The Perishable Press 4G Blacklist

♦ Posted by Jeff Starr in .htaccess, Security

Updated May 5, 2019 • 233 comments

[ 4G Stormtrooper ] At last! After many months of collecting data, crafting directives, and testing results, I am thrilled to announce the release of the 4G Blacklist! The 4G Blacklist is a next-generation protective firewall that secures your site against a wide range of automated attacks and other malicious activity.

Update: Check out the new and improved 6G Blacklist/Firewall »

Like its 3G predecessor, the 4G Blacklist is designed for use on Apache servers and is easily implemented via HTAccess or the httpd.conf configuration file. In order to function properly, the 4G Blacklist requires two specific Apache modules, mod_rewrite and mod_alias. As with the third generation of the blacklist, the 4G Blacklist consists of multiple parts:

HTAccess Essentials
Request-Method Filtering
IP Address Blacklist
Query-String Blacklist
URL Blacklist

Each of these methods is designed to protect different aspects of your site. They may be used independently, mixed and matched, or combined to create the complete 4G Blacklist. This modularity provides flexibility for different implementations while facilitating the testing and updating process. The core of the 4G Blacklist consists of the last two methods, the Query-String and URL Blacklists. These two sections provide an enormous amount of protection against many potentially devastating attacks. Everything else is just icing on the cake. Speaking of which, there are also two more completely optional sections of the 4G Blacklist, namely:

These two sections have been removed from the 4G Blacklist and relegated to “optional” status because they are no longer necessary. Put simply, the 4G Blacklist provides better protection with fewer lines of code. Even so, each of these blacklists have been updated with hundreds of new directives and will be made available here at Perishable Press in the near future. But for now, let’s return to the business at hand..

Presenting the Perishable Press 4G Blacklist

As is custom here at Perishable Press, I present the complete code first, and then walk through the usage instructions and code explanations. So, without furhter ado, here is the much-anticipated 4G Blacklist [for personal use only – may not be posted elsewhere without proper link attribution]:

### PERISHABLE PRESS 4G BLACKLIST ###

# ESSENTIALS
RewriteEngine on
ServerSignature Off
Options All -Indexes
Options +FollowSymLinks

# FILTER REQUEST METHODS
<IfModule mod_rewrite.c>
 RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>

# BLACKLIST CANDIDATES
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 75.126.85.215   "# blacklist candidate 2008-01-02 = admin-ajax.php attack "
 Deny from 128.111.48.138  "# blacklist candidate 2008-02-10 = cryptic character strings "
 Deny from 87.248.163.54   "# blacklist candidate 2008-03-09 = block administrative attacks "
 Deny from 84.122.143.99   "# blacklist candidate 2008-04-27 = block clam store loser "
 Deny from 210.210.119.145 "# blacklist candidate 2008-05-31 = block _vpi.xml attacks "
 Deny from 66.74.199.125   "# blacklist candidate 2008-10-19 = block mindless spider running "
 Deny from 203.55.231.100  "# 1048 attacks in 60 minutes"
 Deny from 24.19.202.10    "# 1629 attacks in 90 minutes"
</Limit>

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
 RewriteCond %{QUERY_STRING} \.\.\/    [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
 RewriteCond %{QUERY_STRING} tag\=     [NC,OR]
 RewriteCond %{QUERY_STRING} ftp\:     [NC,OR]
 RewriteCond %{QUERY_STRING} http\:    [NC,OR]
 RewriteCond %{QUERY_STRING} https\:   [NC,OR]
 RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>

