6G Firewall
After three years of development, testing, and feedback, I’m pleased to announce the official launch version of the 6G Firewall (aka the 6G Blacklist). This version of the nG Firewall is greatly refined, heavily tested, and better than ever. Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks. Blocking bad traffic improves site security, reduces server load, and conserves precious resources. The 6G Firewall is entirely plug-n-play with no configuration required. It’s also open source, easy to use, and completely free, providing strong protection for any Apache-powered website.
Contents
Shortcut menu for this post:
- About 6G
- Description
- Requirements
- 6G Firewall
- Notes
- Changelog
- FAQs
- Troubleshooting
- Reporting Bugs
- Show Support
- License
- Disclaimer
- Learn More
- Coming Soon
- Thank You
About 6G
Over the past few years, malicious server scans and bad requests have increased dramatically. If you have yet to implement strong security measures for your site, now is the time to beef up security and lock things down. There are many great security solutions available for your site, but none provide the simplicity, flexibility, and performance of 6G.
The 6G Firewall is a powerful, well-optimized blacklist that checks all URI requests against a set of carefully constructed .htaccess directives. This happens quietly behind the scenes at the server level, which is optimal for performance and resource conservation. Most WordPress plugins require both PHP and MySQL, which can be overkill and even wasteful depending on the scenario and your overall security strategy. With an .htaccess solution such as the 6G Firewall, the rules are executed by Apache without invoking the memory and resources required for PHP, MySQL, etc. That gives you better performance while saving server resources for legitimate traffic.
The 6G Firewall integrates the best features of the following resources:
- 6G Beta
- 5G Firewall
- 2014 Micro Blacklist
- 2010 Blacklist Update
- 5G for WordPress
- Plus all-new rules and patterns
Bottom line: 6G is an easy-to-use, cost-effective way to secure your site against malicious HTTP activity. It helps to protect against evil exploits, ill requests, and other nefarious garbage, such as XSS attacks, SQL/PHP injections, cache poisoning, response splitting, dual-header exploits, and more.
How it works
Like other Apache firewalls and blacklists, the 6G operates at the server-level. Basically you add the 6G code to your site’s root .htaccess file and then sit back and relax while 6G works its magic. That’s the beauty of it: there is no configuration required. Just add the code and done.
Once implemented, 6G scans every HTTP request made to your site. It compares key aspects of each request against a carefully formulated set of patterns and expressions. If someone or something triggers a match, the request is blocked immediately and silently behind the scenes (via a 403 Forbidden response). Legitimate visitors can continue to surf your site with total confidence, while the bad guys are busy getting kicked to the curb by 6G.
Learn more about 6G and how it works »
Requirements
Before installing 6G, please make sure that your setup meets the requirements:
- Apache version 2 or better
- .htaccess files enabled on your server
If you are unsure about either of these requirements, ask your web host. If you are new to Apache and/or .htaccess, and want to learn more about it, I wrote an entire book on using .htaccess to secure and optimize your site. Also, here is a tutorial that explains how to create an .htaccess file on your local machine.
Important!
Always make a backup copy of your .htaccess before making any changes. That way if something goes awry, you can restore original functionality immediately. I realize that this may be obvious to some, but it’s important for everyone to know.
Reporting bugs
If you encounter any issue with 6G, please refer to the Troubleshooting and Reporting Bugs sections below for important information.
WordPress alternative for 6G
If your site does not meet the requirements, I develop the following WordPress plugins:
- BBQ: Block Bad Queries (free plugin)
- BBQ Pro (premium plugin with advanced security and features)
Both of these plugins are blazing fast and integrate 5G/6G technology, providing strong firewall protection for your WordPress-powered site.
6G Firewall
The 6G Firewall/Blacklist consists of the following sections:
# 6G:[QUERY STRING]
# 6G:[REQUEST METHOD]
# 6G:[REFERRER]
# 6G:[REQUEST STRING]
# 6G:[USER AGENT]
Each of these sections works independently of the others, such that you could, say, omit the entire query-string and IP-address blocks and the remaining sections would continue to work just fine. Mix ’n match ’em to suit your needs. This code is formatted for deployment in your site’s root .htaccess file. Remember: always make a backup of your .htaccess before making any changes.
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRING]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRER]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRING]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000,})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENT]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>
</IfModule>
</IfModule>
To implement: include the entire 6G Firewall in the root .htaccess file of your site. Remember to backup your original .htaccess file before making any changes. Then test your pages thoroughly while enjoying a delicious beverage. If you encounter any issues, please read the troubleshooting tips and the section on reporting bugs. As always, feel free to share any feedback or questions via my contact form :)
Notes
Some notes about the 6G Firewall:
Blocking IPs
6G Firewall makes it easy to deny access based on visitor IP address. Check out How to Block IPs with 6G Firewall for complete information.
HTTP Auth
If your site is using any HTTP authentication, you will need to comment out (or remove) the following lines, located in the User Agent section:
Allow from all
Require all Granted
Code placement
If you are running WordPress and it is installed in its own directory, you may need to move the QUERY STRING rules to the .htaccess file found in the root of that directory. So for example, if WordPress is installed in a subdirectory named “blackmothsuperrainbow”, 6G would be included as follows:
- The .htaccess file located in the /blackmothsuperrainbow/ directory includes the QUERY STRING rules
- The .htaccess file located in the site’s publicly accessible root directory (e.g., /public_html/) contains everything else
Also, in some cases it may be necessary to place the QUERY STRING rules before any WordPress Permalink rules. The best way to determine if this is necessary is to make the following request (note: replace example.com with your own domain name):
http://example.com/?eval(
After making that request, if you get a 403 Forbidden response, then you’re fine. If you receive a 404 error or something else, make sure that the QUERY STRING rules are included as prescribed above.
WooCommerce
Some WooCommerce extensions like “Pirate Ship service” use PUT in addition to GET and POST. This means WooCommerce users may want to remove PUT from the REQUEST METHOD rules. So change this line:
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
...to this:
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track) [NC]
TimThumb
6G blocks requests for the TimThumb script/plugin with the following rules:
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
...
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
So if you are running TimThumb on your site, comment out or remove the previous rules, for example:
# RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
...
# RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
By adding a hash symbol (pound sign, whatever) # to the beginning of any line in your .htaccess file, you effectively turn the line into a comment that is ignored by Apache. Alternately, for the RedirectMatch line, you could remove all “thumb” related strings while keeping the others enabled.
WordPress Add-on
For those of you using the WordPress Add-on for 5G, it’s no longer necessary if you’re upgrading to 6G. The WP 5G Add-on is integrated into 6G.
File types
To help secure your site against threats, the 6G blocks requests for specific types of files. These files are specified in the Request Strings section of the 6G, which begins with asp|bash|cfg. 99% of the time, these file types are not requested over HTTP, and are totally safe to block. Even so, you may want to examine the list and make sure that it’s not blocking any file types that are required by your site.
CGI
If you’re doing anything with CGI, like from /cgi-bin/, remove the cgi- from this line: RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack). So you should end up with this:
RedirectMatch 403 (?i)/(=|\$&|_mm|etc/passwd|muieblack)
NextCloud
If you are using NextCloud with 6G, you will need to remove put from the following line: ^(connect|debug|move|put|trace|track) [NC]. So you should end up with this:
^(connect|debug|move|trace|track) [NC]
Without this change, some of the back-end settings won’t save.
Changelog
Changelog for 6G Firewall:
2020/09/07
- Removed % from GLOBALS|REQUEST pattern in query string
2019/07/31
- Renamed some sections to singular noun
- Removed IP-blocking section, # 6G:[BAD IPS]. Read How to Block IPs with 6G Firewall for more information.
2019/01/25
- Removed redundant etc/passwd from request uri
- Removed \s from request uri
2016/11/29
- Removed delete from request methods
- Changed {2000} to {2000,} in all four locations
2016/06/25
- User Agent rules now support mod_authz_core (Apache >= 2.3)
2016/01/31
- Appended php to (wp-)?config\. (Thanks Franceska)
2016/01/27
- Removed % from QUERY STRINGS (Thanks Adam)
2016/01/26
- Initial release!
For more information about development, check out the 6G Beta.
FAQs
A list of frequently asked questions.
Do I need both 5G and 6G?
Nope, 6G is designed to replace 5G, based on the evolving landscape of malicious threats and exploits. If you want to run both firewalls, that’s fine too. There will be some redundant rules, but otherwise the firewalls are 100% compatible.
Does 6G work with WordPress?
The 6G works beautifully with WordPress, and should help any Apache-powered site conserve bandwidth and server resources while protecting against malicious activity. That said, WordPress is the big player these days, so most of the testing is tuned to that particular platform. If you’re installing 6G on any other CMS, please be mindful and take the time to test all of your pages.
Can I add 6G to a live site?
While it’s always recommended to test all code in a test/development environment, it’s totally fine to add 6G directly to a live/production site. As long as your site meets the above requirements, you should be good to go. Just to be safe, make a backup copy of your .htaccess file, as advised in the next section.
Troubleshooting
If you encounter any errors or non-loading resources after installing 6G, remove the entire block of code and restore your original .htaccess file. Then continue as follows:
Resource not loading
If some page or resource is not loading after adding 6G, determine its URI. Make note of any non-alphanumeric characters or anything else that looks unusual. Then compare against the rules defined in 6G. If you can spot the offending pattern, you can remove it, comment it out, or report it (see Reporting Bugs).
If you are unable to determine which pattern is at issue, further investigation is required. There are numerous ways of going about it. Here is a good walkthrough of my halving method of isolating problematic code, which I recommend unless you have your own favorite way of troubleshooting ;)
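To take some of the guesswork out of that comparison, here is an added example (not part of the original post) that runs a constructed subset of the 6G patterns above against a request’s method, path, query string, referrer and user agent, and reports which section and pattern would return the 403. It assumes Apache’s matching can be approximated this way (raw query string for RewriteCond, decoded path for RedirectMatch), omits the rules whose backslash escaping depends on Apache’s config parser and most of the bot list, and uses constructed sample requests.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed subset of the 6G rules, keyed by the part of the request each
# section inspects. Assumptions: these PCRE patterns are compatible with
# Python's re, and re.IGNORECASE stands in for [NC] and (?i). Rules whose
# backslash escaping depends on Apache's config parser are left out, and the
# user-agent bot list is shortened.
RULES = {
    "QUERY STRING": [  # RewriteCond %{QUERY_STRING}: the raw query string
        r"(eval\()", r"(127\.0\.0\.1)", r"([a-z0-9]{2000,})",
        r"(javascript:)(.*)(;)", r"(base64_encode)(.*)(\()",
        r"(GLOBALS|REQUEST)(=|\[)", r"(<|%3C)(.*)script(.*)(>|%3)",
        r"(\\|\.\.\.|\.\./|~|`|<|>|\|)", r"(boot\.ini|etc/passwd|self/environ)",
        r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
        r"(\'|\")(.*)(drop|insert|md5|select|union)",
    ],
    "REQUEST METHOD": [r"^(connect|debug|move|put|trace|track)"],
    "REFERRER": [r"([a-z0-9]{2000,})", r"(semalt.com|todaperfeita)"],
    "REQUEST STRING": [  # RedirectMatch: the decoded URL path, no query string
        r"([a-z0-9]{2000,})", r"(https?|ftp|php):/", r"(base64_encode)(.*)(\()",
        r"(~|`|<|>|:|;|,|%|\\|\{|\}|\[|\]|\|)", r"/(=|\$&|_mm|cgi-|muieblack)",
        r"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)",
        r"\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$",
        r"/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php",
    ],
    "USER AGENT": [  # SetEnvIfNoCase User-Agent (shortened bot list)
        r"([a-z0-9]{2000,})", r"(binlar|casper|httrack|nikto|python|sqlmap|zmeu)",
    ],
}
COMPILED = {section: [(p, re.compile(p, re.IGNORECASE)) for p in patterns]
            for section, patterns in RULES.items()}


def check_request(method, url, referrer="", user_agent=""):
    """Return the (section, pattern) pairs a request trips; [] means it passes."""
    parts = urlsplit(url)
    subjects = {
        "QUERY STRING": parts.query,
        "REQUEST METHOD": method,
        "REFERRER": referrer,
        "REQUEST STRING": unquote(parts.path),
        "USER AGENT": user_agent,
    }
    return [(section, pattern)
            for section, rules in COMPILED.items()
            for pattern, rx in rules
            if rx.search(subjects[section])]


if __name__ == "__main__":
    # Constructed sample requests: the page's own ?eval( test, a normal image
    # load, a WooCommerce-style PUT, a backup file, and a scanner user agent.
    samples = [
        ("GET", "http://example.com/?eval(", "", "Mozilla/5.0"),
        ("GET", "https://example.com/wp-content/uploads/photo.jpg", "", "Mozilla/5.0"),
        ("PUT", "https://example.com/wp-json/wc/v3/orders/1", "", "Mozilla/5.0"),
        ("GET", "https://example.com/backup.sql", "", "Mozilla/5.0"),
        ("GET", "https://example.com/", "", "sqlmap/1.4"),
    ]
    for method, url, ref, ua in samples:
        hits = check_request(method, url, ref, ua)
        print(f"{'403' if hits else '200'} {method} {url} {hits}")
```

Feed it the URI of the resource that stopped loading (plus the referrer and user agent from your access log, if you have them) and the reported pattern is the line to comment out or report.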
Server error
If you get a server error after installing 6G, double-check that your site meets the requirements. If you are sure that the requirements are met, you can either troubleshoot to determine the offending rule(s), and/or you can report the issue as explained below.
Reporting bugs
If you discover any bugs, issues, or errors, report them directly via my contact form. Please do not report bugs in the comment area, thanks.
Show support
I spend countless hours researching and developing the 6G Firewall. I share it freely and openly with the hope that it will help make the Web a safer place for everyone.
If you benefit from my work with the 6G and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.
Of course, tweets, likes, links, and shares are super helpful and very much appreciated.
Your generous support allows me to continue developing the 6G Firewall and other awesome resources for the community. Thank you kindly :)
License
As mentioned previously, the 6G Firewall is entirely open source and free for all to use. The only requirement is that the following credit lines are included wherever 6G is used:
# 6G BLACKLIST/FIREWALL
# @ https://perishablepress.com/6g/
Other than that, it’s all yours!
Disclaimer
The 6G Firewall is provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.
Learn More..
To learn more about the theory and development of the 6G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. The 6G beta article also contains some good info. And for even more, check out the nG tag archive.
7G Coming Soon..
Like 5G/6G? Keep an eye out for the 7G Firewall Beta, which is available as of January 2019. Stay tuned for more updates and tutorials!
Thank You
Thanks to everyone who helped test the beta and provide feedback on 6G. Also thank you to everyone who helps to support Perishable Press! :)
37 responses to “6G Firewall”
Can you confirm that your contact form is being sent to you? I just sent a message and it was delivered to myself..
Yep, received and replied. The contact form sends a carbon copy, fyi.
Amazing. Thanks for making it freely available. I’ve used all your previous versions (and your bad bot trap too), I look forward to implementing this version soon.
Cheers
Andy
Thanks for this update! Tested on WordPress 4.4.1 and everything is working, including the Image Editor, which had some problems in the previous version (5G).
Adding this to the .htaccess all the sites I manage has become the default for me.
You provide a valuable service to the community.
Always excited to see a new version. Never had an issue with one before, so if you don’t hear any complaints, then kudos & gracias once again.
BIG thanks to you!!
Right now I have a problem on a few sites with base64 encode malware, so maybe it will help to prevent future attacks.
Thanks again
Tried applying to the main Apache conf file and had to add a Location tag before the last two sections to prevent the “Allow not allowed here” error.
(Allow / Deny requires a directory context).
What do you think?
Sounds about right, in terms of implementing via Apache configuration file instead of .htaccess. The other sections should work properly without modification. Let me know if you experience any weirdness.
…just when I was beginning to think you had abandoned this project, you release 6G! Thanks so much Jeff!
Seriously, Thank you for sharing your site and knowledge.
Whilst I am not a wp user, I do find some of the htaccess and php stuff interesting and helpful.
Hope I do not come off as rude or nit picking.
Part of this is baffling me.
I’m trying to understand what a “part” does,
and the placement method & reasoning for some of it.
So if you would please …
In 6G Firewall
Under REQUEST STRINGS
RedirectMatch 403 (?i)(base64_encode)(.*)(\()(
What is the purpose of that “i” portion?
AND
why the dual application?
RedirectMatch 403 (?i)(base64_encode)(.*)(\()(
vs
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
AND
why that for some items, and not all?
Hi lee, glad to help:
1) The (?i) means case insensitive, as explained here.
2) For base64_encode et al, the RedirectMatch is targeting the string in the main part of the request URI, while QUERY_STRING targets the query string. That is why the sections are designated accordingly, based on the part of the request that is involved.
3) Not all strings are useful/common when included in certain parts of the request, so not always necessary to do both. Other times, it makes sense to do so.
Thank you very much Jeff for your help.
Can we use the 6G blacklist and the free version of BBQ together? Are there some functions that overlap?
Yes they work great together, but at some point more of 6G will be integrated into BBQ. Currently there are some functions that overlap, but still beneficial to use both.
Hi. You mentioned WordPress a few times. So if you’ll suffer a newbie question: Is this WordPress-specific code or will it do its magic with my Drupal setup too?
Great question. The code is platform agnostic, so should work well with any CMS.
Thank you for the fast reply. I suspected so, but a long time ago I learned the rule of never assuming anything with more complex code :-D
Thank you very much for this new release.
I have two questions about the bad bot section.
Why are semalt.com and todaperfeita handled by the referrers section and not (as the others) in the user agent section? Are they trying to obfuscate their crawl?
About the regexp in this line: SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot, what does this regexp mean? Are there User-Agents like A2000 or b2000 or 82000?
Thank you for your help.
Glad to help:
1) “Why are semalt.com and todaperfeita handled by the referrers section and not (as the others) in the user agent section?”
Because they were found to be a threat mostly in the referrer field of URI requests, not so much user agent field.
2) “Are they trying to obfuscate their crawl?”
Not sure what you mean here..
3) “What does this regexp mean?”
It blocks excessively long requests, as in greater than 2000 characters.
4) “Are there User-Agents like A2000 or b2000 or 82000?”
Are there? I’m not sure what you are asking here..
6G block me from using “Mysqladmin”. Is this by design?
Of course not. Do you know the URL that requires access? I think software like that usually is run via the server control panel, so it should not be affected by 6G when placed, as prescribed, in the root .htaccess.
It’s turned on an off in the control panel, but it is run by signing in to what looks like a non-existent directory but is in fact I believe a logical link. “mysqladmin -> /usr/local/” is how it appears when I SSH in. Not really sure.
Yeah weird.. where did you install 6G? In public root .htaccess?
Hi y’all
Just taking a shot in the dark…
# 6G:[REQUEST STRINGS] (next to last “RedirectMatch”): the catchall |sql
Yes that’s straightforward, but what we’re trying to resolve is why the 6G is blocking “Mysqladmin”, which normally is run via the server control panel, outside of the scope of the root .htaccess file. I.e., “Mysqladmin” is something that shouldn’t be requested via any domain-based URL.