5G Firewall Beta

♦ Posted by Jeff Starr in .htaccess, Security

Updated August 4, 2024 • 66 comments

[ 5G (beta) ] Updating the 4G Blacklist, the new 5G Firewall is now open for beta testing. The new code is better than ever, providing wider protection with less code and fewer false positives. I’ve had much success with this new firewall, but more testing is needed to ensure maximum compatibility and minimal issues.

Update: Check out the new and improved 6G Firewall »

At this point, the code has been tested extensively with the following WordPress configurations:

Default WordPress installation (no plugins)
Current WordPress version 3.0.5 (running plugins¹)
Older WordPress version 2.3.3 (running plugins²)

The 5G Firewall is the result of many months of meticulous request monitoring, analyses, and testing. With this code, my goal is an easy, plug-n-play security firewall that blocks the maximum volume of malicious requests with a minimum number of false positives. It’s also built with compatibility in mind. The 5G Firewall is fine-tuned³ to WordPress, but the directives are designed for general use and should help any site conserve bandwidth and server resources while protecting against malicious activity.

Beta Testers

Only test this code if you are familiar with .htaccess and comfortable with diagnosing and resolving potential issues. The 5G is currently running at Perishable Press and everything seems to be working great. But there are so many different configurations that beta testing is needed to help ensure maximum compatibility. Please leave any issues/resolutions in the comments section (remember to wrap code in <code> tags).

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify only if proper attribution is included (e.g., “5G FIREWALL from PerishablePress.com”. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my article on constructing the 4G Blacklist. A search for “blacklist” in the sidebar should also return much related information.

5G Firewall Beta

# 5G FIREWALL from PerishablePress.com

# 5G:[QUERY STRINGS]
<ifModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</ifModule>

# 5G:[USER AGENTS]
<ifModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 <limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </limit>
</ifModule>

# 5G:[REQUEST STRINGS]
<ifModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
</ifModule>

¹ Tested plugins for WP 3.0.5:

Akismet
All in One SEO Pack
BackWPup
Clean Options
Feed Count
Google XML Sitemaps
W3 Total Cache
WP-phpMyAdmin
Contextual Related Posts
Customizable Post Listings
Custom Query String Reloaded
Edit Author Slug
FeedStats
Google XML Sitemaps
Mass Mail
No category parents
Pierre’s Wordspew
Post Editor Buttons
Search Everything
Secure WordPress
Simple:Press Forum
TPC! Memory Usage
Use Google Libraries
Vote the Post
WordPress File Monitor
WordPress Ultimate Security
WP-phpMyAdmin
WP-Polls
WP-UserOnline
WP Favorite Posts
WP Hide Dashboard
WP Security Scan
WP Socializer
WPtouch

² Tested plugins for WP 2.3.3:

AddMySite (AMS)
Akismet
All in One SEO Pack
Authenticate
Code Auto Escape
Compact Archives
Contact Coldform
Customizable Post Listings
Custom Query String Reloaded
Dagon Design Sitemap Generator
Display Post View Count (Top10)
Download Counter
Feedburner Feed Replacement
Feed Count
Full Text Feed
Google XML Sitemaps
KillNag
Plugins Used Plugin
Search Everything
Simple Recent Comments
Simple Tags
SimpleTwitter
Stealth Publish
Subscribe To Comments
Theme Switcher
the_excerpt Reloaded
Yet Another Related Posts Plugin

³ Test Environment:

Operating System: Linux
Server: Apache/2.2.3 (CentOS)
MYSQL Version: 5.0.77-log
PHP Version: 5.2.6

⁴ Example query strings for testing:

http://example.com/path/?../
http://example.com/path/?php://
http://example.com/path/?scanner
http://example.com/path/?boot.ini
http://example.com/path/?echo.*kae
http://example.com/path/?mosconfig
http://example.com/path/?etc/passwd
http://example.com/path/?path=./
http://example.com/path/?=\'
http://example.com/path/?=\%27
http://example.com/path/?environ
http://example.com/path/?menu=
http://example.com/path/?mod=
http://example.com/path/?tag=
http://example.com/path/?ftp:
http://example.com/path/?http:
http://example.com/path/?https:
http://example.com/path/?[
http://example.com/path/?]
http://example.com/path/?

About the Author

Jeff Starr = Web Developer. Book Author. Secretly Important.

66 responses to “5G Firewall Beta”

Wil 2012/04/22 5:58 am

Possibility to make a nginx version?
- Jeff Starr 2012/04/22 1:21 pm • Post Author
  
  Yes, I’m working on it now ;)
  - Wil 2012/04/22 3:57 pm
    
    Good news, thanks a lot
  - David Gregg 2012/04/25 7:18 am
    
    Any update on an NginX version?
  - Jeff Starr 2012/04/25 9:45 am • Post Author
    
    Still collecting resources, researching, and testing.. if you know of anything useful that’s not appearing in the first few pages of Google let me know. Also are you able to help beta-test?
Stacy 2012/05/10 12:25 pm

This is a great resource. Thanks for your work on it! One question I have is should I use both the 4G and 5G blacklist together or is that not recommended.
- Jeff Starr 2012/05/10 12:30 pm • Post Author
  
  Good question. I recommend only the current version, 5G. Note that I am nearing completion of the beta version of 6G, to be announced soon :)

« Previous Comments • 1234

Comments are closed for this post. Something to add? Let me know.