# CHARACTER STRINGS
<IfModule mod_alias.c>
 # BASIC CHARACTERS
 RedirectMatch 403 \,
 RedirectMatch 403 \:
 RedirectMatch 403 \;
 RedirectMatch 403 \=
 RedirectMatch 403 \@
 RedirectMatch 403 \[
 RedirectMatch 403 \]
 RedirectMatch 403 \^
 RedirectMatch 403 \`
 RedirectMatch 403 \{
 RedirectMatch 403 \}
 RedirectMatch 403 \~
 RedirectMatch 403 \"
 RedirectMatch 403 \$
 RedirectMatch 403 \<
 RedirectMatch 403 \>
 RedirectMatch 403 \|
 RedirectMatch 403 \.\.
 RedirectMatch 403 \/\/
 RedirectMatch 403 \%0
 RedirectMatch 403 \%A
 RedirectMatch 403 \%B
 RedirectMatch 403 \%C
 RedirectMatch 403 \%D
 RedirectMatch 403 \%E
 RedirectMatch 403 \%F
 RedirectMatch 403 \%22
 RedirectMatch 403 \%27
 RedirectMatch 403 \%28
 RedirectMatch 403 \%29
 RedirectMatch 403 \%3C
 RedirectMatch 403 \%3E
 RedirectMatch 403 \%3F
 RedirectMatch 403 \%5B
 RedirectMatch 403 \%5C
 RedirectMatch 403 \%5D
 RedirectMatch 403 \%7B
 RedirectMatch 403 \%7C
 RedirectMatch 403 \%7D
 # COMMON PATTERNS
 Redirectmatch 403 \_vpi
 RedirectMatch 403 \.inc
 Redirectmatch 403 xAou6
 Redirectmatch 403 db\_name
 Redirectmatch 403 select\(
 Redirectmatch 403 convert\(
 Redirectmatch 403 \/query\/
 RedirectMatch 403 ImpEvData
 Redirectmatch 403 \.XMLHTTP
 Redirectmatch 403 proxydeny
 RedirectMatch 403 function\.
 Redirectmatch 403 remoteFile
 Redirectmatch 403 servername
 Redirectmatch 403 \&rptmode\=
 Redirectmatch 403 sys\_cpanel
 RedirectMatch 403 db\_connect
 RedirectMatch 403 doeditconfig
 RedirectMatch 403 check\_proxy
 Redirectmatch 403 system\_user
 Redirectmatch 403 \/\(null\)\/
 Redirectmatch 403 clientrequest
 Redirectmatch 403 option\_value
 RedirectMatch 403 ref\.outcontrol
 # SPECIFIC EXPLOITS
 RedirectMatch 403 errors\.
 RedirectMatch 403 config\.
 RedirectMatch 403 include\.
 RedirectMatch 403 display\.
 RedirectMatch 403 register\.
 Redirectmatch 403 password\.
 RedirectMatch 403 maincore\.
 RedirectMatch 403 authorize\.
 Redirectmatch 403 macromates\.
 RedirectMatch 403 head\_auth\.
 RedirectMatch 403 submit\_links\.
 RedirectMatch 403 change\_action\.
 Redirectmatch 403 com\_facileforms\/
 RedirectMatch 403 admin\_db\_utilities\.
 RedirectMatch 403 admin\.webring\.docs\.
 Redirectmatch 403 Table\/Latest\/index\.
</IfModule>

That’s the juice right there. This 4G Blacklist is some powerful stuff, blocking and filtering a wide range of potential attacks and eliminating tons of malicious nonsense. Much care has been taken to beta test this firewall on multiple configurations running various types of software, however, due to my limited financial resources, it is impossible to test the 4G as comprehensively as I would have preferred. Even so, for the average site running typical software, everything should continue to work perfectly. With that in mind, please read through the remainder of the article before implementing the 4G Blacklist.

Installation and Usage

Before implementing the 4G Blacklist, ensure that you are equipped with the following system requirements:

Linux server running Apache
Enabled Apache module: mod_alias
Enabled Apache module: mod_rewrite
Ability to edit your site”s root htaccess file (or)
Ability to modify Apache’s server configuration file

With these requirements met, copy and paste the entire 4G Blacklist into either the root HTAccess file or the server configuration file ( httpd.conf ). After uploading, visit your site and check proper loading of as many different types of pages as possible. For example, if you are running a blogging platform (such as WordPress), test different page views (single, archive, category, home, etc.), log into and surf the admin pages (plugins, themes, options, posts, etc.), and also check peripheral elements such as individual images, available downloads, and alternate protocols (FTP, HTTPS, etc.).

