Rules are based on strings. If you find you get banned during normal legitimate traffic, remove the troublesome words or post your REQUEST/QUERY_STRING here. Please kindly note that these are a baseline defense, not a complete one.

Baseline Defense:

# Hardened Apache Mod_Rewrite Security Rule
# Provided by Aung Khant, http://yehg.net
RewriteEngine on

# Allow only GET and POST verbs
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]

# Ban typical vulnerability scanners and others
# Kick out script kiddies
# Empty User-Agent (Apache does not allow a comment after a directive on the same line)
RewriteCond %{HTTP_USER_AGENT} ^()$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|java|curl|wget|python|nikto|wkito|pikto|pykto|scan|acunetix|qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]

# Block out common attack strings
# Directory traversal & null byte injection
# (%{QUERY_STRING} is matched raw, before URL-decoding, so the encoded forms are needed)
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|&#|&#x|%09|%0D%0A) [NC,OR]

# SQL injection probing
RewriteCond %{QUERY_STRING} ^.*(OR%201=1|/select/|/union/|/insert/|/update/|/delete/).* [NC,OR]

# Remote/local file inclusion
# RFI payloads usually end in "?" (e.g. ...shell.txt?) to cut off the rest of the
# include path, so this fires on any query string ending in "?"; the optional
# (http:\/\/)* group does not narrow the match
RewriteCond %{QUERY_STRING} (http:\/\/)*(\?)$ [NC,OR]

# PHP version probing (the ?=PHPE9568F34-... easter-egg query strings)
# Anchored at the start of the query string: the earlier form (?=PHP).* is a
# look-ahead and fires on any query string that merely contains "php", e.g. ?page=index.php
RewriteCond %{QUERY_STRING} ^=PHP[0-9A-F]{8}- [NC,OR]

# XSS probing
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

# PHP GLOBALS overriding
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]

# PHP _REQUEST variable overriding (last condition of the chain, so no [OR])
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Deny access (with [F] the substitution target is ignored; the client gets a 403)
RewriteRule ^(.*)$ index.php [F,L]

Baseline Defense for the Admin directory:

# Hardened Apache Mod_Rewrite Security Rule
# Provided by Aung Khant, http://yehg.net
RewriteEngine on

# Allow only GET and POST verbs
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]

# Ban typical vulnerability scanners and others
# Kick out script kiddies
# Empty User-Agent
RewriteCond %{HTTP_USER_AGENT} ^()$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|java|curl|wget|python|nikto|wkito|pikto|pykto|scan|acunetix|qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]

# No reason for bots to access your administrator panel
# Ultimately better than the useless robots.txt
# Try google: intitle:phpMyAdmin intext:"Welcome to phpMyAdmin *.*.*" intext:"Log in" -wiki -forum -forums -questions intext:"Cookies must be enabled"
# Uncomment the next line to keep bots from indexing the admin panel
#RewriteCond %{HTTP_USER_AGENT} ^.*(AdsBot-Google|ia_archiver|Scooter|Ask.Jeeves|Baiduspider|Exabot|FAST.Enterprise.Crawler|FAST-WebCrawler|www\.neomo\.de|Gigabot|Mediapartners-Google|Google.Desktop|Feedfetcher-Google|Googlebot|heise-IT-Markt-Crawler|heritrix|ibm\.com/cs/crawler|ICCrawler|ichiro|MJ12bot|MetagerBot|msnbot-NewsBlogs|msnbot|msnbot-media|NG-Search|lucene.apache.org|NutchCVS|OmniExplorer_Bot|online.link.validator|psbot0|Seekbot|Sensis.Web.Crawler|SEO.search.Crawler|Seoma.\[SEO.Crawler\]|SEOsearch|Snappy|www.urltrends.com|www.tkl.iis.u-tokyo.ac.jp/~crawler|SynooBot|crawleradmin.t-info@telekom.de|TurnitinBot|voyager|W3.SiteSearch.Crawler|W3C-checklink|W3C_Validator|www.WISEnutbot.com|yacybot|Yahoo-MMCrawler|Yahoo\!.DE.Slurp|Yahoo\!.Slurp|YahooSeeker|webcollage|Yanga.WorldSearch.Bot|hakiaBot).* [NC,OR]

# Block out common attack strings
# Directory traversal & null byte injection
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|&#|&#x|%09|%0D%0A) [NC,OR]

# SQL injection probing
RewriteCond %{QUERY_STRING} ^.*(OR%201=1).* [NC,OR]

# Remote/local file inclusion (matches a query string ending in "?", see above)
RewriteCond %{QUERY_STRING} (http:\/\/)*(\?)$ [NC,OR]

# PHP version probing (anchored form, see above)
RewriteCond %{QUERY_STRING} ^=PHP[0-9A-F]{8}- [NC,OR]

# XSS probing
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

# PHP GLOBALS overriding
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]

# PHP _REQUEST variable overriding (last condition of the chain, so no [OR])
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# PHP command injection (left disabled, as in the original)
#RewriteCond %{QUERY_STRING} .*((<\?)*.(\?>)).*

# Deny access
RewriteRule ^(.*)$ index.php [F,L]

Denying direct access to sensitive files/dirs:

# Apache 2.2 access-control syntax; on Apache 2.4 replace each
# "Order allow,deny" / "Deny from all" pair with "Require all denied"
<FilesMatch "^(Copy of)">
    Order allow,deny
    Deny from all
</FilesMatch>

# Deny files like fun.inc, data.sql, config.php-bk, config-bk.php,
# config-10Oct08-bk.php, yoursite.com-10Oct08-backup.tar.gz
<FilesMatch "(\.inc|.*sql|.*~|.*bk|.*bak.php|.bk.php|.*bakup.php|.*bak|.*bakup|.*backup|.*backup.tgz|.*backup.tar.gz|.*backup.tar|.*backup.gz|.*backup.bz2|.*backup.zip)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Deny common shell files; there are dozens of shells out there
<FilesMatch "(c99|r57|c0d3rz|shell|5h3ll|sh3ll|sh311|backdoor|b4ckd00r|pHpINJ|azrail|ayyildiz)">
    Order allow,deny
    Deny from all
</FilesMatch>

# Deny directories whose names end with backup or bakup
<DirectoryMatch "(backup|bakup)$">
    Order allow,deny
    Deny from all
</DirectoryMatch>

Some Useful Documents:
http://yehg.net/lab/pr0js/view.php/An Apache Trick to Prevent SensitiveBackup Files.pdf
http://yehg.net/lab/pr0js/view.php/An Apache Trick to Mitigate Shell File Attack.pdf
http://yehg.net/lab/pr0js/view.php/Things to Do When You Got Hacked.pdf
http://yehg.net/lab/pr0js/view.php/Hunting For Backdoor Scripts.pdf
http://yehg.net/lab/pr0js/view.php/MULTIPLE TRICKY WAYS TO PROTECT.pdf

Attack Detection Tool:
# Php-Brute-Force-Attack Detector
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip

Description (former name: Php Attack Detection Engine): detects your web servers being scanned by brute-force tools such as WFuzz and OWASP DirBuster and by vulnerability scanners such as Nessus, Nikto, Acunetix, etc. This helps you quickly identify probable probing by bad guys who want to dig for possible security holes.
For more info: http://yehg.net/lab/pr0js/tools/php-brute-force-detector-readme.pdf
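The post asks readers to report the REQUEST/QUERY_STRING that got a legitimate visitor banned. The script below, an added example and not part of the original post or of the yehg.net tools, replays requests through the posted RewriteCond patterns offline so you can find those false positives before deploying: it copies the patterns verbatim (labels, the negate flag for the "!pattern" method check, and the log parser are additions), evaluates them the way mod_rewrite does (unanchored, case-insensitive because of [NC], against the raw undecoded query string), and runs a constructed combined-format access log through them. The PHP version probe condition, written as `(?=PHP).*` in the original rule set, is a look-ahead and fires on any query string containing "php"; the example keeps it as posted and also tries an anchored variant `^=PHP[0-9A-F]{8}-` (an assumption of this example, based on the `?=PHPE9568F34-...` easter-egg URL) to show that the legitimate `?page=index.php` request then passes. The log lines, IPs and status codes are constructed.

```python
"""Replay requests through the posted mod_rewrite conditions before deploying them."""
import re

# Patterns copied from the posted RewriteCond lines; labels and the negate flag are
# additions for reporting. Every posted condition carries [NC], so all are matched
# case-insensitively, and Apache applies them unanchored (PCRE), which re.search()
# reproduces for these expressions.
RULES = [
    # (label, server variable, pattern, negated as in "!pattern")
    ("method",     "REQUEST_METHOD",  r"^(GET|POST)$", True),
    ("empty-ua",   "HTTP_USER_AGENT", r"^()$", False),
    ("ua-scanner", "HTTP_USER_AGENT",
     r"^.*(libwww-perl|java|curl|wget|python|nikto|wkito|pikto|pykto|scan|acunetix|"
     r"qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af).*", False),
    ("ua-tool",    "HTTP_USER_AGENT",
     r"^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).*",
     False),
    ("traversal",  "QUERY_STRING",
     r"(\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|"
     r"%5C00|&#|&#x|%09|%0D%0A)", False),
    ("sqli",       "QUERY_STRING",
     r"^.*(OR%201=1|/select/|/union/|/insert/|/update/|/delete/).*", False),
    ("rfi",        "QUERY_STRING", r"(http:\/\/)*(\?)$", False),
    # As posted: a look-ahead, so it fires on any query string containing "php".
    ("php-probe",  "QUERY_STRING", r"(?=PHP).*", False),
    ("xss",        "QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", False),
    ("globals",    "QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("request",    "QUERY_STRING", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]

# Assumed variant of the PHP probe (not from the post): the easter-egg URLs look like
# ?=PHPE9568F34-D428-..., so QUERY_STRING starts with "=PHP", eight hex digits, a dash.
RULES_FIXED = [
    (label, var, r"^=PHP[0-9A-F]{8}-" if label == "php-probe" else pat, neg)
    for label, var, pat, neg in RULES
]


def evaluate(method, user_agent, query_string, rules=None):
    """Return the labels of the conditions that fire; [] means the request passes.

    The posted chain joins every condition with [OR], so a single hit makes the
    final "RewriteRule ^(.*)$ index.php [F,L]" answer 403."""
    fields = {"REQUEST_METHOD": method, "HTTP_USER_AGENT": user_agent,
              "QUERY_STRING": query_string}
    fired = []
    for label, var, pattern, negated in (rules or RULES):
        matched = re.search(pattern, fields[var], re.IGNORECASE) is not None
        if matched != negated:      # "!pattern" fires when the pattern does NOT match
            fired.append(label)
    return fired


# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def scan_log(log_text, rules=None):
    """Replay access-log lines through the rules; returns (ip, method, target, fired)."""
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                # not combined format; skip rather than guess
        target = m["target"]
        query = target.partition("?")[2]    # %{QUERY_STRING}: raw, undecoded part after "?"
        results.append((m["ip"], m["method"], target,
                        evaluate(m["method"], m["ua"], query, rules)))
    return results


# Constructed sample log (not real traffic). The last line is a legitimate request that
# the posted PHP rule blocks because the parameter value happens to contain "php".
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 2326 "-" "{UA}"',
    f'10.0.0.6 - - [10/Oct/2008:13:55:40 +0000] "GET /index.php?file=../../etc/passwd HTTP/1.1" 403 199 "-" "{UA}"',
    f'10.0.0.7 - - [10/Oct/2008:13:55:41 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 199 "-" "{UA}"',
    f'10.0.0.8 - - [10/Oct/2008:13:55:42 +0000] "GET /page.php?id=1%20OR%201=1 HTTP/1.1" 403 199 "-" "{UA}"',
    '10.0.0.9 - - [10/Oct/2008:13:55:43 +0000] "POST /login.php HTTP/1.1" 403 199 "-" "python-requests/2.31.0"',
    f'10.0.0.10 - - [10/Oct/2008:13:55:44 +0000] "OPTIONS / HTTP/1.1" 403 199 "-" "{UA}"',
    f'10.0.0.11 - - [10/Oct/2008:13:55:45 +0000] "GET /index.php?page=index.php HTTP/1.1" 403 199 "-" "{UA}"',
])

if __name__ == "__main__":
    for ip, method, target, fired in scan_log(SAMPLE_LOG):
        verdict = "pass" if not fired else "deny: " + ",".join(fired)
        print(f"{ip:<10} {method:<7} {target:<50} {verdict}")
    print("anchored PHP rule, ?page=index.php:",
          evaluate("GET", UA, "page=index.php", RULES_FIXED))
    print("anchored PHP rule, easter egg:",
          evaluate("GET", UA, "=PHPE9568F34-D428-11d2-A769-00AA001ACF42", RULES_FIXED))
```

Feed your own access log to scan_log() (or one request to evaluate()) and every line that reports a hit for a user you know is legitimate names the condition to loosen. Python's re and PCRE agree on everything these patterns use; the one behaviour not reproduced is Apache's own parsing, so a request that never reaches mod_rewrite (a malformed request line, for example) is not modelled.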