to WordPress, but the directives are designed for general use and should help any site conserve bandwidth and server resources while protecting against malicious activity.

Beta Testers

Only test this code if you are familiar with .htaccess and comfortable with diagnosing and resolving potential issues. The 5G is currently running at Perishable Press and everything seems to be working great. But there are so many different configurations that beta testing is needed to help ensure maximum compatibility. Please leave any issues/resolutions in the comments section (remember to wrap code in <code> tags).

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify only if proper attribution is included (e.g., “5G FIREWALL from PerishablePress.com”). By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more…

To learn more about the theory and development of the 5G Firewall, check out my article on constructing the 4G Blacklist. A search for “blacklist” in the sidebar should also return much related information.

5G Firewall Beta

# 5G FIREWALL from PerishablePress.com

# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</ifModule>

# 5G:[USER AGENTS]
<ifModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 <limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </limit>
</ifModule>

# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
</ifModule>

[1] Tested plugins for WP 3.0.5:

  • Akismet
  • All in One SEO Pack
  • BackWPup
  • Clean Options
  • Feed Count
  • Google XML Sitemaps
  • W3 Total Cache
  • WP-phpMyAdmin
  • Contextual Related Posts
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Edit Author Slug
  • FeedStats
  • Google XML Sitemaps
  • Mass Mail
  • No category parents
  • Pierre’s Wordspew
  • Post Editor Buttons
  • Search Everything
  • Secure WordPress
  • Simple:Press Forum
  • TPC! Memory Usage
  • Use Google Libraries
  • Vote the Post
  • WordPress File Monitor
  • WordPress Ultimate Security
  • WP-phpMyAdmin
  • WP-Polls
  • WP-UserOnline
  • WP Favorite Posts
  • WP Hide Dashboard
  • WP Security Scan
  • WP Socializer
  • WPtouch

[2] Tested plugins for WP 2.3.3:

  • AddMySite (AMS)
  • Akismet
  • All in One SEO Pack
  • Authenticate
  • Code Auto Escape
  • Compact Archives
  • Contact Coldform
  • Customizable Post Listings
  • Custom Query String Reloaded
  • Dagon Design Sitemap Generator
  • Display Post View Count (Top10)
  • Download Counter
  • Feedburner Feed Replacement
  • Feed Count
  • Full Text Feed
  • Google XML Sitemaps
  • KillNag
  • Plugins Used Plugin
  • Search Everything
  • Simple Recent Comments
  • Simple Tags
  • SimpleTwitter
  • Stealth Publish
  • Subscribe To Comments
  • Theme Switcher
  • the_excerpt Reloaded
  • Yet Another Related Posts Plugin

[3] Test Environment:

  • Operating System: Linux
  • Server: Apache/2.2.3 (CentOS)
  • MYSQL Version: 5.0.77-log
  • PHP Version: 5.2.6

[4] Example query strings for testing:

http://example.com/path/?../
http://example.com/path/?php://
http://example.com/path/?scanner
http://example.com/path/?boot.ini
http://example.com/path/?echo.*kae
http://example.com/path/?mosconfig
http://example.com/path/?etc/passwd
http://example.com/path/?path=./
http://example.com/path/?=\'
http://example.com/path/?=\%27
http://example.com/path/?environ
http://example.com/path/?menu=
http://example.com/path/?mod=
http://example.com/path/?tag=
http://example.com/path/?ftp:
http://example.com/path/?http:
http://example.com/path/?https:
http://example.com/path/?[
http://example.com/path/?]
http://example.com/path/?
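To exercise these query strings, and the user-agent and request-string sections, without touching a live server, here is an added Python simulator of the three 5G rule sets; it is not part of the 5G code, and the names check_request and first_match are my own. It also reproduces the false positives reported in the comments (PayPal IPN's blank User-Agent, bbPress's register.php, an .exe download). It assumes that Python's re module evaluates these patterns the way Apache's PCRE does, that %{QUERY_STRING} is matched raw while RedirectMatch sees the percent-decoded path, and that every section answers 403 so only the first section to fire is reported.

```python
import re
from urllib.parse import unquote

# Patterns copied from the three 5G sections; Apache evaluates them as PCRE and
# Python's re module treats every construct used here the same way (assumption).
QUERY_STRING_RULES = [  # RewriteCond %{QUERY_STRING} ... [NC], OR'd together
    r"(environ|localhost|mosconfig|scanner)", r"(menu|mod|path|tag)\=\.?/?",
    r"boot\.ini", r"echo.*kae", r"etc/passwd", r"\=\\%27$", r"\=\\\'$",
    r"\.\./", r"\:", r"\[", r"\]",
]
USER_AGENT_RULES = [  # SetEnvIfNoCase User-Agent ... keep_out
    r"^$", r"(casper|cmsworldmap|diavol|dotbot)",
    r"(flicky|ia_archiver|jakarta|kmccrew)", r"(libwww|planetwork|pycurl|skygrid)",
]
REQUEST_RULES = [  # RedirectMatch 403 ... (case-sensitive, matched against the URL path)
    r"(https?|ftp|php)\://", r"/(cgi|https?|ima|ucp)/",
    r"(\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$",
    r"(\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)",
    r"\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$",
    r"/(contac|fpw|install|pingserver|register)\.php",
    r"(base64|crossdomain|localhost|wwwroot)", r"(eval\(|\_vti\_|\(null\)|echo.*kae)",
    r"\.well\-known/host\-meta", r"/function\.array\-rand", r"\)\;\$\(this\)\.html\(",
    r"proc/self/environ", r"msnbot\.htm\)\.\_", r"/ref\.outcontrol", r"com\_cropimage",
    r"indonesia\.htm", r"\{\$itemURL\}", r"function\(\)", r"labels\.rdf",
]

def first_match(rules, subject, flags=0):
    """Return the first pattern that matches subject, or None."""
    for pattern in rules:
        if re.search(pattern, subject, flags):
            return pattern
    return None

def check_request(method, path, query="", user_agent="Mozilla/5.0"):
    """Return (section, rule) for the first 5G section in file order that fires,
    or None if the request passes; every section answers 403 either way."""
    # %{QUERY_STRING} is the raw, still percent-encoded query; [NC] = ignore case
    hit = first_match(QUERY_STRING_RULES, query, re.IGNORECASE)
    if hit:
        return ("QUERY STRINGS", hit)
    # <limit GET POST PUT>: the keep_out denial only covers these methods
    # (Apache treats HEAD as GET inside <Limit>); other methods skip this section
    if method.upper() in ("GET", "HEAD", "POST", "PUT"):
        hit = first_match(USER_AGENT_RULES, user_agent, re.IGNORECASE)
        if hit:
            return ("USER AGENTS", hit)
    # RedirectMatch sees the percent-decoded URL path, without the query string
    hit = first_match(REQUEST_RULES, unquote(path))
    return ("REQUEST STRINGS", hit) if hit else None
```

Because the blank-User-Agent denial lives inside <limit GET POST PUT>, requests using any other method never reach that section, which is worth knowing when you judge how much coverage the user-agent rules actually give.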
  1. Hi Jeff. Thanks for sharing such a useful tool. I have just read your 4G post, and have now given 5G a test.

    I’ve tested this on three WP sites, all work fine without a hitch.

    These include:
    WP 3.0.5 site running Genesis (but no other plugins).
    WP 2.9.2 site running WP-Touch, Lightbox 2, WP-Polls
    WP 3.0.1 site without any plugins

    I hope to be able to test this on my Magento e-Commerce sites over the next couple of days. Will keep you posted.

  2. Berry Sizemore February 9, 2011 @ 3:16 pm

    I have deployed the firewall without modification to my WordPress and VBulletin sites. My WordPress site is nested in the tree of VBulletin. When I put the firewall into .htaccess of ~/public_html/ (for VBulletin) and ~/public_html/wordpress/ (for WordPress), some functionality for WordPress gives 500 errors.

    • Jeff Starr

      Hmm, you might try one section of the firewall at a time. The user-agent and query-string directives shouldn’t cause any problems, but the request-pattern rules are a bit trickier.

      If you decide to try again, any specific information to help diagnose the issue would be useful. For example, what stopped working, was there a URL request involved, and any ideas for which rule might be causing the issue would be awesome.

  3. Great stuff. I shall try and implement this tonight. My site is a non-WordPress environment so I’m guessing 5G should run without causing any problems.

    Cheers
    I

  4. Hmmm…. spoke too soon. Getting an Access Denied error when trying to access any page on my site:

    Forbidden
    You don’t have permission to access / on this server.
    Apache Server at http://www.thedarkfortress.co.uk Port 80

    but I don’t know why.

    • Jeff Starr

      A great way to diagnose issues is to just include one piece of the 5G at a time. Then once you’ve narrowed it down to a specific section, remove half of the rules and see if it works. If not, remove a few more, and so on until it works. The last chunk of code you remove before it works should contain the code at issue.

      At least, that’s how I do it ;)

  5. Hi,

    Quick question: This code is supposed to go on top of the wp default code for permalinks right?

    I’ll start adding it to my sites and will let you know about any news.

    Thanks for sharing such a valuable resource!!

    • Jeff Starr

      I always place mine after (beneath) the WP permalink directives. But theoretically they can go anywhere, it shouldn’t matter.

      Also, the 5G Firewall may be placed in subdirectories to protect whatever is contained therein.

  6. After a year of pondering, I finally threw this down onto two WP 3.1 installs and one Invision Power Board. So far so good! And I’ve got WordPress with BuddyPress and a metric ton of weird plugins/tweaks going on!

    • Jeff Starr

      That’s great to hear! It also works great with the gigantic Simple:Press Forum plugin, which has tons of crazy stuff happening. So good signs so far – let us know if you find any surprises.

  7. Looks good Jeff. Can’t wait to try it out.

  8. The 5G firewall seems to work on a 3.0.5 installation of WordPress with the active plugins:

    • Akismet
    • ALO EasyMail Newsletter
    • Disable wp new user notification
    • Enhanced Meta Widget
    • Shadowbox JS
    • Slickr Flickr
    • Social Media Widget
    • Theme My Login
    • Tweet This
    • User Photo
    • W3 Total Cache
    • WordPress.com Stats
    • WP-Polls
    • WP Coda Slider
    • XML Sitemap Feed
  9. I’ve been testing on one of my sites with a good deal of traffic and I’ve only run into one problem so far.

    In the user agent section is a rule blocking requests with a blank user agent:

    SetEnvIfNoCase User-Agent ^$ keep_out

    I happen to be using PayPal on that site for purchases along with PayPal’s IPN feature, which POSTs the transaction details back to a URL you specify. That request has no User-Agent set so no transactions were getting through. Here’s a sample of the request, which can come from any of several PayPal IP addresses:

    66.211.170.66 - - [10/Feb/2011:14:50:21 -0600] "POST /mypath/myipnscript.php HTTP/1.0" 200 - "-" "-"

    So those using PayPal with IPN will want to watch out for that.

    • Jeff Starr

      Thanks for the tip. PayPal’s pretty huge – I may end up removing that particular directive to avoid issues involving financial transactions and the like. Hmmm..

  10. I have one more for you. If you run bbPress along with WordPress, the forum registration will be blocked because it does a URL with

    /forumpath/register.php

    which is matched in

    RedirectMatch 403 /(contac|fpw|install|pingserver|register).php

    There are nowhere near the number of bbPress sites as there are WordPress so I imagine this one won’t affect too many. It’s good to be aware of though.

  11. I have found that a program download is blocked.

    An example link that works with 5G:
    http://www.website.com/wp-content/uploads/2010/06/Program-v4.3.2.zip

    But this one doesn’t work with 5G:
    http://www.website.com/wp-content/uploads/2010/06/Program-v4.3-Setup.exe

    I should have done the right thing and removed the periods from within the file names in the first place (my bad), but thought you’d like to know regardless.

    • It’s being blocked because of the “.exe”. That’s a good thing because there is so much malicious traffic probing sites for those to find Windows server vulnerabilities. If you really need to deliver an exe file it would be best to wrap it in a zip file and take “exe” out of the file name. You could also alter the 5G rules but then you would lose out on blocking all those bad guys.

  12. Jeff I have found much help here at PP over the last 3 years and just wanted to thank you for making this code and other stuff available. I know it takes “plenty of time” to do this and that time is appreciated. BTW, your new site design looks GREAT!!!