While the 4G Blacklist is designed to target only the bad guys, the regular expressions used in the list may interfere with legitimate URL or file access. If the directives in the blacklist are blocking a specific URL, the browsing device will display a 403 Forbidden error; similarily, if the blacklist happens to block a file or resource required for some script to function properly, the script (JavaScript, PHP, etc.) may simply stop working. If you experience either of these scenarios after installing the blacklist, don’t panic! Simply check the blocked URL or file, locate the matching blacklist string, and disable the directive by placing a pound sign ( # ) at the beginning of the associated line. Once the correct line is commented out, the blocked URL should load normally. Also, if you do happen to experience any conflicts involving the 4G Blacklist, please leave a comment or contact me directly.

Set for Stun

As my readers know, I am serious about site security. Nothing gets my juices flowing like the thought of chopping up mindless cracker whores into small, square chunks and feeding their still-twitching flesh to a pack of starving mongrels. That’s good times, but unfortunately there are probably laws against stuff like that. So in the meantime, we take steps to secure our sites using the most effective tools at our disposal. There is no one single magic bullet that will keep the unscrupulous bastards from exploiting and damaging your site, but there are many cumulative steps that may be taken to form a solid security strategy. Within this cumulative context, the 4G Blacklist recognizes and immunizes against a broad array of common attack elements, thereby maximizing resources while providing solid defense against malicious attacks.

Many Thanks

A huge “Thank You” to the dedicated people who helped beta test the 4G Blacklist. Your excellent feedback played an instrumental role in the development of this version. Thank you!

Next Up

Next up in the March 2009 Blacklist Series: The Ultimate User-Agent Blacklist. Don’t miss it!

Updates

Since the release of the 4G Blacklist, several users have discovered issues with the following 4G directives.

Joomla

In the query-string section, Joomla users should delete the following patterns:

request
config
[
]

In the character-string section, Joomla users should comment-out or delete the following lines:

RedirectMatch 403 \,
RedirectMatch 403 \;
RedirectMatch 403 config\.
RedirectMatch 403 register\.

WordPress

In the query-string section of the 4G Blacklist, the following changes have been made:

"%3D" character-string has been changed to "%5C"

Likewise, in the character-string section, the following change has been made:

"wp\_" character-string has been removed

And in the request-method filtering section, the following change has been made:

"HEAD" method has been removed

Also, the following changes may be necessary according to which plugins you have installed:

Ozh' Admin Drop Down Menu - remove "drop" from the query-string rules
WordPress' Akismet - remove "config" from the query-string rules

OpenID

OpenID users should read the information in this comment.

SMF

SMF users should read the information in this comment.

vBulletin

vBulletin users should read the information in these comments.

About the Author

Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

233 responses to “The Perishable Press 4G Blacklist”

Deb Phillips 2009/04/08 12:18 pm

Hey, Jeff —

I don’t want to put you on the spot, but I’m a real novice at the bot wars and how to deal with them. So when the mention was made in previous comments about using plugins to combat bad bots, it made me wonder why you chose to take the time to come up with code to add to the .htaccess file versus using a plugin or two.

Are there advantages to taking your route versus plugins? Perhaps WordPress performance advantages? Or something else?

I’m just curious! :) Thanks.

Deb
Deb Phillips 2009/04/08 12:28 pm

Then I’ll stay on this path, Garrett W.! Thanks for answering.
Tony 2009/04/08 12:31 pm

What Garrett said, plus the wonderful thing about this blacklist is that you can use it even if you don’t use WordPress.

I feel great when I know that some malicious bots don’t consume any of my bandwidth and don’t slow my websites. Stop them at the door! ;-)
Jeff Starr 2009/04/08 5:21 pm • Post Author

@Deb Phillips: Sure, it’s a good question that I am sure other people have wondered about. The main reason I work with Apache/HTAccess for blacklisting involves performance, as you suggest. In my experience using a plugin really slows things down, especially anti-spam and blacklisting plugins that must interact with both PHP and a database. Throw WordPress functionality into the equation and performance may be affected drastically. I say “may be affected” because different servers and configurations will also play a role in determining overall performance, as will the WordPress setup in question.

Also, as Garrett W. points out, stopping malicious behavior before it reaches the inside of your site eliminates potential vulnerabilities and thus provides a greater degree of security.

