Jump to content

anyone using 6g htaccess firewall?


bernhard
 Share

Recommended Posts

@jacmaes mentioned he's using https://perishablepress.com/6g/ and i wonder if he is the only one?

@jacmaes, as i read in your link there are some wordpress plugins for that. would you think it would be hard (or useful) to create a pw module for that? are you using it in conjunction with other firewalls or standalone?

 

  • Like 1
Link to comment
Share on other sites

sure, that's correct. but it would be interesting if there are some other things to keep an eye on when using it with processwire. unfortunately i'm so busy atm that i can't try it myself so i wanted to ask if anyone has some experience with it to save me time when i try it out :)

the module could indicate if htaccess is writeable and show instructions how to chmod and alert to chmod back after making the changes.

  • Like 1
Link to comment
Share on other sites

@bernhard

I've used various versions of the firewall over the years (it's usually updated once a year), and while I ran into the occasional conflict a few years back, it's been solid ever since. I'm currently using it on a couple of Apache servers (Ubuntu 14.04 with the most recent version of Apache) on about 6 different PW-powered sites (both http:// and https://), and so far so good. I haven't run any specific test to measure its efficiency, but I see fewer traffic peaks from questionable sources and fewer errors in my logs. And it gives me an additional peace of mind to have this added layer of protection against bad actors. 

I've added this additional block as my logs showed persistent automated (and dumb) attempts to access Wordpress login or directories.     

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)(wp-admin|wp-content|wp-login)

I don't think this really needs a module as it's a quick copy and paste operation, although it's true that releasing a module would raise awareness and more people would discover it. 

@Mike Rockett

I'm certainly not a Regex expert, but if you look at the "Learn more" section, there are various articles over the years that show how some highly optimized regex rules can go a long way.  

 

  • Like 4
Link to comment
Share on other sites

@Macrura Here's what's above the PW directives in my .htaccess. Notice that I'm pointing explicitly to a 403 html file, right below the 6G directives:

ErrorDocument 403 /403.html

Start of .htaccess:

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
	RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
	RedirectMatch 403 (?i)(wp-admin|wp-content|wp-login)
	RedirectMatch 403 (?i)([a-z0-9]{2000})
	RedirectMatch 403 (?i)(https?|ftp|php):/
	RedirectMatch 403 (?i)(base64_encode)(.*)(\()
	RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
	RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
	RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
	RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
	RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
	RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
	RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
	RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
	SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
	SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

	# Apache < 2.3
	<IfModule !mod_authz_core.c>
		Order Allow,Deny
		Allow from all
		Deny from env=bad_bot
	</IfModule>

	# Apache >= 2.3
	<IfModule mod_authz_core.c>
		<RequireAll>
			Require all Granted
			Require not env bad_bot
		</RequireAll>
	</IfModule>
</IfModule>

ErrorDocument 403 /403.html

<FilesMatch "\.(js|css|html|htm|php|svg)$">
SetOutputFilter DEFLATE
</FilesMatch>

<ifModule mod_headers.c>
    Header set Connection keep-alive
</ifModule>

# ----------------------------------------------------------------------
# Expires headers (for better cache control)
# ----------------------------------------------------------------------

<IfModule mod_expires.c>
  ExpiresActive on

# Your document html
  ExpiresByType text/html                 "access plus 0 seconds"

# Data
  ExpiresByType text/xml                  "access plus 0 seconds"
  ExpiresByType application/xml           "access plus 0 seconds"
  ExpiresByType application/json          "access plus 0 seconds"

# Favicon (cannot be renamed)
  ExpiresByType image/x-icon              "access plus 5 days"

# Media: images, video, audio
  ExpiresByType image/gif                 "access plus 1 week"
  ExpiresByType image/png                 "access plus 1 week"
  ExpiresByType image/jpeg                "access plus 1 week"
  ExpiresByType image/webp                "access plus 1 week"
  ExpiresByType image/svg+xml             "access plus 1 week"

# HTC files  (css3pie)
  ExpiresByType text/x-component          "access plus 1 month"

# Webfonts
  ExpiresByType application/x-font-ttf    "access plus 1 month"
  ExpiresByType font/opentype             "access plus 1 month"
  ExpiresByType application/x-font-woff   "access plus 1 month"
  ExpiresByType application/vnd.ms-fontobject "access plus 1 month"

# CSS and JavaScript
  ExpiresByType text/css                  "access plus 1 week"
  ExpiresByType application/x-javascript    "access plus 1 week"

</IfModule>


#################################################################################################
# START PROCESSWIRE HTACCESS DIRECTIVES
# @version 3.0
# @indexVersion 300
#################################################################################################
  ....

 

  • Like 7
Link to comment
Share on other sites

  • 4 weeks later...
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...