5G Firewall Beta
The 5G Firewall, the successor to the 4G Blacklist, is now open for beta testing. The new code is better than ever, providing wider protection with less code and fewer false positives. I’ve had much success with this new firewall, but more testing is needed to ensure maximum compatibility and minimal issues.
At this point, the code has been tested extensively with the following WordPress configurations:
- Default WordPress installation (no plugins)
- Current WordPress version 3.0.5 (running plugins [1])
- Older WordPress version 2.3.3 (running plugins [2])
The 5G Firewall is the result of many months of meticulous request monitoring, analyses, and testing. With this code, my goal is an easy, plug-n-play security firewall that blocks the maximum volume of malicious requests with a minimum number of false positives. It’s also built with compatibility in mind. The 5G Firewall is fine-tuned [3] to WordPress, but the directives are designed for general use and should help any site conserve bandwidth and server resources while protecting against malicious activity.
Beta Testers
Only test this code if you are familiar with .htaccess and comfortable with diagnosing and resolving potential issues. The 5G is currently running at Perishable Press and everything seems to be working great. But there are so many different configurations that beta testing is needed to help ensure maximum compatibility. Please leave any issues/resolutions in the comments section (remember to wrap code in <code> tags).
Disclaimer
The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify only if proper attribution is included (e.g., “5G FIREWALL from PerishablePress.com”). By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.
Learn more…
To learn more about the theory and development of the 5G Firewall, check out my article on constructing the 4G Blacklist. A search for “blacklist” in the sidebar should also return much related information.
5G Firewall Beta
# 5G FIREWALL from PerishablePress.com
# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} echo.*kae [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} \=\\%27$ [NC,OR]
RewriteCond %{QUERY_STRING} \=\\\'$ [NC,OR]
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} \: [NC,OR]
RewriteCond %{QUERY_STRING} \[ [NC,OR]
RewriteCond %{QUERY_STRING} \] [NC]
RewriteRule .* - [F]
</ifModule>
# 5G:[USER AGENTS]
<ifModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</limit>
</ifModule>
# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c>
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(cgi|https?|ima|ucp)/
RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
</ifModule>
[1] Tested plugins for WP 3.0.5:
- Akismet
- All in One SEO Pack
- BackWPup
- Clean Options
- Feed Count
- Google XML Sitemaps
- W3 Total Cache
- WP-phpMyAdmin
- Contextual Related Posts
- Customizable Post Listings
- Custom Query String Reloaded
- Edit Author Slug
- FeedStats
- Google XML Sitemaps
- Mass Mail
- No category parents
- Pierre’s Wordspew
- Post Editor Buttons
- Search Everything
- Secure WordPress
- Simple:Press Forum
- TPC! Memory Usage
- Use Google Libraries
- Vote the Post
- WordPress File Monitor
- WordPress Ultimate Security
- WP-phpMyAdmin
- WP-Polls
- WP-UserOnline
- WP Favorite Posts
- WP Hide Dashboard
- WP Security Scan
- WP Socializer
- WPtouch
[2] Tested plugins for WP 2.3.3:
- AddMySite (AMS)
- Akismet
- All in One SEO Pack
- Authenticate
- Code Auto Escape
- Compact Archives
- Contact Coldform
- Customizable Post Listings
- Custom Query String Reloaded
- Dagon Design Sitemap Generator
- Display Post View Count (Top10)
- Download Counter
- Feedburner Feed Replacement
- Feed Count
- Full Text Feed
- Google XML Sitemaps
- KillNag
- Plugins Used Plugin
- Search Everything
- Simple Recent Comments
- Simple Tags
- SimpleTwitter
- Stealth Publish
- Subscribe To Comments
- Theme Switcher
- the_excerpt Reloaded
- Yet Another Related Posts Plugin
[3] Test Environment:
- Operating System: Linux
- Server: Apache/2.2.3 (CentOS)
- MySQL Version: 5.0.77-log
- PHP Version: 5.2.6
[4] Example query strings for testing:
http://example.com/path/?../
http://example.com/path/?php://
http://example.com/path/?scanner
http://example.com/path/?boot.ini
http://example.com/path/?echo.*kae
http://example.com/path/?mosconfig
http://example.com/path/?etc/passwd
http://example.com/path/?path=./
http://example.com/path/?=\'
http://example.com/path/?=\%27
http://example.com/path/?environ
http://example.com/path/?menu=
http://example.com/path/?mod=
http://example.com/path/?tag=
http://example.com/path/?ftp:
http://example.com/path/?http:
http://example.com/path/?https:
http://example.com/path/?[
http://example.com/path/?]
http://example.com/path/?
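As an added example (not part of the original post or of the 5G code itself), the script below replays the QUERY STRINGS block against sample URLs and reports which RewriteCond would fire, so a false positive can be traced to a single pattern directly rather than by removing rules half at a time. The patterns are hand-translated into Python regular expressions; the two trailing-quote rules are approximated as noted in the comments, since Apache’s own handling of doubled backslashes in the config file is not reproduced. Apache matches %{QUERY_STRING} raw, without percent-decoding, so the script does the same. The Mint feeder link is the one posted in the comments below (trailing ellipsis dropped); the WordPress menu-editor, MediaWiki and ?p= URLs are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Hand translation of the eleven RewriteCond patterns in the 5G "QUERY STRINGS"
# block into Python regular expressions (assumption: Python's re engine agrees
# with Apache's PCRE for these simple patterns). Apache's [NC] flag becomes
# re.IGNORECASE below. The two "trailing quote" rules are approximated as "="
# followed by an optional backslash and then %27 or ' at the end of the query
# string (assumption: Apache's treatment of the doubled backslashes in the
# config file is not reproduced here).
QUERY_STRING_RULES = [
    ("keywords",       r"(environ|localhost|mosconfig|scanner)"),
    ("param=./",       r"(menu|mod|path|tag)=\.?/?"),
    ("boot.ini",       r"boot\.ini"),
    ("echo.*kae",      r"echo.*kae"),
    ("etc/passwd",     r"etc/passwd"),
    ("trailing =%27",  r"=\\?%27$"),
    ("trailing =\\'",  r"=\\?'$"),
    ("../",            r"\.\./"),
    ("colon",          r":"),
    ("open bracket",   r"\["),
    ("close bracket",  r"\]"),
]

# The same rule set with "menu" dropped: the workaround reported in the comments
# for the WordPress menu editor, which passes the menu id as ?menu=N.
RULES_WITHOUT_MENU = [
    (label, r"(mod|path|tag)=\.?/?" if label == "param=./" else pattern)
    for label, pattern in QUERY_STRING_RULES
]


def raw_query(url):
    """Return the query string as Apache's %{QUERY_STRING} sees it:
    everything after the first '?', with no percent-decoding."""
    return urlsplit(url).query


def matching_rules(url, rules=QUERY_STRING_RULES):
    """Labels of every RewriteCond that would fire for this URL. The
    conditions are chained with [OR], so any single hit yields the 403."""
    query = raw_query(url)
    return [label for label, pattern in rules
            if re.search(pattern, query, re.IGNORECASE)]


def would_block(url, rules=QUERY_STRING_RULES):
    """True if the QUERY STRINGS block would answer this URL with a 403."""
    return bool(matching_rules(url, rules))


# Sample URLs: the first three are test strings from the post, the Mint feeder
# link is the one reported in the comments, and the rest are constructed here.
SAMPLE_URLS = [
    "http://example.com/path/?../",
    "http://example.com/path/?scanner",
    "http://example.com/path/?=\\%27",
    "http://www.jeffbyrnes.net/feeder/?FeederAction=clicked&feed=Articles%20(RSS2)"
    "&seed=http://www.jeffbyrnes.net/2008/11/05/yes-we-did-yes-we-can-yes-we-will/"
    "&seed_title=A%20wise%20man%20once%20said",
    "http://example.com/wp-admin/nav-menus.php?action=edit&menu=3",  # constructed
    "http://example.com/index.php?title=Special:RecentChanges",       # constructed
    "http://example.com/?p=123",                                      # constructed
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = matching_rules(url)
        status = "403" if hits else "200"
        print(f"{status}  {url}\n      fired: {hits or 'none'}")
```

Running it shows the Mint link tripping only the colon rule and the menu-editor URL tripping only the `(menu|mod|path|tag)` rule, which is exactly what the commenters found by elimination; passing `RULES_WITHOUT_MENU` as the second argument confirms the reported workaround lets the menu editor through without dropping the other ten conditions.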
66 responses to “5G Firewall Beta”
Hi Jeff, thanks for doing all this work, your site is a huge resource for me.
I noticed with my setup (WordPress 3.0.5, a stack of plugins, a lot of stuff in functions.php, various bits in htaccess, custom php.ini, your latest robots.txt, blackhole … ) that Navigation Menus in WordPress throws an error when swapping between menus. I traced it in my case to this line:
RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
I removed ‘menu’ and it works again.
Jeff,
Line 15 is poison to MediaWiki due to page names such as Special:Pages and Random:Page and etc. That’s the colon filter.
I took all 55 lines of 5G and put it into the appropriate part of my .htaccess… I had it in the wrong place and I had to nuke the 3G stuff.
Thanks
Jeff,
I received a report that the DROID Incredible by Verizon is having trouble. Hope this report helps.
Best,
Berry
Jeff & Co.,
VBulletin is affected by this filter as well, though it only shows up in the admin. I haven’t tested, but it may affect registrations too.
RewriteRule .* - [F]
Thanks for all the help, Berry :)
For this particular rule, removing it would eliminate the entire query-string block of directives. That line tells Apache to 403 any request that meets any of the RewriteCond requirements. I’m thinking the issue may be with one of the RewriteCond character patterns.
This line:
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
hoses VBulletin’s registration system. Remove the word “register” from this filter and all is well:
RedirectMatch 403 /(contac|fpw|install|pingserver)\.php
I have the 5G installed on a basic default install of Joomla 1.6 and all appears to be working so far. One issue that seems strange though is when I try any of the test query strings you listed above I don’t get a 403 error; instead I get the default Joomla article not found page. I do have SEO friendly URLs enabled in the Admin panel so I’m not sure if this is maybe what’s causing that to happen. I have Joomla installed in a subdirectory on my domain; when I try the example query strings on my site’s root directory, which only has a static html page, I do get a 403 error when using the example query strings.
To recap, when I try the following (http://mysite.com/path/?../) I DO get a 403 error page. However when I try the following (http://mysite.com/myJoomlaDirectory/path/?../) I get the default Joomla article not found page, not a server 403 error page. Hope this helps.
Something that I’ve found very useful in stopping probing attacks is adding “reply” to this line:
RedirectMatch 403 /(contac|fpw|install|pingserver|register|setup)\.php
as I seem to get a lot of rogue request strings ending in xxx/setup.php. I admit this might not be sensible to add to a lot of sites – but seems fine on mine so far.
Jeff, great work. Is this a separate initiative from your Blackhole?
Thanks, yes this a different technique entirely, although they share some of the same functional principles. Also, the 5G is built with htaccess, and the Blackhole primarily with PHP.
Jeff, wondering if you could help out with this one. I’ve got Mint set up with the Birdfeeder Pepper, but after putting the 5G Firewall in place, if someone clicks on a seed, the link is a 404.
Example:
http://www.jeffbyrnes.net/feeder/?FeederAction=clicked&feed=Articles%20(RSS2)&seed=http://www.jeffbyrnes.net/2008/11/05/yes-we-did-yes-we-can-yes-we-will/&seed_title=A%20wise%20man%20once%20said…
I’ve narrowed it down to the query strings rules, but after going through & removing them half at a time, then one-by-one, no love. That link will only work correctly if I hose all the query strings, which kinda defeats the purpose…
Anyway, just curious if you’ve got any thoughts, I’m sure I’m missing something!
Oh, and I’ve disabled the rules for now, so that link will resolve correctly. What few readers I have subscribed by RSS definitely take precedence over stopping some bots.
Try removing the following character-string from the first QUERY-STRING directive:
https?|
I’m thinking that should work, but there may another match happening somewhere. Let me know, we’ll get it.
The only https?| I see is in one of the “Request Strings” lines, which is a RedirectMatch bit. There’s no https?| in any of the QUERY-STRING directives.
Regardless, I tried removing both of the ones in the RedirectMatch rules, no dice.
Right, my mistake – I was looking at the wrong section. Try removing this line from the query-string rules:
RewriteCond %{QUERY_STRING} \: [NC,OR]
That may not be it either, but the troubleshooting process is really just a few iterations of the halving method, where you remove half the code, test, remove another chunk of code, etc, until the offending match is identified.
And shazam it worked! Man, I thought I’d gone through each line one-by-one, but obviously I missed that one somehow. And yeah, split-half search is the way to go for things like this, but that didn’t reveal that was the problem either.
Regardless, seems to be working now, thanks a ton!
Hi,
Just wanted to inform about a bug already reported: switching between menus (Appearance -> Menus) or trying to add a new one won’t work because of this:
RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
The menus section does include a “menu” parameter which is the id of the menu. So far the fix would be to remove the menu condition, I’m not that good on htaccess to provide an exception applied to that single area only, but maybe someone over here can :)
Thanks for sharing this great resource!
This is awesome. I can’t believe how generous you are to the web community. So great.
Works for me, but had to comment out one section:
RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
It was conflicting with W3 Total Cache, giving this error:
You don't have permission to access /wp-content/w3tc/pgcache/contact//_index.html.gzip on this server.
Maybe I am doing something wrong in my w3 settings?
WP 3.1
It looks like it may just be the double slashes that are matched/blocked. To keep the protection offered by the other patterns in that line, remove the following characters:
//|
That should do it, let me know if not so I can look into it. I also use W3TC here at this site along with the 5G and haven’t detected any issues. Do you know what link/action triggered the error?
That worked great, thank you!
Basically, when I include the //| in that line, any URLs get blocked, including the homepage of the site. This fix definitely helped.
Ah – one thing I should have noticed before now – it’s only specific to one of my sites using W3TC, so it doesn’t seem to be a widespread bug at all. Probably something in my settings that I need to resave or revisit.
Hi Jeff,
Great work on 5G!!
I’ll be trying it out and let you know how it goes!
Thanks!
Ken