Tony also makes a good point. Even though the 4G Blacklist is geared heavily toward WordPress, there are many Joomla/Mambo users who also enjoy its benefits. I would suspect many other sites do as well. ;)
Yieu 2009/04/13 5:42 am

I just wanted to say that I implemented the 4G Blacklist on my website, and it is a regular website — not a blogging website such as WordPress. It is very handy, as I know of no other blacklist such as this, and it appears to be very comprehensive. I do hope the fact that it is geared towards WordPress does not leave out some security for regular websites, though. Perhaps a version geared towards regular websites might benefit other webmasters?

I also make use of the proxy blocking blacklist found here which helps keep spammers away, and the universal URL canonization directive. Thank you for making all of these available, it has definitely helped greatly.
Jeff Starr 2009/04/14 9:14 am • Post Author

@Yieu: My pleasure, and thanks for the feedback. Other people have also requested a version of the Blacklist that is geared for “regular” websites, and I am certainly considering putting something together. Keep in mind, however, that WordPress is the most popular blogging/website software in the world, and as such it is highly targeted for malicious behavior. Thus, even if your site is not running WordPress, there are scores of WP-related scans and bad requests hitting your server and wasting bandwidth nonetheless. In my experience, there are far fewer attacks directed specifically at general sites, such that a regular-site (i.e., non-WP) blacklist would leave your site wide open to the relentless barrage of platform-specific attacks.
Yieu 2009/04/18 3:13 am

When I said a version geared towards regular websites, I did not mean to only include directives relevant to regular websites and to leave out the WordPress directives. I noticed that you were removing directives because they were in conflcit with WordPress, so one geared towards regular websites would re-include those directives for a tighter level of security — so it would leave in the WordPress directives, add in the ones that were removed for WordPress compatibility, and add directives geared specifically for regular websites on top of that.

I am not sure if this is asking for a too much (the current 4G Blacklist is very nice as it is), but it would also be a more universal security solution for websites and I am sure that would be useful. Such a list may require some explanation for some of the directives that are more liable to cause issues, though (or to simply continue leaving some out if they are too restrictive).
Greg 2009/04/19 3:10 pm

Hi,

today I found that the %3D block some of my google ads, so:

RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3D|%3E|%7B|%7C).* [NC,OR]

become (for me):

RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%7B|%7C).* [NC,OR]
Jeff Starr 2009/04/19 3:39 pm • Post Author

@Yieu: Yes, I see.. Keep in mind that only a handful of the original directives were removed on account of WordPress, Joomla, and various plugins. Re-inclusion of these directives should be straightforward, however implementing additional rules for “regular” websites will take some time.

Actually — and you probably figured this — during the development of the 4G, many powerful rules were tested and ultimately dropped strictly for the sake of WordPress. These incompatible directives could be re-included in a non-WordPress blacklist, such as you have described.

It is a good idea and I will try to release something along those lines with the next version (5G) of the blacklist. Thanks for pushing the idea ;)
Jeff Starr 2009/04/19 3:40 pm • Post Author

@Greg: Thank you Sir! — That information may come in handy for people running the same configuration :)
Yieu 2009/04/23 9:26 am

I have just installed vBulletin version 3.8.2 on my website which runs the 4G Blacklist, and I had to comment out the following directives:

# RedirectMatch 403 display.
# RedirectMatch 403 register.

The 403 display directive was blocking the individual forums from displaying, because their link includes “forumdisplay.php”, and the 403 register directive was preventing the registering of new accounts because the link to register includes “register.php”.
Dave Stuttard 2009/04/25 10:14 am

Hi, this innovative package looks great. Just implemented the 4G Blacklist in .htaccess on 3 sites (all standard, ie not WP or Joomla!), two being static, one being dynamic with a CMS. All features work fine, except:

1) I had to comment out http in the Query String Exploits before my Flash elements displayed – thought I’d mention that because nobody else has noted it.
2) I had to comment out RedirectMatch 403 config in the SPECIFIC EXPLOITS before the wysywyg Editor box was displayed for User data entry on the dynamic site – the code with ‘config’ in it is (the id):

Now I will study the stats to make sure Google, Yahoo! and MSN get 200s. I’ll let you know….. Many thanks