Some useful Mod_Rewrite Rules

Discussion in 'Security' started by justdoit1, Mar 25, 2009.

    Rules are based on strings. If you find yourself getting banned during normal, legitimate traffic, remove the troublesome words or post your REQUEST/QUERY_STRING here.
    Please kindly note that these are a baseline defense, not a complete one.


    Baseline Defense:
    
    # Hardened Apache Mod_Rewrite Security Rule
    # Provided by Aung Khant,http://yehg.net
    RewriteEngine on
    # Allow only GET and POST verbs
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]
    # Ban Typical Vulnerability Scanners and others
    # Kick out Script Kiddies
    # Empty User-Agent (Apache does not accept a trailing comment on a directive line)
    RewriteCond %{HTTP_USER_AGENT} ^$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|java|curl|wget|python|nikto|wkito|pikto|pykto|scan|acunetix|qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    
    # Block out common attack strings
    # Directory Traversal & Null Byte Injection
    RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|&#|&#x|%09|%0D%0A) [NC,OR]
    # SQL Injection Probing
    RewriteCond %{QUERY_STRING} ^.*(OR%201=1|/select/|/union/|/insert/|/update/|/delete/).* [NC,OR]
    # Remote/Local File Inclusion
    RewriteCond %{QUERY_STRING} (http:\/\/)*(\?)$ [NC,OR]
    # PHP Version Probing: the easter-egg query string begins with "=PHP".
    # "(?=PHP)" would be a zero-width lookahead, matching any query string
    # that merely contains "php" (e.g. page=index.php), so anchor it instead.
    RewriteCond %{QUERY_STRING} ^=PHP [NC,OR]
    # XSS Probing
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    # PHP GLOBALS Overriding
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
    # PHP REQUEST variable Overriding (last condition: no OR flag)
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Deny access
    RewriteRule ^(.*)$ index.php [F,L]
    
    Baseline Defense for the Admin directory:
    
    # Hardened Apache Mod_Rewrite Security Rule
    # Provided by Aung Khant,http://yehg.net
    RewriteEngine on
    # Allow only GET and POST verbs
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]
    # Ban Typical Vulnerability Scanners and others
    # Kick out Script Kiddies
    # Empty User-Agent (Apache does not accept a trailing comment on a directive line)
    RewriteCond %{HTTP_USER_AGENT} ^$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|java|curl|wget|python|nikto|wkito|pikto|pykto|scan|acunetix|qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    
    # Bots have no reason to reach your administrator panel
    # Ultimately better than the useless robots.txt
    # Try google: intitle:phpMyAdmin intext:"Welcome to phpMyAdmin *.*.*" intext:"Log in" -wiki -forum -forums -questions intext:"Cookies must be enabled"
    # Uncomment the next line to keep these crawlers out as well
    # RewriteCond %{HTTP_USER_AGENT} ^.*(AdsBot-Google|ia_archiver|Scooter|Ask.Jeeves|Baiduspider|Exabot|FAST.Enterprise.Crawler|FAST-WebCrawler|www\.neomo\.de|Gigabot|Mediapartners-Google|Google.Desktop|Feedfetcher-Google|Googlebot|heise-IT-Markt-Crawler|heritrix|ibm\.com/cs/crawler|ICCrawler|ichiro|MJ12bot|MetagerBot|msnbot-NewsBlogs|msnbot|msnbot-media|NG-Search|lucene.apache.org|NutchCVS|OmniExplorer_Bot|online.link.validator|psbot0|Seekbot|Sensis.Web.Crawler|SEO.search.Crawler|Seoma.\[SEO.Crawler\]|SEOsearch|Snappy|www.urltrends.com|www.tkl.iis.u-tokyo.ac.jp/~crawler|SynooBot|crawleradmin.t-info@telekom.de|TurnitinBot|voyager|W3.SiteSearch.Crawler|W3C-checklink|W3C_Validator|www.WISEnutbot.com|yacybot|Yahoo-MMCrawler|Yahoo\!.DE.Slurp|Yahoo\!.Slurp|YahooSeeker|webcollage|Yanga.WorldSearch.Bot|hakiaBot).* [NC,OR]
    
    # Block out common attack strings
    # Directory Traversal & Null Byte Injection
    RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|&#|&#x|%09|%0D%0A) [NC,OR]
    # SQL Injection Probing
    RewriteCond %{QUERY_STRING} ^.*(OR%201=1).* [NC,OR]
    # Remote/Local File Inclusion
    RewriteCond %{QUERY_STRING} (http:\/\/)*(\?)$ [NC,OR]
    # PHP Version Probing: the easter-egg query string begins with "=PHP".
    # "(?=PHP)" would be a zero-width lookahead, matching any query string
    # that merely contains "php" (e.g. page=index.php), so anchor it instead.
    RewriteCond %{QUERY_STRING} ^=PHP [NC,OR]
    # XSS Probing
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    # PHP GLOBALS Overriding
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
    # PHP REQUEST variable Overriding (last condition: no OR flag)
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    
    # PHP Command Injection (disabled; enabling it needs an OR flag on the condition above)
    #RewriteCond %{QUERY_STRING} .*((<\?)*.(\?>)).*
    
    # Deny access
    RewriteRule ^(.*)$ index.php [F,L]
    
    Denying direct access to sensitive files/dirs:

    
    # Apache 2.2 syntax; on Apache 2.4 replace "Order allow,deny" + "Deny from all"
    # in each block with "Require all denied"
    <FilesMatch "^(Copy of)">
      Order allow,deny
      Deny from all
    </FilesMatch>
    
    # deny files like fun.inc , data.sql, config.php-bk,config-bk.php,
    # config-10Oct08-bk.php, yoursite.com-10Oct08-backup.tar.gz
    # (dots are escaped so "bak\.php" means a literal ".php", not "bak" plus any character)
    
    <FilesMatch "(\.inc|.*sql|.*~|.*bk|.*bak\.php|\.bk\.php|.*bakup\.php|.*bak|.*bakup|.*backup|.*backup\.tgz|.*backup\.tar\.gz|.*backup\.tar|.*backup\.gz|.*backup\.bz2|.*backup\.zip)$">
      Order allow,deny
      Deny from all
    </FilesMatch>
    
    # deny common shell files, dozens of shells out there
    # (substring match: any file name containing one of these words is denied)
    <FilesMatch "(c99|r57|c0d3rz|shell|5h3ll|sh3ll|sh311|backdoor|b4ckd00r|pHpINJ|azrail|ayyildiz)">
      Order allow,deny
      Deny from all
    </FilesMatch>
    
    
    # Deny directories whose names end with backup, bakup
    <DirectoryMatch "(backup|bakup)$">
      Order allow,deny
      Deny from all
    </DirectoryMatch>
    
    
    Some Useful Documents:

    http://yehg.net/lab/pr0js/view.php/An Apache Trick to Prevent SensitiveBackup Files.pdf

    http://yehg.net/lab/pr0js/view.php/An Apache Trick to Mitigate Shell File Attack.pdf

    http://yehg.net/lab/pr0js/view.php/Things to Do When You Got Hacked.pdf

    http://yehg.net/lab/pr0js/view.php/Hunting For Backdoor Scripts.pdf

    http://yehg.net/lab/pr0js/view.php/MULTIPLE TRICKY WAYS TO PROTECT.pdf

    Attack Detection Tool:

    # Php-Brute-Force-Attack Detector
    http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
    Description: (former name: Php Attack Detection Engine) detects your web servers being scanned by brute-force tools such as WFuzz and OWASP DirBuster and by vulnerability scanners such as Nessus, Nikto, Acunetix, etc. This helps you quickly identify probable probing by bad guys who want to dig up possible security holes.
    For more info
    http://yehg.net/lab/pr0js/tools/php-brute-force-detector-readme.pdf
     
    justdoit1, Mar 25, 2009
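The post asks readers to remove "troubled words" when legitimate traffic gets banned. The quickest way to find those words before deploying is to run the rule set against sample requests offline. The harness below is an added example, not code from the post and not from Aung Khant or yehg.net: it transcribes the RewriteCond and FilesMatch patterns above into Python's re module (standing in for Apache's PCRE; for this pattern set both engines match identically, and [NC] becomes re.IGNORECASE) and evaluates them against constructed requests and file names. It also shows one pattern both as posted and anchored: `(?=PHP)` is a zero-width lookahead, so the "PHP Version Probing" condition as posted fires on any query string containing "php", while `^=PHP` (the assumed intent, the PHP easter-egg query string) does not. All sample user agents, query strings, file names and expected verdicts are constructed for the example.

```python
import re

# Added test harness (not the forum post's code, not Apache): the post's RewriteCond
# and FilesMatch patterns as Python regexes so the rule set can be tried against
# constructed requests before it goes into .htaccess. The "^.*(...).*" wrappers of
# the original are dropped: they change nothing for an unanchored search.
NC = re.IGNORECASE

METHOD_ALLOWED = re.compile(r"^(GET|POST)$", NC)

USER_AGENT_BLOCK = [
    re.compile(r"^()$", NC),  # empty User-Agent
    re.compile(r"(libwww-perl|java|curl|wget|python|nikto|wkito|pikto|pykto|scan|acunetix|"
               r"qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af)", NC),
    re.compile(r"(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)", NC),
]

QUERY_BLOCK = [
    # directory traversal and null-byte / control-character injection
    re.compile(r"(\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|"
               r"%5C00|&#|&#x|%09|%0D%0A)", NC),
    re.compile(r"(OR%201=1|/select/|/union/|/insert/|/update/|/delete/)", NC),  # SQLi probing
    re.compile(r"(http://)*(\?)$", NC),                # RFI payload ending in "?"
    re.compile(r"(<|%3C).*script.*(>|%3E)", NC),       # XSS probing
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", NC),   # $GLOBALS overriding
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", NC),  # $_REQUEST overriding
]

# "PHP Version Probing" exactly as posted: (?=PHP) is a zero-width lookahead, so the
# condition fires on any query string containing "php" anywhere, page=index.php included.
PHP_PROBE_AS_POSTED = re.compile(r"(?=PHP).*", NC)
# The PHP easter-egg probe is a query string that begins with "=PHP"; anchoring keeps
# the intent and drops the false positive (assumed intent, taken from the rule's comment).
PHP_PROBE_ANCHORED = re.compile(r"^=PHP", NC)


def blocked_by(method, user_agent, query_string, php_probe=PHP_PROBE_ANCHORED):
    """Return which group of conditions would send the request to the [F] rule, or None."""
    if not METHOD_ALLOWED.search(method):
        return "method"
    if any(p.search(user_agent) for p in USER_AGENT_BLOCK):
        return "user-agent"
    if any(p.search(query_string) for p in QUERY_BLOCK):
        return "query-string"
    if php_probe.search(query_string):
        return "php-probe"
    return None


# FilesMatch is case-sensitive and unanchored; dots are escaped here so that "bak.php"
# means a literal ".php" rather than "bak" followed by any character.
FILE_DENY = [
    re.compile(r"^(Copy of)"),
    re.compile(r"(\.inc|.*sql|.*~|.*bk|.*bak\.php|\.bk\.php|.*bakup\.php|.*bak|.*bakup|.*backup|"
               r".*backup\.tgz|.*backup\.tar\.gz|.*backup\.tar|.*backup\.gz|.*backup\.bz2|.*backup\.zip)$"),
    re.compile(r"(c99|r57|c0d3rz|shell|5h3ll|sh3ll|sh311|backdoor|b4ckd00r|pHpINJ|azrail|ayyildiz)"),
]


def file_denied(basename):
    """True if a request for this file name would hit one of the Deny-from-all blocks."""
    return any(p.search(basename) for p in FILE_DENY)


# Constructed sample traffic: (method, User-Agent, query string, expected verdict).
SAMPLE_REQUESTS = [
    ("GET", "Mozilla/5.0 (X11; Linux x86_64; rv:1.9) Gecko/2008 Firefox/3.0", "id=42", None),
    ("GET", "Mozilla/5.0 (X11; Linux x86_64; rv:1.9) Gecko/2008 Firefox/3.0", "page=index.php", None),
    ("OPTIONS", "Mozilla/5.0", "", "method"),
    ("GET", "", "", "user-agent"),
    ("GET", "Java/1.6.0_07", "", "user-agent"),  # an ordinary Java HTTP client: collateral damage
    ("GET", "Mozilla/5.0", "file=..%2f..%2fetc%2fpasswd", "query-string"),
    ("GET", "Mozilla/5.0", "q=%3Cscript%3Ealert(1)%3C/script%3E", "query-string"),
    ("GET", "Mozilla/5.0", "GLOBALS[a]=1", "query-string"),
    ("GET", "Mozilla/5.0", "=PHPE9568F34-D428-11d2-A769-00AA001ACF42", "php-probe"),
]

# Constructed file names: (name, expected to be denied).
SAMPLE_FILES = [
    ("index.php", False),
    ("config.php.bak", True),
    ("fun.inc", True),
    ("Copy of index.php", True),
    ("yoursite.com-10Oct08-backup.tar.gz", True),
    ("site-backup-10Oct08.tar.gz", False),  # "backup" is not at the end: slips through
    ("shellfish.jpg", True),                # substring "shell": collateral damage
]


def mismatches():
    """Samples whose verdict differs from the expectation recorded next to them."""
    bad = [s for s in SAMPLE_REQUESTS if blocked_by(*s[:3]) != s[3]]
    bad += [f for f in SAMPLE_FILES if file_denied(f[0]) != f[1]]
    return bad


if __name__ == "__main__":
    for method, ua, qs, _ in SAMPLE_REQUESTS:
        print(f"{method:7} ua={ua[:24]!r:28} qs={qs!r:45} -> {blocked_by(method, ua, qs)}")
    print("as posted, page=index.php ->",
          blocked_by("GET", "Mozilla/5.0", "page=index.php", PHP_PROBE_AS_POSTED))
    for name, _ in SAMPLE_FILES:
        print(f"{name:40} denied={file_denied(name)}")
    print("mismatches:", mismatches())
```

Two of the constructed samples are there to show the cost of substring matching: a plain Java HTTP client is refused by the user-agent rule, and `shellfish.jpg` is denied by the shell-file rule. When a legitimate request shows up as blocked in your own logs, add it to `SAMPLE_REQUESTS` with the verdict you want and prune the offending alternative until `mismatches()` is empty.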
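The Php-Brute-Force-Attack Detector described at the end of the post works from the server's side of a scan: a directory brute-forcer or vulnerability scanner produces a burst of requests for paths that do not exist. The following is an added example of that idea, not the yehg.net tool and not its code: it parses Apache combined-format log lines and reports any client whose 403/404 responses within a sliding window exceed a threshold. The log lines, the addresses (RFC 5737 documentation ranges), the user agents and the 60-second/20-miss parameters are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the yehg.net detector: flag clients that rack up many
# 403/404 responses in a short window, the footprint of directory brute-forcing
# and scanner probing. Input is Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["req"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def scan_suspects(lines, window_seconds=60, threshold=20):
    """Map client IP -> largest number of 403/404 responses seen inside any window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404):
            misses[rec["ip"]].append(rec["time"])
    suspects = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in misses.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[ip] = best
    return suspects


# --- constructed sample log --------------------------------------------------
BASE = datetime(2009, 3, 25, 10, 0, 0)


def _log(ip, offset, path, status, ua):
    ts = (BASE + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:1.9) Gecko/2008 Firefox/3.0"
SAMPLE_LOG = [
    _log("192.0.2.10", 0, "/", 200, BROWSER),           # ordinary visitor
    _log("192.0.2.10", 5, "/about.php", 200, BROWSER),
    _log("192.0.2.10", 9, "/old-page.php", 404, BROWSER),  # one stale link: not a scan
]
# one client requesting 30 non-existent paths in 30 seconds
SAMPLE_LOG += [_log("198.51.100.7", i, f"/missing{i}/", 404, "Mozilla/4.0 (compatible)")
               for i in range(30)]

if __name__ == "__main__":
    for ip, burst in scan_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {burst} misses within 60s -> probable scan")
```

The threshold and window are the knobs to tune against your own traffic: a site with many stale inbound links will want a higher threshold, and a check that also counts 401 responses catches password guessing against HTTP-auth protected directories in the same pass.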