7G Firewall

♦ Posted by Jeff Starr in .htaccess, Security

Updated June 26, 2024 • 156 comments

[ 7G Firewall (Beta) ] The 7G Firewall is here! 7G is now out of beta and ready for production sites. So you can benefit from the powerful protection of the latest nG Firewall (aka nG Blacklist).

The 7G Firewall offers lightweight, server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense.

7G is a lightweight (only 12KB) strong firewall that provides site security and peace of mind. Plus, 7G is open source and 100% free for everyone :)

Update! 8G Firewall (beta) now available!

About 7G
How It Works
Features
Requirements
Download 7G
License
Disclaimer
Deployment
Testing & Feedback
Notes & Infos
Learn More..
Show Support
Thank You

About 7G

Two unwritten laws of the Web: 1) Nothing is 100% secure, and 2) All websites are under pretty much 24/7 constant attack. Whether it’s just nuisance traffic like spam, or serious in-your-face DDoS attack, now is the time to strengthen site security and lock things down. 7G helps with this by protecting your site against many types of bad requests and attacks. It gives your site a super strong layer of protection at the server level. So bad requests are blocked without having to load up PHP, MySQL, and everything else.

I’ve seen many times sites just getting hammered with bad traffic.. then you add nG Firewall and watch the noise drop to zero. You free up all those server resources for the good traffic.

What’s the downside? Same as with any firewall, potential false positives. Fortunately for us, 7G is the seventh generation of a firewall/blacklist that comprises over a decade of research, testing, and development. 7G integrates the best features of all previous nG Firewalls and builds upon them. So the goal for 7G is zero false positives. Hence the purpose of the “beta” version is to fine-tune the firewall rules based on larger sample size.

Bottom line: 7G is an easy-to-use, cost-effective way to secure your site against malicious HTTP activity. It helps to protect against evil exploits, ill requests, and other nefarious garbage, such as XSS attacks, code injections, cache poisoning, response splitting, dual-header exploits, and more.

Tip: 7G works on any Apache-powered website. WordPress not required!

Tip: 7G complements ModSecurity giving your site extra protection.

How It Works

The 7G Firewall is a powerful, well-optimized set of rewrite rules that checks all URI requests against a set of carefully constructed Apache/.htaccess or Nginx directives. This happens quietly behind the scenes at the server level, which is optimal for performance because it avoids the need to load up PHP and MySQL just to block a bad request. This is one reason why securing at the server level is better than using a plugin or other PHP script.

7G improves performance by freeing up server resources.

And it’s super-easy to add 7G to your site. Just add the code to your site’s root .htaccess file and then sit back and relax while 7G works its magic. That’s the beauty of it: there is no configuration required. Security via simplicity: add the code and done. For more details, check out the Deployment section below.

Check out a live demo of 7G Firewall »

Once implemented, 7G scans every HTTP request made to your site. It compares key aspects of each request against a carefully formulated set of patterns and regular expressions (regex). So if someone or something triggers a match, they immediately are blocked silently behind the scenes (via 403 Forbidden response). So legitimate visitors can continue to surf your site with total confidence, while the bad guys are getting stomped by 7G.

Features

7G is a strong firewall that is lightweight and super fast. It strives for the optimal balance between security and performance, delivering significantly better protection than previous nG. Each iteration of nG builds upon previous versions, fortifying successful patterns, removing outdated patterns, and of course adding new patterns and rules based on current data. The result is a 7th-generation firewall that is cumulatively developed and extensively tested, based on code with a proven track record.

Here are some top features and goals of the 7G Firewall:

Security via simplicity
Extensive firewall protection
Fine-tuned to minimize false positives
Lightweight (only 12KB!), modular, flexible and fast
Completely plug-&-play with no configuration required
Improves security, reduces server load, and conserves resources
Git/SVN friendly (does not block svn/git files et al)
Open source, easy to use, and completely free
100% compatible with WordPress
Better bad bot detection
Built-in logging! :)

7G protects against many types of attacks and threats, including:

Directory Traversal
HTTP Response Splitting
(XSS) Cross-Site Scripting
Cache Poisoning
Dual-Header Exploits
SQL/PHP/Code Injection
File Injection/Inclusion
Null Byte Injection
WordPress exploits such as revslider, timthumb, fckeditor, et al
Exploits such as c99shell, phpshell, remoteview, site copier, et al
PHP information leakage

Additionally, the 7G Firewall protects against a wide range of malicious requests, bad bots, spam, and other nonsense. Further, 7G uses Apache’s mod_rewrite, so it works on all types of HTTP request methods: GET, POST, PUT, DELETE, and all others. That means robust protection for your website.

