anyone using 6g htaccess firewall?

[bernhard]

@jacmaes mentioned he's using https://perishablepress.com/6g/ and i wonder if he is the only one?

@jacmaes, as i read in your link there are some wordpress plugins for that. would you think it would be hard (or useful) to create a pw module for that? are you using it in conjunction with other firewalls or standalone?

 

[netcarver]

The module would require write access to the .htaccess file - if I'm understanding its operation correctly.

[bernhard]

sure, that's correct. but it would be interesting if there are some other things to keep an eye on when using it with processwire. unfortunately i'm so busy atm that i can't try it myself so i wanted to ask if anyone has some experience with it to save me time when i try it out

the module could indicate if htaccess is writeable and show instructions how to chmod and alert to chmod back after making the changes.

[Mike Rockett]

Fascinating how that file works. Given the scale of attackers these days, I'd have expected that file to be somewhat bigger.

Also curious to see archive.org in the bad_bot list...

[jacmaes]

@bernhard

I've used various versions of the firewall over the years (it's usually updated once a year), and while I ran into the occasional conflict a few years back, it's been solid ever since. I'm currently using it on a couple of Apache servers (Ubuntu 14.04 with the most recent version of Apache) on about 6 different PW-powered sites (both http:// and https://), and so far so good. I haven't run any specific test to measure its efficiency, but I see fewer traffic peaks from questionable sources and fewer errors in my logs. And it gives me an additional peace of mind to have this added layer of protection against bad actors. 

I've added this additional block as my logs showed persistent automated (and dumb) attempts to access Wordpress login or directories.     

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)(wp-admin|wp-content|wp-login)

I don't think this really needs a module as it's a quick copy and paste operation, although it's true that releasing a module would raise awareness and more people would discover it. 

@Mike Rockett

I'm certainly not a Regex expert, but if you look at the "Learn more" section, there are various articles over the years that show how some highly optimized regex rules can go a long way.  

 

[Macrura]

@jacmaes

any advice on placement of the rules, i tried before/after the PW directives but couldn't get the eval test to return 403 (pw returned 404)

[jacmaes]

@Macrura Here's what's above the PW directives in my .htaccess. Notice that I'm pointing explicitly to a 403 html file, right below the 6G directives:

ErrorDocument 403 /403.html

Start of .htaccess:

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
	RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
	RedirectMatch 403 (?i)(wp-admin|wp-content|wp-login)
	RedirectMatch 403 (?i)([a-z0-9]{2000})
	RedirectMatch 403 (?i)(https?|ftp|php):/
	RedirectMatch 403 (?i)(base64_encode)(.*)(\()
	RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
	RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
	RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
	RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
	RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
	RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
	RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
	RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
	SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
	SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

	# Apache < 2.3
	<IfModule !mod_authz_core.c>
		Order Allow,Deny
		Allow from all
		Deny from env=bad_bot
	</IfModule>

	# Apache >= 2.3
	<IfModule mod_authz_core.c>
		<RequireAll>
			Require all Granted
			Require not env bad_bot
		</RequireAll>
	</IfModule>
</IfModule>

ErrorDocument 403 /403.html

<FilesMatch "\.(js|css|html|htm|php|svg)$">
SetOutputFilter DEFLATE
</FilesMatch>

<ifModule mod_headers.c>
    Header set Connection keep-alive
</ifModule>

# ----------------------------------------------------------------------
# Expires headers (for better cache control)
# ----------------------------------------------------------------------

<IfModule mod_expires.c>
  ExpiresActive on

# Your document html
  ExpiresByType text/html                 "access plus 0 seconds"

# Data
  ExpiresByType text/xml                  "access plus 0 seconds"
  ExpiresByType application/xml           "access plus 0 seconds"
  ExpiresByType application/json          "access plus 0 seconds"

# Favicon (cannot be renamed)
  ExpiresByType image/x-icon              "access plus 5 days"

# Media: images, video, audio
  ExpiresByType image/gif                 "access plus 1 week"
  ExpiresByType image/png                 "access plus 1 week"
  ExpiresByType image/jpeg                "access plus 1 week"
  ExpiresByType image/webp                "access plus 1 week"
  ExpiresByType image/svg+xml             "access plus 1 week"

# HTC files  (css3pie)
  ExpiresByType text/x-component          "access plus 1 month"

# Webfonts
  ExpiresByType application/x-font-ttf    "access plus 1 month"
  ExpiresByType font/opentype             "access plus 1 month"
  ExpiresByType application/x-font-woff   "access plus 1 month"
  ExpiresByType application/vnd.ms-fontobject "access plus 1 month"

# CSS and JavaScript
  ExpiresByType text/css                  "access plus 1 week"
  ExpiresByType application/x-javascript    "access plus 1 week"

</IfModule>


#################################################################################################
# START PROCESSWIRE HTACCESS DIRECTIVES
# @version 3.0
# @indexVersion 300
#################################################################################################
  ....

 

[Macrura]

great, many thanks!

[szabesz]

On 10/6/2016 at 9:39 PM, jacmaes said:

Start of .htaccess:

...

@jacmaes Hi,

Is it also exactly what you insert before the standard WP "# BEGIN WordPress ... # END WordPress" block? I have a few WP sites, that's why I ask  

[jacmaes]

@szabesz you'll need to remove the line that I added to block attempts to scan Wordpress, or you won't be able to login:

RedirectMatch 403 (?i)(wp-admin|wp-content|wp-login)

But you can basically copy and paste from from the code from the original site: https://perishablepress.com/6g/

[szabesz]

I see, thanks a lot!