7G Firewall
The 7G Firewall is here! 7G is now out of beta and ready for production sites. So you can benefit from the powerful protection of the latest nG Firewall (aka nG Blacklist).
The 7G Firewall offers lightweight, server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense.
7G is a lightweight (only 12KB) strong firewall that provides site security and peace of mind. Plus, 7G is open source and 100% free for everyone :)
Contents
- About 7G
- How It Works
- Features
- Requirements
- Download 7G
- License
- Disclaimer
- Deployment
- Testing & Feedback
- Notes & Infos
- Learn More..
- Show Support
- Thank You
About 7G
Two unwritten laws of the Web: 1) Nothing is 100% secure, and 2) All websites are under pretty much 24/7 constant attack. Whether it’s just nuisance traffic like spam, or a serious in-your-face DDoS attack, now is the time to strengthen site security and lock things down. 7G helps with this by protecting your site against many types of bad requests and attacks. It gives your site a super strong layer of protection at the server level. So bad requests are blocked without having to load up PHP, MySQL, and everything else.
I’ve seen many times sites just getting hammered with bad traffic.. then you add nG Firewall and watch the noise drop to zero. You free up all those server resources for the good traffic.
What’s the downside? Same as with any firewall, potential false positives. Fortunately for us, 7G is the seventh generation of a firewall/blacklist that comprises over a decade of research, testing, and development. 7G integrates the best features of all previous nG Firewalls and builds upon them. So the goal for 7G is zero false positives. Hence the purpose of the “beta” version is to fine-tune the firewall rules based on a larger sample size.
Bottom line: 7G is an easy-to-use, cost-effective way to secure your site against malicious HTTP activity. It helps to protect against evil exploits, ill requests, and other nefarious garbage, such as XSS attacks, code injections, cache poisoning, response splitting, dual-header exploits, and more.
How It Works
The 7G Firewall is a powerful, well-optimized set of rewrite rules that checks all URI requests against a set of carefully constructed Apache/.htaccess or Nginx directives. This happens quietly behind the scenes at the server level, which is optimal for performance because it avoids the need to load up PHP and MySQL just to block a bad request. This is one reason why securing at the server level is better than using a plugin or other PHP script.
7G improves performance by freeing up server resources.
And it’s super-easy to add 7G to your site. Just add the code to your site’s root .htaccess file and then sit back and relax while 7G works its magic. That’s the beauty of it: there is no configuration required. Security via simplicity: add the code and done. For more details, check out the Deployment section below.
Once implemented, 7G scans every HTTP request made to your site. It compares key aspects of each request against a carefully formulated set of patterns and regular expressions (regex). So if someone or something triggers a match, they immediately are blocked silently behind the scenes (via 403 Forbidden response). So legitimate visitors can continue to surf your site with total confidence, while the bad guys are getting stomped by 7G.
Features
7G is a strong firewall that is lightweight and super fast. It strives for the optimal balance between security and performance, delivering significantly better protection than previous nG. Each iteration of nG builds upon previous versions, fortifying successful patterns, removing outdated patterns, and of course adding new patterns and rules based on current data. The result is a 7th-generation firewall that is cumulatively developed and extensively tested, based on code with a proven track record.
Here are some top features and goals of the 7G Firewall:
- Security via simplicity
- Extensive firewall protection
- Fine-tuned to minimize false positives
- Lightweight (only 12KB!), modular, flexible and fast
- Completely plug-&-play with no configuration required
- Improves security, reduces server load, and conserves resources
- Git/SVN friendly (does not block svn/git files et al)
- Open source, easy to use, and completely free
- 100% compatible with WordPress
- Better bad bot detection
- Built-in logging! :)
7G protects against many types of attacks and threats, including:
- Directory Traversal
- HTTP Response Splitting
- (XSS) Cross-Site Scripting
- Cache Poisoning
- Dual-Header Exploits
- SQL/PHP/Code Injection
- File Injection/Inclusion
- Null Byte Injection
- WordPress exploits such as revslider, timthumb, fckeditor, et al
- Exploits such as c99shell, phpshell, remoteview, site copier, et al
- PHP information leakage
Additionally, the 7G Firewall protects against a wide range of malicious requests, bad bots, spam, and other nonsense. Further, 7G uses Apache’s mod_rewrite, so it works on all types of HTTP request methods: GET, POST, PUT, DELETE, and all others. That means robust protection for your website.
Requirements
Here are the only requirements for 7G Firewall:
- Apache server
- mod_rewrite enabled
- Access to .htaccess or config
If you are unsure about either of these requirements, ask your web host. If you are new to Apache and/or .htaccess, and want to learn more about it, I wrote an entire book on using .htaccess to secure and optimize your site. Also, here is a tutorial that explains how to create an .htaccess file on your local machine.
Download 7G Firewall
By downloading this file, you agree to the terms set forth in the License and Disclaimer. Also check out the 7G Changelog. To implement 7G, follow the steps in the Deployment section, below.
License
As mentioned previously, the 7G Firewall is entirely open source and free for all to use. The only requirement is that the following credit lines are included wherever 7G is used (note that version and date infos will vary):
# 7G FIREWALL
# @ https://perishablepress.com/7g-firewall/
Other than that, it’s all yours!
Disclaimer
The 7G Firewall is provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.
Deployment
Quick summary: add the 7G code to your site’s root .htaccess file (or Apache config file) and test thoroughly. After proper testing, you’re all set: 7G Firewall protects your site silently with minimal footprint. A completely set-it-and-forget-it firewall solution. Here are the steps to add 7G to your site:
- Agree to the terms, download, and unzip 7G
- Make a backup of your current .htaccess file
- Copy all 7G code and add to your root .htaccess
- Save changes and upload to your server
- Test well (see next section)
Note: for best results, place 7G code before any existing mod_rewrite rules (e.g., WordPress Permalinks).
Testing & Feedback
This version of the nG Firewall is turn-key equipped for logging via PHP. Here is a complete tutorial on how to log blocked requests via PHP. Further troubleshooting tips available on the 6G Firewall homepage.
Also, if you discover any bugs, issues, or errors, report them directly via my contact form. As always, feel free to share feedback and ask any questions in the comment section. Please do not report bugs in the comment area, thanks :)
Notes & Infos
Here are some miscellaneous notes and tips about the 7G Firewall.
- 7G is modular: each section can be removed/added as desired
- It is fine to use multiple nG firewalls, but not recommended
- 7G is designed to work flawlessly with WordPress and any other website
- Please report any strings or user agents that should not be blocked
- Always test well before going live and report any bugs or issues
- Use Contao CMS? Check out the nG Apache Firewall for Contao
- If using any sort of “thumb” plugin or script, remove the two lines that include (thumbs?( . One line is in User Agents and the other in Request URI.
- Nice tutorial on Using 7G Firewall with OpenLiteSpeed
- If using Prestashop, remove filemanager from Request URI rules
- Other notes will be added here..
Enable phpMyAdmin
Depending on your setup, it may be necessary to make the following changes for phpMyAdmin to work. First, remove |request from the following line:
RewriteCond %{QUERY_STRING} (globals|mosconfig([a-z_]{1,22})|request)(=|\[) [NC,OR]
Then also remove (or comment out) this entire line:
RewriteCond %{QUERY_STRING} (_|%5f)(r|%72|%52)(e|%65|%45)(q|%71|%51)(u|%75|%55)(e|%65|%45)(s|%73|%53)(t|%74|%54)(=|\[|%[0-9A-Z]{2,}) [NC,OR]
With those changes in place, phpMyAdmin should work properly on most servers.
Enable s2Member
To enable the s2Member WordPress plugin, make the following changes. First, remove globals| from the following line:
RewriteCond %{QUERY_STRING} (globals|mosconfig([a-z_]{1,22})|request)(=|\[) [NC,OR]
Then also remove (or comment out) this entire line:
RewriteCond %{QUERY_STRING} (g|%67|%47)(l|%6c|%4c)(o|%6f|%4f)(b|%62|%42)(a|%61|%41)(l|%6c|%4c)(s|%73|%53)(=|\[|%[0-9A-Z]{0,2}) [NC,OR]
With those changes in place, s2Member should work properly.
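The two tuning procedures above (phpMyAdmin and s2Member) are easier to reason about when you can see exactly which query strings each RewriteCond catches. The following is an added example, not code from 7G or Perishable Press: it re-implements in Python how mod_rewrite evaluates a chain of [NC,OR] conditions against the raw, still-percent-encoded query string, using the three patterns quoted on this page verbatim, and then applies the phpMyAdmin and s2Member edits so you can confirm what they let through. The rule names and the sample query strings are constructed for the example.

```python
"""Simulate the 7G QUERY_STRING conditions quoted on this page.

Added example, not 7G's own code. mod_rewrite tests %{QUERY_STRING}
without URL-decoding it, which is why the patterns spell out the %xx
forms of each letter; [NC] makes the match case-insensitive, and in a
chain of [OR] conditions a single match is enough to block (403).
"""
import re

# The three RewriteCond patterns quoted on the page, copied verbatim.
GLOBALS_OR_REQUEST = r"(globals|mosconfig([a-z_]{1,22})|request)(=|\[)"
ENCODED_REQUEST = (
    r"(_|%5f)(r|%72|%52)(e|%65|%45)(q|%71|%51)(u|%75|%55)"
    r"(e|%65|%45)(s|%73|%53)(t|%74|%54)(=|\[|%[0-9A-Z]{2,})"
)
ENCODED_GLOBALS = (
    r"(g|%67|%47)(l|%6c|%4c)(o|%6f|%4f)(b|%62|%42)(a|%61|%41)"
    r"(l|%6c|%4c)(s|%73|%53)(=|\[|%[0-9A-Z]{0,2})"
)

# Rule names are constructed labels for this example, not 7G identifiers.
DEFAULT_RULES = [
    ("globals-or-request", GLOBALS_OR_REQUEST),
    ("encoded-_request", ENCODED_REQUEST),
    ("encoded-globals", ENCODED_GLOBALS),
]

# phpMyAdmin tuning from the page: drop "|request" from the first
# pattern and remove the encoded _request line entirely.
PHPMYADMIN_RULES = [
    ("globals-only", r"(globals|mosconfig([a-z_]{1,22}))(=|\[)"),
    ("encoded-globals", ENCODED_GLOBALS),
]

# s2Member tuning from the page: drop "globals|" from the first
# pattern and remove the encoded globals line entirely.
S2MEMBER_RULES = [
    ("request-only", r"(mosconfig([a-z_]{1,22})|request)(=|\[)"),
    ("encoded-_request", ENCODED_REQUEST),
]


def first_match(query_string, rules=DEFAULT_RULES):
    """Return the label of the first condition that matches, or None.

    Mirrors an [NC,OR] chain: conditions are tried in order and the
    first hit decides; the raw query string is never decoded first.
    """
    for name, pattern in rules:
        if re.search(pattern, query_string, re.IGNORECASE):
            return name
    return None


def status_code(query_string, rules=DEFAULT_RULES):
    """HTTP status the chain would produce: 403 on any match, else 200."""
    return 403 if first_match(query_string, rules) else 200


if __name__ == "__main__":
    # Constructed sample query strings (not captured traffic).
    samples = [
        "id=42&page=2",              # ordinary request, passes
        "globals[foo]=1",            # plain form, caught by rule 1
        "GLOBALS%5Bx%5D=1",          # "[" encoded as %5B, caught by rule 3
        "_REQUEST%5Bx%5D=1",         # $_REQUEST probe, caught by rule 2
        "request=select+1",          # what phpMyAdmin needs to send
    ]
    for qs in samples:
        print(f"{qs:28} default={first_match(qs)!s:20}"
              f"phpMyAdmin={first_match(qs, PHPMYADMIN_RULES)!s:16}"
              f"s2Member={first_match(qs, S2MEMBER_RULES)}")
```

The point the sample run makes: the percent-encoded variants of `[` and of the keywords are caught only because the patterns enumerate the encodings, so any edit that narrows one line (removing `|request`) without also removing its encoded twin leaves a gap in one direction and a false positive in the other, which is exactly why the page tells you to change both lines for each application.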
Learn More..
To learn more about the theory and development of the 7G Firewall, check out my articles on building the 3G, 4G, 5G Blacklist, and related topics. The 6G Firewall homepage also contains lots of useful and relevant information. And if all that’s not enough, you can view all nG-related posts in the nG tag archive.
Show support
I spend countless hours developing the 7G Firewall. I share it freely and openly with the hope that it will help make the Web a safer place for everyone.
If you benefit from my work with 7G and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.
Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the 7G Firewall and other awesome resources for the community. Thank you kindly :)
Thank You
Thanks to everyone who shares feedback and helps beta test nG. Also thank you to everyone who supports Perishable Press with links and social shares. Additionally, I would like to thank the following sites for providing the free tools used during development. Please visit and bookmark these awesome resources:
- regex101.com – Online Regex Tester
- Complete Character List for UTF-8
- Megaproxy Proxy Service
- Apache Module mod_rewrite
- Apache Module mod_setenvif
- Htaccess SetEnvIf and SetEnvIfNoCase Examples
- Blocking user agents, requests & query strings
156 responses to “7G Firewall”
Getting the following error… any suggestions?
RewriteCond: cannot compile regular expression '(acapbot|acoonbot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotne
Hmm.. not familiar with it. You might try re-copy/pasting fresh or maybe ask your web host for help. They would be able to tell you why the error is happening (based on the site’s error log).
Hey Jeff
A couple of suggestions for your next update:
1.) Can requests with no UA be added and filtered?
2.) What about the ability to filter http version requests; anything not using http/2 is legacy and almost undoubtedly not human, correct?
Hi Brad,
1) Previous nG included such a rule. Then in 5G it was removed (commented out). Reason is because too many widely used services (e.g., Facebook is a biggie) started making use of the blank empty agent. And so there were just too many false positives. You can find the rule in the 5G firewall.
2) HTTP version is trickier. I’ve used the technique in protecting POST requests, but it’s not ready for prime time in nG. You can add it if you want, find an example in that “protect POST requests” tutorial.
Hi,
I tried to add my website to Petal Search. When I add the sitemap to webmaster tools it returns the error Failed. I removed the one line containing the string “petal” but the error is still there. Is something else blocking Petal Search?
The 7G firewall is really awesome. Thanks guys for the effort to protect my website.
I see that the plugin is integrated in “Hide My WP” plugin from WordPress recently.
Hi Jeff, hats off man, used 7G on different WordPress installs and it’s brilliant :-)
But I want to take this one step further: I’d like to try adding 7G rules in Apache config, then set the CSF to block any IP that triggers some dozens of 403s in 30-60 minutes or similar, hehe.
So I’d like to ask if there is any docs on installing the 7G in .conf files instead of .htaccess?
Hi Alex, thank you for your feedback on 7G :)
For adding via Apache config, there may be such a guide somewhere online. Not something I’ve written though.
Would you say it’s safe compatibility-wise to implement 7G by default in all new WP installations in a hosting environment?
Yes, 7G is implemented and tested across a wide variety of WordPress setups. It’s included in several WordPress security plugins, and also implemented at some web hosts. Very safe and well-tested on latest WordPress versions.
Hi. Thanks for 7G!
I’ve been implementing 7G part by part and testing my site after each addition. I’ve run into a conflict in the QUERY_STRING section with my serving of pdf files.
I use pdf.js viewer.html in a modal window to serve pdf files.
Here’s the github link to pdf.js
Something in the QUERY_STRING section of 7G Firewall is causing a 403 forbidden error when I try to serve a pdf file. I am not a coder, but perhaps the conflict relates to how viewer.html calls the pdf file, using
viewer.html?file=path/to/file.pdf
Is there a part of 7G Firewall that I can remove so my pdf files aren’t blocked? For now, I’ve removed the entire QUERY_STRING section.
Thanks. I definitely appreciate 7G Firewall. Other than this conflict it is working great.
Hi Kathy,
7G does not block viewer.html?file=path/to/file.pdf, as you can verify on the 7G test site. So it may be something happening “under the hood”, like maybe some Ajax or REST API request is getting blocked. To resolve the issue, you would need to determine the actual URL(s) using your browser’s code inspector (or whatever method). Once the URL is identified, it’s trivial to modify 7G to allow access.
All pdf files I’ve tried opening via pdf.js viewer.html are being blocked by something in the QUERY_STRING section of 7G Firewall (I have tested on many pdf files).
Maybe the parameters are at fault? The code calling the viewer also accepts parameters, e.g.,
https://example.com/libraries/pdfjs/web/viewer.html?file=../../../../pdfdirectory/filename.pdf#page=1&zoom=page-width
Exactly, it’s something other than viewer.html?file=path/to/file.pdf. 7G does not block that string (as you can verify at the test site). Maybe there is something in the actual file name file.pdf that’s getting blocked? Like if the PDF file is named something weird like eval(-file.pdf with forbidden strings or whatever, then yeah 7G would deny the request. You just have to dig around to find the various URLs that are involved, including all parameters, etc.
OK. Thanks for pointing me to where I needed to concentrate. I found the issue.
In the QUERY_STRING section there is a RewriteCond of
RewriteCond %{QUERY_STRING} (((/|%2f){3,3})|((\.|%2e){3,3})|((\.|%2e){2,2})(/|%2f|%u2215)) [NC,OR]
The last half of that condition, ((\.|%2e){2,2})(/|%2f|%u2215)), matches every pdf URL that I use.
I’m altering the RewriteCond.
Learned a lot about regex tracking this down! Thanks for pointing me in the direction I needed to look.
Awesome, glad to hear you got it all sorted. Cheers!
I noticed this firewall block some plugins. I use Admin Column and I had a 403 while I was doing an advanced search.
What are the URLs that are getting blocked? For example:
https://example.com/some/path/?vars=etc.
Here is the kind of URL blocked from Admin Columns:
Ah thanks. So that URL contains numerous unsafe characters. Rather than try modifying 7G to allow for such URLs, it would be better to report the issue to the plugin developer, so they can improve the safety of their URL requests.
Hello, Thanks so much for your work in helping to ward off spammers. I’m not a developer, so please don’t mind my question if it seems stupid! I entered the code from the 7G-firewall.txt file into the .htaccess file, and my site seems to be working fine still. However, what am I supposed to do with the 7G-changelog.txt file? Am I also supposed to put that code in the .htaccess file? I tried to do that, but then I got a 500 server error. Thanks for your help!
Hi heather, great questions:
1) “what am I supposed to do with the 7G-changelog.txt file?”
Read and/or delete is fine. It’s just text information about changes made to 7G FYI.
2) “Am I also supposed to put that code in the .htaccess file?”
Noooo.. don’t do that :) Just read and delete the changelog file.
Let me know if I can provide any further information!
Is there a way to allow a certain bot to go through 7g firewall?
Essentially, I’d love if anything that had Discordbot was allowed