Requirements

Here are the only requirements for 7G Firewall:

Apache server
mod_rewrite enabled
Access to .htaccess or config

Not using Apache? Check out 7G for Nginx and 7G for Caddy Server.

If you are unsure about either of these requirements, ask your web host. If you are new to Apache and/or .htaccess, and want to learn more about it, I wrote an entire book on using .htaccess to secure and optimize your site. Also, here is a tutorial that explains how to create an .htaccess file on your local machine.

If your site does not meet the requirements, check out my WordPress plugins, BBQ: Block Bad Queries (free) and BBQ Pro (premium version). These plugins are blazing fast and integrate nG technology, providing strong firewall protection for your WordPress-powered site.

Download 7G Firewall

By downloading this file, you agree to the terms set forth in the License and Disclaimer. Also check out the 7G Changelog. To implement 7G, follow the steps in the Deployment section, below.

Download 7G FirewallVersion 1.6 ( 5.99 KB ZIP )

Note: To retain the Unix LF EOL characters (line breaks) in the 7G text file, it is recommended to use a program that supports them, such as Notepad++ (free for Windows) or TextEdit or BBEdit (free for Mac). The line breaks keep the code structured and readable, instead of a big jumbled mess.

License

As mentioned previously, the 7G Firewall is entirely open source and free for all to use. The only requirement is that the following credit lines are included wherever 7G is used (note that version and date infos will vary):

# 7G FIREWALL
# @ https://perishablepress.com/7g-firewall/

Other than that, it’s all yours!

Disclaimer

The 7G Firewall is provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Deployment

Quick summary: add the 7G code to your site’s root .htaccess file (or Apache config file) and test thoroughly. After proper testing, you’re all set: 7G Firewall protects your site silently with minimal footprint. A completely set-it-and-forget-it firewall solution. Here are the steps to add 7G to your site:

Agree to the terms, download, and unzip 7G
Make a backup of your current .htaccess file
Copy all 7G code and add to your root .htaccess
Save changes and upload to your server
Test well (see next section)

Note: for best results, place 7G code before any existing mod_rewrite rules (e.g., WordPress Permalinks).

Testing & Feedback

This version of the nG Firewall is turn-key equipped for logging via PHP. Here is a complete tutorial on how to log blocked requests via PHP. Further troubleshooting tips available on the 6G Firewall homepage.

Also, if you discover any bugs, issues, or errors, report them directly via my contact form. As always, feel free to share feedback and ask any questions in the comment section. Please do not report bugs in the comment area, thanks :)

Notes & Infos

Here are some miscellaneous notes and tips about the 7G Firewall.

7G is modular: each section can be removed/added as desired
It is fine to use multiple nG firewalls, but not recommended
7G is designed to work flawlessly with WordPress and any other website
Please report any strings or user agents that should not be blocked
Always test well before going live and report any bugs or issues
Use Contao CMS? Check out the nG Apache Firewall for Contao
If using any sort of “thumb” plugin or script, remove the two lines that include (thumbs?(. One line is in User Agents and the other in Request URI.
Nice tutorial on Using 7G Firewall with OpenLiteSpeed
If using Prestashop, remove filemanager from Request URI rules
Other notes will be added here..

Enable phpMyAdmin

Depending on your setup, it may be necessary to make the following changes for phpMyAdmin to work. First, remove |request from the following line:

RewriteCond %{QUERY_STRING} (globals|mosconfig([a-z_]{1,22})|request)(=|\[) [NC,OR]

Then also remove (or comment out) this entire line:

RewriteCond %{QUERY_STRING} (_|%5f)(r|%72|%52)(e|%65|%45)(q|%71|%51)(u|%75|%55)(e|%65|%45)(s|%73|%53)(t|%74|%54)(=|\[|%[0-9A-Z]{2,}) [NC,OR]

With those changes in place, phpMyAdmin should work properly on most servers.

Enable s2Member

To enable the s2Member WordPress plugin, make the following changes. First, remove globals| from the following line:

RewriteCond %{QUERY_STRING} (globals|mosconfig([a-z_]{1,22})|request)(=|\[) [NC,OR]

Then also remove (or comment out) this entire line:

RewriteCond %{QUERY_STRING} (g|%67|%47)(l|%6c|%4c)(o|%6f|%4f)(b|%62|%42)(a|%61|%41)(l|%6c|%4c)(s|%73|%53)(=|[|%[0-9A-Z]{0,2}) [NC,OR]

With those changes in place, s2Member should work properly.

