6G Firewall
After three years of development, testing, and feedback, I’m pleased to announce the official launch version of the 6G Firewall (aka the 6G Blacklist). This version of the nG Firewall is greatly refined, heavily tested, and better than ever. Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks. Blocking bad traffic improves site security, reduces server load, and conserves precious resources. The 6G Firewall is entirely plug-n-play with no configuration required. It’s also open source, easy to use, and completely free, providing strong protection for any Apache-powered website.
Contents
Shortcut menu for this post:
- About 6G
- Description
- Requirements
- 6G Firewall
- Notes
- Changelog
- FAQs
- Troubleshooting
- Reporting Bugs
- Show Support
- License
- Disclaimer
- Learn More
- Coming Soon
- Thank You
About 6G
Over the past few years, malicious server scans and bad requests have increased dramatically. If you have yet to implement strong security measures for your site, now is the time to beef up security and lock things down. There are many great security solutions available for your site, but none provide the simplicity, flexibility, and performance of 6G.
The 6G Firewall is a powerful, well-optimized blacklist that checks all URI requests against a set of carefully constructed .htaccess directives. This happens quietly behind the scenes at the server level, which is optimal for performance and resource conservation. Most WordPress plugins require both PHP and MySQL, which can be overkill and even wasteful depending on the scenario and your overall security strategy. With an .htaccess solution such as the 6G Firewall, the rules are evaluated by Apache itself, without invoking the memory and resources required for PHP, MySQL, etc. That gives you better performance while saving server resources for legitimate traffic.
The 6G Firewall integrates the best features of the following resources:
- 6G Beta
- 5G Firewall
- 2014 Micro Blacklist
- 2010 Blacklist Update
- 5G for WordPress
- Plus all-new rules and patterns
Bottom line: 6G is an easy-to-use, cost-effective way to secure your site against malicious HTTP activity. It helps to protect against evil exploits, ill requests, and other nefarious garbage, such as XSS attacks, SQL/PHP injections, cache poisoning, response splitting, dual-header exploits, and more.
How it works
Like other Apache firewalls and blacklists, the 6G operates at the server level. Basically you add the 6G code to your site’s root .htaccess file and then sit back and relax while 6G works its magic. That’s the beauty of it: there is no configuration required. Just add the code and you’re done.
Once implemented, 6G scans every HTTP request made to your site. It compares key aspects of each request (query string, request method, referrer, request URI, and user agent) against a carefully formulated set of patterns and expressions. If someone or something triggers a match, they are immediately and silently blocked behind the scenes (via a 403 Forbidden response). Legitimate visitors can continue to surf your site with total confidence, while the bad guys are busy getting kicked to the curb by 6G.
Learn more about 6G and how it works »
Requirements
Before installing 6G, please make sure that your setup meets the requirements:
- Apache version 2 or better
- .htaccess files enabled on your server
If you are unsure about either of these requirements, ask your web host. If you are new to Apache and/or .htaccess, and want to learn more about it, I wrote an entire book on using .htaccess to secure and optimize your site. Also, here is a tutorial that explains how to create an .htaccess file on your local machine.
Important!
Always make a backup copy of your .htaccess before making any changes. That way if something goes awry, you can restore original functionality immediately. I realize that this may be obvious to some, but it’s important for everyone to know.
Reporting bugs
If you encounter any issue with 6G, please refer to the Troubleshooting and Reporting Bugs sections below for important information.
WordPress alternative for 6G
If your site does not meet the requirements, consider one of the WordPress plugins I develop:
- BBQ: Block Bad Queries (free plugin)
- BBQ Pro (premium plugin with advanced security and features)
Both of these plugins are blazing fast and integrate 5G/6G technology, providing strong firewall protection for your WordPress-powered site.
6G Firewall
The 6G Firewall/Blacklist consists of the following sections:
# 6G:[QUERY STRING]
# 6G:[REQUEST METHOD]
# 6G:[REFERRER]
# 6G:[REQUEST STRING]
# 6G:[USER AGENT]
Each of these sections works independently of the others, such that you could, say, omit the entire query-string and IP-address blocks and the remaining sections would continue to work just fine. Mix ’n match ’em to suit your needs. This code is formatted for deployment in your site’s root .htaccess file. Remember: always make a backup of your .htaccess before making any changes.
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRING]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRER]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRING]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000,})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENT]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>
</IfModule>
</IfModule>
To implement: include the entire 6G Firewall in the root .htaccess file of your site. Remember to backup your original .htaccess file before making any changes. Then test your pages thoroughly while enjoying a delicious beverage. If you encounter any issues, please read the troubleshooting tips and the section on reporting bugs. As always, feel free to share any feedback or questions via my contact form :)
Notes
Some notes about the 6G Firewall:
Blocking IPs
6G Firewall makes it easy to deny access based on visitor IP address. Check out How to Block IPs with 6G Firewall for complete information.
HTTP Auth
If your site is using any HTTP authentication, you will need to comment out (or remove) the following lines, located in the User Agent section:
Allow from all
Require all Granted
Code placement
If you are running WordPress and it is installed in its own directory, you may need to move the QUERY STRING rules to the .htaccess file found in the root of that directory. So for example, if WordPress is installed in a subdirectory named “blackmothsuperrainbow”, 6G would be included as follows:
- The .htaccess file located in the /blackmothsuperrainbow/ directory includes the QUERY STRING rules
- The .htaccess file located in the site’s publicly accessible root directory (e.g., /public_html/) contains everything else
Also, in some cases it may be necessary to place the QUERY STRING rules before any WordPress Permalink rules. The best way to determine if this is necessary is to make the following request (note: replace example.com with your own domain name):
http://example.com/?eval(
After making that request, if you get a 403 Forbidden response, then you’re fine. If you receive a 404 error or something else, make sure that the QUERY STRING rules are included as prescribed above.
WooCommerce
Some WooCommerce extensions like “Pirate Ship service” use PUT in addition to GET and POST. This means WooCommerce users may want to remove PUT from the REQUEST METHOD rules. So change this line:
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
..to this:
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track) [NC]
TimThumb
6G blocks requests for the TimThumb script/plugin with the following rules:
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
...
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
So if you are running TimThumb on your site, comment out or remove the previous rules, for example:
# RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
...
# RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
By adding a hash symbol (pound sign, whatever) # to the beginning of any line in your .htaccess file, you effectively turn the line into a comment that is ignored by Apache. Alternately, for the RedirectMatch line, you could remove all “thumb” related strings while keeping the others enabled.
WordPress Add-on
For those of you using the WordPress Add-on for 5G, it’s no longer necessary if you’re upgrading to 6G. The WP 5G Add-on is integrated into 6G.
File types
To help secure your site against threats, the 6G blocks requests for specific types of files. These files are specified in the Request Strings section of the 6G, which begins with asp|bash|cfg. 99% of the time, these file types are not requested over HTTP, and are totally safe to block. Even so, you may want to examine the list and make sure that it’s not blocking any file types that are required by your site.
CGI
If you’re doing anything with CGI, for example from /cgi-bin/, remove the cgi- from this line:
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
So you should end up with this:
RedirectMatch 403 (?i)/(=|\$&|_mm|etc/passwd|muieblack)
NextCloud
If you are using NextCloud with 6G, you will need to remove put from the following line:
^(connect|debug|move|put|trace|track) [NC]
So you should end up with this:
^(connect|debug|move|trace|track) [NC]
Without this change, some of the back-end settings won’t save.
Changelog
Changelog for 6G Firewall:
2020/09/07
- Removed % from the GLOBALS|REQUEST pattern in query string
2019/07/31
- Renamed some sections to singular noun
- Removed IP-blocking section, # 6G:[BAD IPS]. Read How to Block IPs with 6G Firewall for more information.
2019/01/25
- Removed redundant etc/passwd from request uri
- Removed \s from request uri
2016/11/29
- Removed delete from request methods
- Changed {2000} to {2000,} in all four locations
2016/06/25
- User Agent rules now support mod_authz_core (Apache >= 2.3)
2016/01/31
- Appended php to (wp-)?config\. (Thanks Franceska)
2016/01/27
- Removed % from QUERY STRINGS (Thanks Adam)
2016/01/26
- Initial release!
For more information about development, check out the 6G Beta.
FAQs
A list of frequently asked questions.
Do I need both 5G and 6G?
Nope, 6G is designed to replace 5G, based on the evolving landscape of malicious threats and exploits. If you want to run both firewalls, that’s fine too. There will be some redundant rules, but otherwise the firewalls are 100% compatible.
Does 6G work with WordPress?
The 6G works beautifully with WordPress, and should help any Apache-powered site conserve bandwidth and server resources while protecting against malicious activity. That said, WordPress is the big player these days, so most of the testing is tuned to that particular platform. If you’re installing 6G on any other CMS, please be mindful and take the time to test all of your pages.
Can I add 6G to a live site?
While it’s always recommended to test all code in a test/development environment, it’s totally fine to add 6G directly to a live/production site. As long as your site meets the above requirements, you should be good to go. Just to be safe, make a backup copy of your .htaccess file, as advised in the next section.
Troubleshooting
If you encounter any errors or non-loading resources after installing 6G, remove the entire block of code and restore your original .htaccess file. Then continue as follows:
Resource not loading
If some page or resource is not loading after adding 6G, determine its URI. Make note of any non-alphanumeric characters or anything else that looks unusual. Then compare against the rules defined in 6G. If you can spot the offending pattern, you can remove it, comment it out, or report it (see Reporting Bugs).
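To find the offending pattern without editing the live .htaccess one line at a time, here is an added example, written for this page and not part of the 6G Firewall itself: a Python script that transcribes the five rule sections above into `re` patterns and reports, for a request you describe, the section and pattern that would produce the 403. It covers the placement check (`http://example.com/?eval(`) from the Code placement note, the `PUT` case from the WooCommerce and NextCloud notes, and the comma-in-path case reported for Simple Machines Forum in the comments below. It is an offline approximation of what mod_rewrite, mod_alias and mod_setenvif do, not Apache itself: Apache's own config-token parsing and PCRE engine are not reproduced, only the regexes as printed, applied to the same inputs. The sample requests are constructed, and one reading is an assumption: the trailing alternative of the `/(\$...)/?$` request-string rule is taken as `&amp;?` (an HTML-encoded ampersand); a bare `&?` would match every path that ends in `/`, the home page included.

```python
import re
from urllib.parse import unquote

# 6G patterns transcribed from the listing above, grouped by section. All 6G
# rules are case-insensitive ([NC], (?i), SetEnvIfNoCase), so the (?i) prefixes
# are dropped here and re.IGNORECASE is used for every pattern instead.
# Assumption: the last alternative of the "/(\$...)/?$" rule is "&amp;?", an
# HTML-encoded ampersand; a bare "&?" would match every path ending in "/".
RULES = {
    "QUERY STRING": [
        r"(eval\()",
        r"(127\.0\.0\.1)",
        r"([a-z0-9]{2000,})",
        r"(javascript:)(.*)(;)",
        r"(base64_encode)(.*)(\()",
        r"(GLOBALS|REQUEST)(=|\[)",
        r"(<|%3C)(.*)script(.*)(>|%3)",
        r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
        r"(boot\.ini|etc/passwd|self/environ)",
        r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
        r"(\'|\")(.*)(drop|insert|md5|select|union)",
    ],
    "REQUEST METHOD": [r"^(connect|debug|move|put|trace|track)"],
    "REFERRER": [r"([a-z0-9]{2000,})", r"(semalt.com|todaperfeita)"],
    "REQUEST STRING": [
        r"([a-z0-9]{2000,})",
        r"(https?|ftp|php):/",
        r"(base64_encode)(.*)(\()",
        r"(=\\\'|=\\%27|/\\\'/?)\.",
        r"/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$",
        r"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")",
        r"(~|`|<|>|:|;|,|%|\\|\{|\}|\[|\]|\|)",
        r"/(=|\$&|_mm|cgi-|muieblack)",
        r"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)",
        r"\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$",
        r"/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php",
    ],
    "USER AGENT": [
        r"([a-z0-9]{2000,})",
        r"(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune)",
    ],
}

# Compile once; keep the printed pattern beside the regex for reporting.
COMPILED = {
    section: [(p, re.compile(p, re.IGNORECASE)) for p in patterns]
    for section, patterns in RULES.items()
}


def explain(method, path, query="", referrer="", user_agent=""):
    """Return the (section, pattern) pairs a request trips; [] means allowed.

    Offline approximation only: Apache's config parsing and PCRE are not
    reproduced, just the regexes as printed, applied to the same inputs.
    """
    subjects = {
        "QUERY STRING": query,            # %{QUERY_STRING} is raw, not decoded
        "REQUEST METHOD": method,         # %{REQUEST_METHOD}
        "REFERRER": referrer,             # %{HTTP_REFERER}
        "REQUEST STRING": unquote(path),  # RedirectMatch sees the decoded URL path
        "USER AGENT": user_agent,         # SetEnvIfNoCase User-Agent
    }
    return [
        (section, pattern)
        for section, rules in COMPILED.items()
        for pattern, regex in rules
        if regex.search(subjects[section])
    ]


def is_blocked(method, path, query="", referrer="", user_agent=""):
    """True when at least one rule matches, i.e. Apache would answer 403."""
    return bool(explain(method, path, query, referrer, user_agent))


# Constructed sample requests: (label, method, path, query, referrer, user agent).
SAMPLE_REQUESTS = [
    ("normal page view", "GET", "/blog/hello-world/", "", "", "Mozilla/5.0"),
    ("placement check",  "GET", "/", "eval(", "", "Mozilla/5.0"),
    ("SMF-style URL",    "GET", "/forum/index.php/board,1.0.html", "", "", "Mozilla/5.0"),
    ("NextCloud save",   "PUT", "/remote.php/dav/files/demo/notes.txt", "", "", "Mozilla/5.0"),
    ("config probe",     "GET", "/wp-config.php", "", "", "Mozilla/5.0"),
    ("quoted SQL words", "GET", "/index.php", "id=1'%20union%20select%201", "", "Mozilla/5.0"),
    ("scanner UA",       "GET", "/", "", "", "sqlmap/1.4"),
    ("spam referrer",    "GET", "/", "", "http://semalt.com/", "Mozilla/5.0"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Map each labelled request to the rules it trips (empty list = allowed)."""
    return {label: explain(*fields) for label, *fields in requests}


if __name__ == "__main__":
    for label, hits in audit().items():
        status = "403" if hits else "200"
        detail = "; ".join(f"6G:[{s}] {p}" for s, p in hits) or "no rule matched"
        print(f"{status}  {label:16} {detail}")
```

To diagnose a resource that stopped loading, call `explain()` with that resource's method, decoded path, raw query string, referrer and user agent; each `(section, pattern)` it returns is a line you can comment out or report. Because the check runs against the printed patterns rather than a live server, it is also a quick way to see the effect of removing `put` or the comma alternative before touching the production .htaccess.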
If you are unable to determine which pattern is at issue, further investigation is required. There are numerous ways of going about it. Here is a good walkthrough of my halving method of isolating problematic code, which I recommend unless you have your own favorite way of troubleshooting ;)
Server error
If you get a server error after installing 6G, double-check that your site meets the requirements. If you are sure that the requirements are met, you can either troubleshoot to determine the offending rule(s), and/or you can report the issue as explained below.
Reporting bugs
If you discover any bugs, issues, or errors, report them directly via my contact form. Please do not report bugs in the comment area, thanks.
Show support
I spend countless hours researching and developing the 6G Firewall. I share it freely and openly with the hope that it will help make the Web a safer place for everyone.
If you benefit from my work with the 6G and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.
Of course, tweets, likes, links, and shares are super helpful and very much appreciated.
Your generous support allows me to continue developing the 6G Firewall and other awesome resources for the community. Thank you kindly :)
License
As mentioned previously, the 6G Firewall is entirely open source and free for all to use. The only requirement is that the following credit lines are included wherever 6G is used:
# 6G BLACKLIST/FIREWALL
# @ https://perishablepress.com/6g/
Other than that, it’s all yours!
Disclaimer
The 6G Firewall is provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.
Learn More..
To learn more about the theory and development of the 6G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. The 6G beta article also contains some good info. And for even more, check out the nG tag archive.
7G Coming Soon..
Like 5G/6G? Keep an eye out for the 7G Firewall Beta, which is available as of January 2019. Stay tuned for more updates and tutorials!
Thank You
Thanks to everyone who helped test the beta and provide feedback on 6G. Also thank you to everyone who helps to support Perishable Press! :)
37 responses to “6G Firewall”
The following line is the offender:
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|[|%) [NC,OR]
When in mysqladmin and I click on a table I get a 403 forbidden error. It is the only line that is failing. This is the link that I’ve been testing.
<a href="db_structure.php?server=1&db=director&token=9f166d3abcb38b5f18e35c78c18e07f5">director</a>
Yeah the pattern possibly makes sense, but it’s just amazing that your database is accessible via the front-end..
got you, and makes good sense
panel is lower/closer level
so is before site htaccess
but if was working before 6G & not after then?
back to htaccess and what was altered.
# the obvious… sql comments
2 mins time and even if doesn’t fix, narrows the field
Not sure what Lee is saying. It worked before, then 6G was added, and it fails. With the 1 line commented it appears to work. phpMyAdmin is on all my sites. It’s password protected and it’s used for db maint and testing.
Hi
Thanks for this 6G list, awesome job! I previously had 5G list + 2014 micro black-list, can I remove 2014 micro blacklist? I don’t see in the 6G list the IPs blocked in this list. Why are there dozens of IPs to block on micro list and just one line on 6G list?
Thanks
Yes, you can remove the 2014 Micro Blacklist, as explained in the part where it talks about “The 6G Firewall integrates the best features of the following resources..”, the 6G integrates quite a bit of my previous work.
For the IPs, also as explained in the article, they are constantly changing, so maybe good for short-term security solutions, but pretty much pointless in the long term. Based on this logic, the 6G starts fresh with the IP list, so you can add/remove any as needed going forward.
Many thanks for the 6G, Jeff.
Two questions, if I may.
1. Directives in the 6G end with RewriteRule .* - [F] but similar directives in chapter 7.8 (“Blacklisting access”) of your book .htaccess made easy end with RewriteRule .* - [F,L]. What is the reasoning behind the change? Perhaps I’m overlooking the obvious.
2. Ought we use curly (“ | ” | ‘ | ’) or non-curly quotes (" | ') in .htaccess? The 6G seems to use non-curly quotes, but, again, similar directives in your book (at least the PDF version) seem to have curly quotes. Just looking for clarification.
Editor’s note: comment/code formatted for clarity.
Hi Thomas,
Glad to help:
1) In most cases, it’s inconsequential whether or not the L flag is included. Basically it indicates that the same rules should not be run twice, in order to prevent possible infinite loops. So it’s useful especially when redirects are involved, if that helps. You can learn more about it in the Apache Docs.
2) Always use straight quotes. There are no curly quotes used for any directive anywhere in the book. Curly quotes will cause an error if included.
Hello,
I’d like to thank you for your work on the firewall and giving it away to everyone for free. In case anyone else is going to use it for a Simple Machines Forum: There is one line which made forum sections and posts inaccessible, and it is this one in Request Strings:
RedirectMatch 403 (?i)(~|`||:|;|,|%|\|s|{|}|[|]||)
I had to remove the comma from that list, now everything (so far) seems to be working fine.
Thanks for the feedback. Most likely it’s not the whole line, but rather a single pattern that is making the Simple Machines Forum posts inaccessible. If you have time to troubleshoot further to isolate the exact pattern, that would be a huge help. Thanks again.
Indeed, as I said then, I had to remove the comma (more precisely I removed “|,”) from the line, since then I have had no more issues in SMF.
The URLs when calling up forum sections or posts use a comma, I suppose that’s the reason. I haven’t actually tried to get my head around the regex. ;)
Ah sorry, I totally missed the part where you had mentioned the comma as the culprit.. thanks for clarifying and helping to pinpoint the exact pattern. I may end up removing the comma from xG, because technically it does not require encoding when included in URLs.