7G Addon: Want more 7G WAF protection, check out the free 7G Addon.

Learn More..

To learn more about the theory and development of the 7G Firewall, check out my articles on building the 3G, 4G, 5G Blacklist, and related topics. The 6G Firewall homepage also contains lots of useful and relevant information. And if all that’s not enough, you can view all nG-related posts in the nG tag archive.

Show support

I spend countless hours developing the 7G Firewall. I share it freely and openly with the hope that it will help make the Web a safer place for everyone.

If you benefit from my work with 7G and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.

Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the 7G Firewall and other awesome resources for the community. Thank you kindly :)

Support 7G Firewall: Donate via PayPal or your favorite cryptocurrency »

Thank You

Thanks to everyone who shares feedback and helps beta test nG. Also thank you to everyone who supports Perishable Press with links and social shares. Additionally, I would like to thank the following sites for providing the free tools used during development. Please visit and bookmark these awesome resources:

About the Author

Jeff Starr = Web Developer. Book Author. Secretly Important.

156 responses to “7G Firewall”

basti 2022/11/16 3:13 am • Reply

should I use both 6g and 7g together or just the latest one?
- Jeff Starr 2022/11/16 10:46 am • Post Author • Reply
  
  7G is meant as a replacement for 6G. But they work together fine. Totally your call.
Shortik 2022/12/19 3:55 am • Reply

Hi,
why is there this RewriteCond?

RewriteCond %{QUERY_STRING} (localhost|loopback|127(\.|%2e)0(\.|%2e)0(\.|%2e)1)

With this cond in my .htaccess I cannot connect to DB via adminer. What’s the risk when I comment this line out?

Thanks
Shortik
- Jeff Starr 2022/12/19 9:51 pm • Post Author • Reply
  
  It blocks URI requests that match the defined patterns. If commented out or removed, the line no longer will block matching requests.
Another Andrew 2023/01/14 9:20 pm • Reply
Hi Jeff

In this line:
```
RewriteCond %{REMOTE_HOST} (163data|amazonaws|colocrossing|crimea|g00g1e|justhost|kanagawa|loopia|masterhost|onlinehome|poneytel|sprintdatacenter|reverse.softlayer|safenet|ttnet|woodpecker|wowrack) [NC]
```
I assume this rejects any visitors from those data centers? I’m getting a load of visits from IPs that originate from Microsoft Data Center in Des Moines, Iowa (have also posted on webhostingtalk . com/showthread.php?t=1888765 about this data center) and would love to block them. mxtoolbox . com reverse lookup reports ‘Your DNS hosting provider is “Azure”‘ so is it simply add ‘azure’ to the line above?
- Jeff Starr 2023/01/15 11:11 am • Post Author • Reply
  
  Technically that is correct, however doing so would block any/all traffic coming from Azure. As it’s a public cloud host, that means you would be blocking any legit traffic from that source as well.
  - Another Andrew 2023/01/18 6:04 am
    
    Thanks Jeff, actually I can’t think of any legit traffic from Azure apart from bingbots and at this point I’m willing to forego those. Only issue is that I’m not sure whether azure-dns or azure will work. Guess I can try them and find out!
NoelL 2023/01/30 9:39 pm • Reply

Hi! I’ve been using 7G since it was released, thank you so much for putting this together!

Today, I came across this github repo:
https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/_generator_lists

It seems to have a lot of additional useragents, domain ranges etc…if you’re planning to release an update of 7G, could you consider including the data from that repo as well? Thanks!
- Jeff Starr 2023/01/30 9:54 pm • Post Author • Reply
  
  I’ll take a look, thank you.
Smith 2023/02/06 4:17 pm • Reply
Hi!

I watched the work of the 7G Firewall, and made several finds. In essence, these comments are not critical, but they may be useful for FAQ documentation and clarification of the rules in the future.
- For a strange reason, the END flag did not work on one of the hosting sites – I had to replace it with L. It turned out that it worked without a log, but if I wanted to get a log, it went into Apache error.
- The plugin Really Simple SSL outputs two triggers. I’ll copy a piece of the log – I think everything will be clear: ?rsssl_scan_request=1 [request] [=]
- The native function WordPress Health Check blocked, since when called loopback
Otherwise, a wonderful product and I am completely satisfied! And can say Perfect!
Anonymous User 2023/02/06 6:01 pm • Reply

According to the Apache2 documentation, the only way to prevent trace from being usable as an HTTP “verb” on your site, is to disable it from an Apache2 configuration by turning it “off” (EX: TraceEnable Off). This setting is not affected by htaccess-level directives.
- Jeff Starr 2023/02/06 6:02 pm • Post Author • Reply
  Thanks for the infos. Do you happen to have a link to the specific Apache documentation? (I couldn’t find it.) I would be glad to add a note to the 7G post if I can verify the source of the information.
  
  For anyone reading, the comment refers to this line in 7G Firewall:
  
  RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track) [NC]
  
  From my understanding, this is sufficient to disable the trace method. Depending on your setup/config, it also may be necessary to disable trace via Apache’s httpd.conf file, which can be done with this:
  
  RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]
  
  Any further information on this would be appreciated.
Danilo 2023/02/06 6:04 pm • Reply
In my .htaccess I defined:
```
ErrorDocument 403 /errori/forbidden.html
```
The requests that come from the user-agent “python-requests”, are prohibited by rule #3 of 7G (User Agent rules). But I get 500, instead of 403 (AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error). This is because it attempts to redirect to /errors/forbidden.html, but is denied.

My workaround:
```
RewriteCond %{REQUEST_URI} !^/errori/forbidden.html$
RewriteCond %{HTTP_USER_AGENT} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|%0a|%0d|%27|%3c|%3e|%00|0x00) [NC,OR]
```
To reproduce the problem, you can add “firefox” to the list of blocked user agents, then try with browser.
Skynet 2023/02/14 9:28 am • Reply

I have BBQ plugin, if I use 7G Firewall can I remove BBQ or not ?
- Jeff Starr 2023/02/14 10:16 am • Post Author • Reply
  
  The rule sets are not the same, so when both you have extra protection. You also may remove one or the other, whichever you prefer as needed for your site.
Sam 2023/04/26 12:51 am • Reply

Great work as always Jeff. Installed 7g and it’s working beautifully. One question, ahrefs can no longer crawl my site or detect the robots.txt? Is this a known or issue or is local to me?
- Jeff Starr 2023/04/26 1:13 am • Post Author • Reply
  
  Thank you Sam. ahrefs is blocked but you can remove ahrefs| to allow it.
AndrewPandrew 2023/06/02 4:37 pm • Reply
Hi Jeff

Getting a load of traffic from ap-southeast-1.compute.amazonaws.com, eg ip 54.255.110.242 ( https://www.abuseipdb.com/check/54.255.110.242 )

Thought this line would drop them, but it doesn’t appear to be the case:
```
RewriteCond %{REMOTE_HOST} (163data|amazonaws|colocrossing|crimea|g00g1e|justhost|kanagawa|loopia|masterhost|onlinehome|poneytel|sprintdatacenter|reverse.softlayer|safenet|ttnet|woodpecker|wowrack) [NC]
```
- Jeff Starr 2023/06/02 8:57 pm • Post Author • Reply
  
  Is ap-southeast-1.compute.amazonaws.com reported as the host name for the unwanted requests?
  - AndrewPandrew 2023/06/04 5:27 pm
    
    It’s different ip’s eg:
    
    ec2-54-255-110-242.ap-southeast-1.compute.amazonaws.com
    
    ec2-13-213-114-96.ap-southeast-1.compute.amazonaws.com
    
    ec2-18-136-2-192.ap-southeast-1.compute.amazonaws.com
  - Jeff Starr 2023/06/04 11:15 pm • Post Author
    
    Okay thanks, those do not *look* like IP addresses, although the prefixed numbers may correspond to IP addresses. What I was asking, is whether those lines are reported as the host name specifically? Not the referrer or part of the request, or user agent, etc.
AndrewPandrew 2023/06/08 6:35 pm • Reply

Maybe I’m misinterpreting how hostname works.

Eg: If I single out one ip originating from Singapore:

18.139.56.41 and then use whatismyipaddress.com/ip/ the result for that ip shows a host name of ec2-18-139-56-41.ap-southeast-1.compute.amazonaws.com

I’m guessing RewriteCond %{REMOTE_HOST} isn’t for http traffic but for other hosts attempting to login etc. to the server?
AndrewPandrew 2023/06/08 7:27 pm • Reply

Found user agent (compatible; Bytespider

Added Bytespider to

RewriteCond %{HTTP_USER_AGENT}

line; issue seems resolved!